ČESKÁ SPRÁVA SOCIÁLNÍHO ZABEZPEČENÍ

GDPR – Privacy Notice


Privacy Notice

Privacy notice pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – the “GDPR”.

This page is intended to provide data subjects with full, transparent, and easily accessible information on the processing of personal data, including special categories of personal data, by the controller in accordance with the GDPR and Act No 110/2019 on the processing of personal data.

1. Contact details of the controller and the data protection officer:

Personal data controller

1.1. Czech Social Security Administration ("CSSA")
Křížová 25
225 08 Praha 5
Address of e-mailroom: posta@cssz.cz 
Data box ID of CSSA Headquarters: 49kaiq3

1.2. Regional Social Security Administrations (“RSSA”)

contact details: www.cssz.cz/cz/kontakty

1.3. Institute for Medical Assessment (“IMA”)
Slezská 839/16
502 00 Hradec Králové
Address of e-mailroom: posta.ipzs@cssz.cz
Data box ID: 6hyxrbe

1.4. Data protection officer
Radka Poláková
Česká správa sociálního zabezpečení (CSSA)
Křížová 25
225 08 Praha 5
email: dpo@cssz.cz

The data protection officer acts for all the above personal data controllers and serves as their contact point.

2. Purposes of processing and legal basis:

2.1 The CSSA/RSSA/IMA process personal data, including special categories of personal data, relating to the clients of the CSSA/RSSA/IMA (“clients”) for the purposes of carrying out tasks within their statutory remit in accordance with laws of the Czech Republic and the European Union, and in compliance with international treaties by which the Czech Republic is bound.

Processing is carried out in particular for the following purposes:

  • administration of the social security system (including social security premiums and contributions to the state employment policy, sickness insurance, pension insurance, and matters relating to disabled persons);
  • administration of the assessment of health status for both contributory and non-contributory social security schemes and for employment purposes;
  • processing of data in the Employer and Employee Registers under the Single Monthly Report system;
  • data repository management (including the Employer and Employee Registers, the Insured Persons Register, insurance relationships, entitlement records for pension insurance, and pension benefit files);
  • administration of reimbursements of wage compensation for time off work connected with activities for children and young people provided under the Labour Code;
  • provision of information to entitled persons (including mutual communication and cooperation);
  • ensuring inspections;
  • ensuring accounting (both non-benefit accounting and benefit payments).

The following legislation lays down requirements for the exercise of state administration and defines the remit of the CSSA/RSSA/IMA. This legislation determines the legal status of the CSSA/RSSA/IMA as personal data controllers. Unless expressly stated otherwise, references to the legislation below are to such legislation as currently in force and effect, i.e. as amended.

  • zákon č. 582/1991 Sb., o organizaci a provádění sociálního zabezpečení (Act No 582/1991 on the organisation and implementation of social security);
  • zákon č. 155/1995 Sb., o důchodovém pojištění (Act No 155/1995 on pension insurance);
  • zákon č. 187/2006 Sb., o nemocenském pojištění (Act No 187/2006 on sickness insurance);
  • zákon č. 589/1992 Sb., o pojistném na sociální zabezpečení a příspěvku na státní politiku zaměstnanosti (Act No 589/1992 on social security premiums and contributions to the state employment policy);
  • zákon č. 323/2025 Sb., o jednotném měsíčním hlášení zaměstnavatele (Act No 323/2025 on the Single Monthly Employer Report).

A full list of the relevant legislation is available in Czech in this leaflet (PDF 182.6 kB).

The CSSA/RSSA/IMA process personal data, including special categories of personal data, relating to clients in order to comply with a legal obligation [Article 6(1)(c) of the GDPR] or for the performance of a task carried out in the public interest or in the exercise of official authority [Article 6(1)(e) of the GDPR].

Types of personal data processed

  • identification data;
  • address data;
  • contact data;
  • data relating to sickness insurance;
  • data relating to pension insurance;
  • data relating to Medical Assessment Service activities;
  • data relating to the collection of premiums;
  • data reported in the Single Monthly Report;
  • data recorded pursuant to requirements of European Union law and international social security agreements;
  • property and financial data.

Types of special categories of personal data processed

  • data concerning health;
  • data relating to criminal matters.

2.2 The CSSA and the RSSA/IMA process personal data, including special categories of personal data, relating to their employees and job applicants (and, where applicable, other persons) in order to comply with a legal obligation [Article 6(1)(c) of the GDPR], for the performance of a contract [Article 6(1)(b) of the GDPR], or on the basis of legitimate interests [Article 6(1)(f) of the GDPR], for the following purposes, which also constitute the controller’s legitimate interests in the processing of personal data:

  • personnel administration;
  • ensuring inspections;
  • ensuring administration of security matters;
  • ensuring administration of legal matters and projects;
  • ensuring internal administration;
  • ensuring accounting (both non-benefit accounting and benefit payments);
  • occupational health and safety;
  • ensuring administration of information and communication technologies;
  • provision of information to entitled persons (including mutual communication and cooperation).

