Czech Republic


A new draft relating to compliance matters is currently waiting in the Czech Parliament. It is a draft act on the protection of whistle-blowers debated for the first time by the MPs on 28.6.2016. The Government has previously responded to this effort in a statement that the Government itself intends to submit a draft of this act according to its legislative schedule for 2016. An effective act regulating these matters is therefore not in sight.

The draft law introduces the status of the so-called protected whistle-blower, who reports a criminal offence to the competent authority and receives protection under a decision of the competent state prosecutor.

Protection may be granted to an employee in the private or public sector who reports any of the criminal offences specified in the draft act to the competent authority. The Government has criticised the act for presenting a limited inventory of criminal offences and failing to reflect the severity of the offences or include administrative offences.

The status of protection means that:

  • An employer may only take legal steps against the protected whistle-blower with the consent of the regional labour office;
  • The Ministry of Finance allocates compensation for lost income and non-financial damage of up to CZK 100,000 at the request of a protected whistle-blower.

Criminal responsibility of legal persons

The amended act on criminal responsibility of legal persons will come into force on 1st December 2016. The amendment introduces a new reason for acquitting a legal person. A legal person may not be found criminally responsible if this person made all reasonable effort to prevent the criminal offence, in particular by establishing the relevant internal supervisory body. The question of the required nature of this Code of Conduct / supervisory system to justify the acquittal will be finally decided by the courts.

Basic EU regulations on data protection

In addition, the final version of the basic EU regulation on personal data protection (EU Regulation No 2016/679), which introduces new data protection responsibilities from 2018, has recently been published. Companies will be required to observe for example the following rules starting from 24th May 2018:

  • Appoint a person responsible for data protection if they employ more than 250 employees;
  • Report any breaches of personal data protection to the competent supervisory authority without delay and if possible within 72 hours of detecting the breach;
  • Estimate the impact of certain processing methods on data protection; this applies in particular to the application of new technologies representing an increased risk of jeopardised rights and freedoms of individuals in view of their nature, extent, circumstances and purpose of data processing.