The Czech Data Protection Authority, which monitors compliance with European data protection regulations in the Czech Republic, publishes information online about its control activities, its decisions and their effects on companies.

Given the wide-ranging doubt and lack of clarity surrounding the application of the General Data Protection Regulation (GDPR) and the new Czech Personal Data Processing Act (English translation), the Czech Office for Personal Data Protection (Czech DPA, ÚOOÚ) has started to considerably increase general public awareness of its decision-making processes and its control activities. In addition to a description of all inspections carried out in the first half of 2019, a new list of selected second instance decisions made by the Chairman of the UOOU can now be found on the UOOU website.

The new Czech Personal Data Processing Act has no provision for imposing penalties on state bodies. This meant that in 2019, it was impossible to sanction the Czech Ministry of the Interior, which allowed unauthorized access to the population register a total of 7,064 times, as well as access to the population register to a greater extent than stipulated by the Basic Registers Act on 88,491 occasions.

Since the GDPR law was passed, the Czech DPA has only imposed symbolic penalties for violating GDPR rules. As the Ecovis experts explain, a total of only 10 fines were imposed and the total amount of the fines was less than EUR 15,000.

JUDr. Mojmír Ježek, Ph.D., Partner, ECOVIS ježek, advokátní kancelář s.r.o., Prague, Czech Republic

“Up to now, the fines imposed by the Czech Data Protection Authority for GDPR violations have not been very high. Now the legal framework is complete and the sanctions are more frequent and more severe. We can help you avoid penalties.”

Four examples of checks by the Czech DPA in 2019

The subject of the inspection by the Czech DPA was a check based on a complaint made to the Dutch supervisory authority concerning the processing of personal data of users of both the free and paid versions of an antivirus software. As part of this inspection, the Czech DPA concluded that the subject is in the position of being the antivirus software user’s personal data administrator because it has information which could eventually lead to the identification of a specific user. Therefore, by providing the antivirus software service, user data is collected which is personal data in the sense of the GDPR.

The Czech DPA also confirmed, that controlling access to business premises through a camera system located at the entrance is in compliance with the GDPR and the Czech Personal Data Processing Act. The Czech DPA concluded that the identification of persons entering the business premises using a CCTV (Closed Circuit Television) system in online mode without sound (without a recording system) does not amount to the processing of personal data and thus the operator of such a system is not an administrator of the personal data in the sense of the GDPR.

The Czech DPA also stressed the obligation to respond to a request for the withdrawal of consent for the processing of personal data and the obligation to deal with such a request immediately. A major online retailer did not process a request to delete personal information (a copy of the personal identification card and a photograph) that was processed with consent which the customer subsequently revoked. Although allegedly the misconduct of an employee of the retailer, the Czech DPA stated that it must be as easy to withdraw the consent as it was to grant such consent and imposed a fine of CZK 15,000 (around EUR 600).

The Czech DPA also carried out a check on the fulfilment of obligations in the processing of the personal data of former employees, focusing on the transfer and use of electronic communication. Based on a complaint from a former employee, the Czech DPA evaluated an employer’s procedure which, following the termination of employment, does not delete the employee’s email address and mailbox which the employer continues to access. This was alleged to be a violation of the former employee’s privacy. The Czech DPA did not judge this procedure to be defective, especially with regard to the fact that the employer had implemented internal regulations covering the use of the email address and the mailbox, as well as security measures related to the integrity of the email server and of the individual mailboxes. Any potential incidents were also investigated and documented. In the event of the termination of employment, the email address is kept for three months, the former employee’s access is revoked and an automatic reply is set up to the sender of the message containing details of the cancellation of the account and new contact information.