Types of personal data processed

  • identification data;
  • address data;
  • contact data;
  • data relating to sickness insurance;
  • data relating to pension insurance;
  • data relating to the collection of premiums;
  • property and financial data.

Types of special categories of personal data processed

  • data concerning health;
  • data relating to criminal matters.

The CSSA/RSSA/IMA also process personal data, including special categories of personal data, relating to job seekers on the basis of the data subject’s consent [Article 6(1)(a) of the GDPR], where CVs and cover letters of selected unsuccessful applicants are retained for the purposes of future recruitment procedures.

2.3 The CSSA records personal data of visitors to its headquarters [Article 6(1)(e) GDPR] in order to protect the controller’s property and individuals’ life and health. More information can be found here (PDF 42.05 kB).

3. Sources of personal data and special categories of personal data:

The CSSA/RSSA/IMA obtain personal data and special categories of personal data from data subjects (collectively “personal data”), from their employers, and from the Population Register, the Register of Persons, the Population Records Agenda Information System, the Foreign Nationals Agenda Information System, the Birth Number Register, the records of the authorities of the Financial Administration of the Czech Republic, and the records of job seekers maintained by the Labour Office of the Czech Republic. Some personal data is also provided to the CSSA/RSSA/IMA by social security institutions of European Union Member States, social security institutions of non-European Union states with which the Czech Republic has concluded a bilateral social security agreement, and healthcare providers.

4. Recipients or categories of recipients of personal data:

A recipient is a natural or legal person, public authority, agency, or another body to which personal data is disclosed (Article 4(9) GDPR), excluding public authorities that may receive personal data in the framework of a particular inquiry in accordance with Member State law.

Personal data is disclosed within the scope of and under the conditions set out by law.

The main categories of recipients of personal data are:

  • public authorities of the Czech Republic (including state administration, self-administration, and other public administration bodies), such as the Ministry of Labour and Social Affairs of the Czech Republic (hereinafter referred to as “MoLSA”) and other ministries, the State Labour Inspection Office, the General Directorate of Customs, the General Financial Directorate, authorities of the Financial Administration of the Czech Republic, the Czech Statistical Office, courts, municipal authorities, health insurance companies, and, where applicable, enforcement offices;
  • social security institutions of European Union Member States, the United Kingdom of Great Britain and Northern Ireland, Switzerland, Norway, Liechtenstein, and Iceland, in connection with activities under the European Union coordination regulations in the field of social security referred to below;
  • social security institutions of states with which the Czech Republic has concluded a bilateral social security agreement;
  • institutions of the European Union, the European Central Bank, and the European Investment Bank;
  • healthcare providers;
  • intermediaries for the payment of benefits – the Czech National Bank and Czech Post;
  • operators of the CSSA information system.

5. Transfer of personal data abroad:

Personal data is transferred abroad on a legal basis arising in particular from Regulation (EC) No 883/2004 of the European Parliament and of the Council on the coordination of social security systems and Regulation (EC) No 987/2009 of the European Parliament and of the Council laying down the procedure for implementing Regulation (EC) No 883/2004, or from applicable international social security agreements. These regulations are available on the European Commission website at https://eur-lex.europa.eu/ and on the CSSA website at https://www.cssz.cz/web/cz/legislativa-evropska-unie. Further information can be found on the MoLSA website at https://www.mpsv.cz/web/cz/pravni-predpisy-eu-v-gesci-mpsv.

A full overview of all applicable international social security agreements, including their personal and material scope, is available on the MoLSA website at https://www.mpsv.cz/web/cz/dvoustranne-smlouvy-o-socialnim-zabezpeceni and on the CSSA website at https://www.cssz.cz/web/cz/mezinarodni-smlouvy.

A list of international agreements on cooperation in the area of benefit abuse and illegal employment can be found on the MoLSA website at https://www.mpsv.cz/web/cz/mezinarodni-smlouvy-o-spolupraci-v-oblasti-zneuzivani-davek-a-nelegalniho-zamestnavani.

Where insured persons become officials or other employees of the European Union and its institutions, or employees of the European Central Bank or the European Investment Bank, their personal data is transferred in connection with the transfer of their pension rights to the pension scheme of those institutions. This transfer is carried out on the basis of Annex VIII to Council Regulation (EEC, Euratom, ECSC) No 259/68 laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission, and on the basis of Government Regulation No 141/2013 laying down detailed rules for the mutual transfer of pension rights in relation to the pension scheme of the European Union.

