Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
Czech Republic Česká republika

WEB ANALYTICS · COOKIE COMPLIANCE · EASTERN EUROPE · CZ

Czech Republic — analytics & cookie compliance reference

ÚOOÚ pragmatic enforcement — rarely top of EU enforcement charts but capable of large fines (Avast 351M CZK, Apr 2024). Single federal regulator · Czech-language privacy notices recommended · digital-consent age lowered to 15.

GDPR · ePrivacy · Free reference · sources cited
// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting the Czech Republic. Sectoral rules (healthcare, banking, employment) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National addons

Country-specific statutes layered on the EU baseline.

Act 110/2019 · Stricter
Zákon č. 110/2019 Sb., o zpracování osobních údajů
Czech implementation of GDPR opening clauses + ÚOOÚ powers + child-consent age + special-category permissions + employee-data references + criminal-record processing. Replaced the pre-GDPR Act 101/2000.
  • § 7 Child consent — age lowered to 15 (vs GDPR default 16)
  • § 8 Special-category data — Czech-specific permissions (employment, social security, public health)
  • § 11 Processing for journalistic, academic, artistic, and literary purposes — derogations from Chapters II/III of GDPR
  • § 50 ÚOOÚ supervisory powers + administrative-offence catalogue
  • § 62 Fines — aligned with GDPR Art 83 ceilings; ÚOOÚ scaling guidance applies
Act No. 110/2019 Coll. on Personal Data Processing (effective 24 Apr 2019), as amended
Act 127/2005 § 89a · Stricter
Zákon č. 127/2005 Sb., o elektronických komunikacích
Cookies + terminal-equipment access + electronic communications privacy. § 89a transposes ePrivacy Art 5(3) — since 1 Jan 2022 the Czech Republic has been a strict opt-in jurisdiction (previously a rare EU opt-out outlier).
  • § 89a(3) Storage / read access on terminal equipment requires prior informed consent — analytics, marketing, A/B testing all in scope
  • § 89a(3) Strictly-necessary exception — narrowly construed; user-requested service delivery only
  • § 93 Confidentiality of communications + traffic-data minimization
Electronic Communications Act, § 89a (cookies/terminal-equipment access). Switched from opt-out to opt-in by amendment Act 374/2021 Coll., effective 1 Jan 2022.
Act 480/2004 § 7
Zákon č. 480/2004 Sb., o některých službách informační společnosti
Direct electronic marketing — § 7 requires prior express opt-in for unsolicited commercial communications by email/SMS. Soft opt-in narrow exception for existing customers + similar products + clear opt-out at every contact. ÚOOÚ enforces jointly with the Czech Trade Inspection Authority.
  • § 7(2) Email/SMS marketing — prior express opt-in required (no double-opt-in mandate, but recommended for evidentiary value)
  • § 7(3) Soft opt-in — narrow exception for existing-customer + similar products + opt-out at every contact
Act on Certain Information Society Services (e-services + commercial communications)
Zákoník práce § 316
Zákon č. 262/2006 Sb., zákoník práce
Employee monitoring at the workplace requires (a) a serious operational reason, (b) prior written notice to employees about the scope, methods, and duration of monitoring, and (c) consultation with the trade union / works council where present. Touches most analytics, productivity, HR, and IT-monitoring tools deployed on internal systems.
  • § 316(2) Workplace surveillance — serious operational reason required; mere convenience or HR curiosity is insufficient
  • § 316(3) Prior written notice to employees — scope, extent, methods, duration
Labour Code § 316 — employee monitoring

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
ÚOOÚ · Úřad pro ochranu osobních údajů
Single federal regulator — supervises all controllers and processors in the Czech Republic across public and private sectors. No state-level DPAs.

Coordination body

ÚOOÚ Stanoviska & Výroční zprávy · ÚOOÚ — opinions, methodologies, and annual reports
ÚOOÚ issues stanoviska (formal opinions), methodologies, and an annual report (Výroční zpráva). Czech Republic participates in EDPB at EU level but has no domestic federal-state coordination body.
  • 2021-10 · Cookies — opt-in transition — ÚOOÚ methodology accompanying Act 374/2021 amendment — confirms opt-in baseline from 1 Jan 2022; analytics, marketing, and A/B testing never qualify for the strictly-necessary exception.
  • 2022-04 · Google Analytics — ÚOOÚ aligned with EDPB GA4 taskforce conclusions following the Austrian DSB ruling — explicit consent + Schrems II supplementary measures expected pre-DPF.
  • 2024-04 · Avast / Jumpshot — ÚOOÚ Avast decision (351M CZK) became final and binding April 2024 — landmark on pseudonymisation-vs-anonymisation (browsing data was re-identifiable, not anonymous) and onward transfers via Jumpshot subsidiary; precedent on browsing-data monetization disclosed only deep in privacy notice.
  • 2024-09 · Cookie banner sweep — ÚOOÚ targeted audit of major Czech publishers and e-commerce — equal-prominence reject button required, pre-ticked boxes invalid, dark patterns flagged.

Notable enforcement

ÚOOÚ rarely tops EU enforcement charts in absolute terms but is capable of headline-grabbing fines when consent transparency or onward-transfer disclosures fail (Avast 351M CZK, Feb 2024 — sale of browsing data via the Jumpshot subsidiary). The regulator's posture is pragmatic: aligned with EDPB consensus rather than first-mover, willing to settle, and focused on the consent layer, transparency, and direct-marketing breaches more than transfer-mechanism formalism. The Czech Republic was an opt-out outlier on cookies until 1 Jan 2022 — the post-2022 enforcement curve is still maturing.

  1. 2024-04 €14.0M
    Avast Software s.r.o. · ÚOOÚ · Art 5, 6, 13, 14 · Status: final

    351M CZK fine — Avast transferred browsing histories of ~100M antivirus users to its Jumpshot subsidiary (which sold the data to advertisers and market-research clients) during 2019. ÚOOÚ rejected Avast's claim that the data was anonymous: the data was pseudonymised but re-identifiable. Insufficient transparency in the antivirus product privacy notice. Largest Czech GDPR fine to date. Decision became final and binding April 2024. Approx €14M.

  2. 2025-04 €800k
    Unnamed Czech retailer · ÚOOÚ · Art 32 · Status: verify

    Insufficient technical-organizational measures resulting in customer-data breach (login credentials + order history). Fine reflects mid-tier retailer turnover. Subject to verification — ÚOOÚ does not always publish full case dossiers.

  3. 2025-01 €350k
    Unnamed health-tech provider · ÚOOÚ · Art 9, 32 · Status: settled

    Insufficient encryption of special-category health data + missing DPIA for new patient-portal feature. Settled.

GA4 status

GA4 is usable in the Czech Republic only with prior, explicit, granular consent under § 89a of Act 127/2005 (Electronic Communications Act). ÚOOÚ aligned with the EDPB GA4 taskforce post-Austrian-DSB but did not issue an independent first-mover ruling. After EU-US DPF (10 Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. ÚOOÚ posture is pragmatic — TIA documentation expected but not aggressively second-guessed when DPF is in force.

DPA · Stance
ÚOOÚ · Single federal regulator — pragmatic post-DPF. Opt-in still required under § 89a; TIA documentation expected. Czech-language consent layer recommended for Czech-targeted sites.

Cross-border transfers + Schrems II

ÚOOÚ has historically been pragmatic on transfers — less aggressive than the Austrian DSB or French CNIL. Pre-DPF, ÚOOÚ aligned with EDPB GA4 conclusions but did not issue an independent first-mover ruling. Post-DPF (10 Jul 2023) ÚOOÚ accepts adequacy for DPF-certified US importers. A documented Transfer Impact Assessment is recommended but not aggressively second-guessed in routine deployments. Loss of DPF certification reverts the recipient to the pre-DPF strict posture.

EU 2021/914 SCCs are the fallback when DPF certification is absent or revoked. ÚOOÚ scrutiny on Module 2 onward-transfer clauses is moderate — focus tends to fall on consent layer, transparency, and onward transfers via subsidiaries (Avast/Jumpshot template).

Employee data

Key thresholds

Child consent age: 15 years
Article 27 representative: Required
Marketing consent: Single opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 4 · 0 green · 3 yellow · 1 red
Status · Rationale
  YELLOW · Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
  YELLOW · EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
  YELLOW · EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
  RED · Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Status · Rationale
  GREEN · Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
  GREEN · Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
  GREEN · Open-source, self-hosted. No managed updates — site owner maintains vendor list.
  GREEN · GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
  GREEN · German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Status · Rationale
  RED · Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
  RED · Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
  RED · PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Status · Rationale
  GREEN · EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
  GREEN · EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
  YELLOW · "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.
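The gating the vendor rows describe (no non-essential tag fires until the visitor opts in per category under § 89a; Consent Mode v2 signals default to denied; a record kept to prove consent), as an added example that is not code from this page or from any vendor. The tag registry, category names, banner version and the G-XXXXXXX measurement ID are constructed placeholders; the Consent Mode v2 signal names are Google's.

```javascript
// Added example (not from the page or any vendor): consent-gated loading of
// analytics/marketing tags for a Czech-targeted site under § 89a of Act 127/2005.
// Tag registry, category names, banner version and the G-XXXXXXX measurement ID
// are constructed placeholders.
const CATEGORIES = ['analytics', 'marketing', 'ab_testing']; // all require opt-in

// Constructed registry: the consent category each non-essential tag belongs to.
// Strictly-necessary scripts are not listed because they are not consent-gated.
const TAGS = {
  ga4:        { category: 'analytics',  src: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX' },
  ad_pixel:   { category: 'marketing',  src: 'https://cmp.example/pixel.js' },
  experiment: { category: 'ab_testing', src: 'https://cmp.example/ab.js' },
};

// Google Consent Mode v2 signals for a set of choices. Only a literal `true`
// counts: pre-ticked boxes, "yes" strings or missing keys stay denied, so
// consentSignalsFor({}) is the all-denied default to send before the banner.
function consentSignalsFor(choices) {
  const a = choices.analytics === true, m = choices.marketing === true;
  return { ad_storage: m ? 'granted' : 'denied', ad_user_data: m ? 'granted' : 'denied',
           ad_personalization: m ? 'granted' : 'denied', analytics_storage: a ? 'granted' : 'denied' };
}

// Evidentiary record of the consent event: banner version shown, categories
// granted and an ISO timestamp, kept to prove consent later.
function makeConsentRecord(choices, bannerVersion, now = new Date()) {
  const grantedCategories = CATEGORIES.filter((c) => choices[c] === true);
  return { bannerVersion, grantedCategories, timestamp: now.toISOString() };
}

// Tags whose category the visitor granted.
function tagsToLoad(record) {
  return Object.keys(TAGS).filter((t) => record.grantedCategories.includes(TAGS[t].category));
}

// Browser-side effect: inject only the allowed scripts. Outside a browser
// (no `document`) it just returns what would have been loaded.
function loadAllowedTags(record) {
  const allowed = tagsToLoad(record);
  if (typeof document !== 'undefined') {
    for (const t of allowed) {
      const s = document.createElement('script');
      s.async = true; s.src = TAGS[t].src;
      document.head.appendChild(s);
    }
  }
  return allowed;
}
```

Server-side tagging changes nothing here: the browser-side call to loadAllowedTags is still the point where the § 89a decision has to be enforced.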


Common questions

Is Google Analytics legal in the Czech Republic in 2026?
Yes, conditionally. ÚOOÚ aligned with the EDPB GA4 taskforce conclusions after the Austrian DSB ruling but did not issue an independent first-mover ruling. After EU-US DPF (10 Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. In practice, GA4 still requires prior, explicit, granular opt-in consent under § 89a of Act 127/2005, plus a documented Transfer Impact Assessment. Loss of DPF certification reverts to the pre-DPF strict posture.
Do I need a DPO in the Czech Republic?
Act 110/2019 follows GDPR Art 37 thresholds — no national lower bar (unlike Germany's BDSG § 38 ≥20-employee rule). Mandatory only when (a) a public authority, (b) core activities require regular and systematic monitoring of data subjects on a large scale, or (c) core activities involve large-scale processing of special-category or criminal data. Czech SMBs typically do not need a DPO unless they fit these triggers.
Which DPA is competent for my company?
There is only one — Úřad pro ochranu osobních údajů (ÚOOÚ) at federal level. Unlike Germany, the Czech Republic has no regional DPAs. ÚOOÚ supervises all public and private controllers and processors in the country. Cross-border processors with multiple EEA establishments use the GDPR One-Stop-Shop lead-DPA mechanism — ÚOOÚ serves as the Czech Republic's representative.
What changed when § 89a went opt-in in 2022?
Effective 1 January 2022, Act 374/2021 Coll. amended § 89a of Act 127/2005 (Electronic Communications Act). The Czech Republic switched from opt-out (one of the last EU member states to do so) to opt-in for cookies and terminal-equipment access. From that date, prior informed consent is required for any non-strictly-necessary cookie or device-storage technology — analytics, marketing, A/B testing all in scope. Pre-2022 banners with opt-out cookies are now non-compliant.
Is 'legitimate interest' a valid basis for analytics in the Czech Republic?
No, for non-essential analytics that store or read on terminal equipment. § 89a of Act 127/2005 is independent of GDPR Art 6 — it requires opt-in consent for any non-strictly-necessary cookie or device-storage technology, regardless of GDPR lawful basis. § 89a governs the cookie/tracking layer; GDPR governs subsequent processing of the resulting data.
What about the works council and analytics tools?
Zákoník práce § 316 governs employee monitoring at the workplace. § 316(2) requires a serious operational reason for surveillance, and § 316(3) mandates prior written notice to employees about scope, methods, and duration. Where a trade union or works council exists, consultation is required. This is independent of GDPR — employee consent is rarely a valid GDPR basis (recital 43), so most deployments rely on legitimate interest documented in a § 316 notice. It touches most analytics, productivity, HR, and IT-monitoring tools on internal systems.
Do I need a Czech Article 27 representative?
Yes if you are a non-EU controller offering goods/services to or monitoring behaviour of people in the Czech Republic (or any EEA state), unless the small-business exception in Art 27(2) applies. ÚOOÚ has pursued non-designation cases as part of broader EDPB coordination. A representative may be appointed in any EEA state where data subjects whose data you process are located — Czech Republic is a valid choice for CEE-targeted services.
What language must my privacy notice be in?
ÚOOÚ position: notices in Czech for Czech-targeted sites — English-only is insufficient where the site is clearly aimed at Czech consumers. The targeting test mirrors GDPR Art 3(2) — Czech-language website, .cz domain, CZK pricing, Czech-language marketing, etc. all signal targeting. Slovak-language notices are not a substitute despite mutual intelligibility — separate Czech notices are recommended.
At what age can a child consent in the Czech Republic?
15, under § 7 of Act 110/2019 — Czech Republic lowered the GDPR default from 16. Below 15, parental authorization is required for information-society services. This is one of the lower digital-consent ages in the EU and matters for ed-tech, gaming, and social platforms targeting Czech minors.
Is double-opt-in required for email marketing in the Czech Republic?
No — § 7 of Act 480/2004 (e-services + commercial communications) requires prior express opt-in for unsolicited commercial communications by email/SMS, but does not mandate double-opt-in. However, double-opt-in is strongly recommended for evidentiary value — single opt-in records are routinely challenged in ÚOOÚ proceedings for proof of consent. Soft opt-in is permitted for existing customers + similar products + clear opt-out at every contact.

// EDITORIAL · NOT LEGAL ADVICE This page summarises Czech Republic's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.