6. Period over which personal data is stored:

The CSSA/RSSA/IMA store personal data only for as long as necessary for the purposes for which it is processed. The retention period is determined by applicable legislation, the duration of the contractual or service relationship with a CSSA employee, and the internal regulation “Decision of the Director General of the CSSA – Records Management Rules of the Czech Social Security Administration”. Disposal procedures are carried out in accordance with legislation of general application and the CSSA’s internal rules on archiving and retention at scheduled intervals (usually once a year), and, where necessary, outside these intervals. They are carried out comprehensively and separately for each organisational unit, and cover all documents stored in the registry of that unit for which the retention periods have expired. Where a file contains documents with different retention periods, the document with the longest retention period determines when the file is to be disposed of.

7. The following rights apply to the protection of your personal data:

7.1 Right of access to your personal data (Article 15 GDPR)

As a personal data subject, you have the right to be informed what personal data about you is processed, for what purpose, for how long, where it is obtained, to whom it is disclosed, and who further processes it, as well as what other rights you have in connection with the processing of your personal data. You may contact the data protection officer, who will arrange for you to receive information on whether your personal data is processed and, if so, what data is processed and to whom it is disclosed. Upon request, you will also be provided with copies of your personal data. The CSSA ePortal and its services are another way of obtaining information about what personal data is processed by the CSSA/RSSA/IMA.

7.2 Right to rectification of your personal data (Article 16 GDPR)

If you find that your personal data processed by the CSSA/RSSA/IMA is inaccurate or incomplete, you have the right to have it corrected or completed without undue delay.

7.3 Right to erasure of your personal data (Article 17 GDPR)

You have the right to have your personal data erased without undue delay where one of the following grounds applies:

  • your personal data is no longer needed for the purposes for which it was processed;
  • you exercise your right to object to processing (see below “Right to object to the processing of your personal data”) in relation to personal data processed for the performance of a task carried out in the public interest, and it is established that no public interest justifying such processing exists; or
  • it becomes clear that the processing of personal data carried out by us is no longer in compliance with generally binding regulations.

However, where personal data is processed by the CSSA/RSSA/IMA in their capacity as public authorities, your right to erasure is limited in accordance with Article 17(3) GDPR. In particular, this right does not apply where processing is necessary for compliance with a legal obligation under the laws of the Czech Republic, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the CSSA/RSSA/IMA. This right may also be further restricted by legislative measures in the field of social security within the meaning of Article 23 GDPR.

7.4 Right to restriction of processing of your personal data (Article 18 GDPR)

You may request that the processing of your personal data be restricted in the following cases:

  • you contest the accuracy of your personal data, for a period enabling its accuracy to be verified;
  • the processing is unlawful (i.e. has no legal basis) and you oppose erasure and request restriction of its use instead;
  • the controller no longer needs the personal data for the purposes of processing, but you require it for the establishment, exercise, or defence of legal claims;
  • you, as the personal data subject, have objected to processing based on the legitimate interests of the controller or third parties, and it has not yet been determined whether the controller’s legitimate grounds override yours; in that case, processing will be restricted for that period.

7.5 Right to the portability of your personal data (Article 20 GDPR)

You have the right to obtain from us all personal data that you have provided to CSSA/RSSA/IMA and that we process on the basis of the performance of a contract or your consent.

However, this right is limited under Article 20(3) GDPR. In particular, it does not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the CSSA/RSSA/IMA. This right may also be further restricted as a necessary and proportionate measure in the field of social security within the meaning of Article 23 GDPR.

7.6 Right to object to the processing of your personal data (Article 21 GDPR)

As a data subject, you have the right at any time to object to processing on grounds relating to your particular situation. You may exercise this right:

  • where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority; or
  • where processing is based on the legitimate interests of the controller or a third party, as well as in connection with the right to data portability.

When exercising the right to object or another means of protection against the processing of personal data, the provisions of Act No 500/2004, the Code of Administrative Procedure, governing complaints shall apply mutatis mutandis.

The CSSA/RSSA/IMA will appropriately mark personal data whose accuracy has been contested or in respect of which an objection has been raised, and will continue to process such personal data even without the consent of the data subject.

8. Right to lodge a complaint with a supervisory authority:

If you believe that the processing of personal data infringes the GDPR, you have the right to lodge a complaint pursuant to Article 77 GDPR with the supervisory authority, i.e. the Office for Personal Data Protection.

List of Relevant Legislation (PDF 101,89 kB) 

Last update: 20. 4. 2026