The most interesting decisions of the Czech Data Protection Office in 2019
At the end of 2019, there were not that many news from the new Czech legislations in 2020, which would be generally relevant for all entrepreneurs, as usual. Not only the Czech legislature, but also the Czech authorities can bring changes for entrepreneurs. The most important news brought by the decision of the Czech Office for Personal Data Protection can be found in this post.
The latest decisions of the Czech Data Protection Office on GDPR and personal data protection ruls in Czech Republic in 2019
Given the wide range of doubts and unclear facts surrounding the application of General Data Protection Regulation (“GDPR”) and the new Czech Personal Data Processing Act (English translation), the Czech Office for Personal Data Protection (“Czech Data Protection Office”) started to considerably increase the general public awareness of its decision-making processes and its control activities. In addition to the description of all the inspections carried out in the first half of 2019, a new list of selected second instance decisions made by the Chairman of the Czech Data Protection Office can be now found on the UOOU website.
The new Czech Personal Data Processing Act does not enable to impose penalties on state bodies, which lead in 2019 to the impossibility to sanction the Czech Ministry of the Interior, which allowed a total of 7,064 unauthorized access to the population register and furthermore, it allowed 88,491 accesses to data in the population register to a greater extent than stipulated by the Basic Registers Act.
The Czech Data Protection Office has imposed only symbolic final and binding penalties for the breach of GDPR rules since its adoption. The number of fines did not reach 10 for the first year and the total amount of penalties even did not exceed EUR 15,000. What was subject of the inspections by the Czech Data Protection Office during the year 2019?
For example, the Czech Data Protection Office carried out inspection based on a complaint filed with the Dutch Supervisory Authority concerning the processing of personal data of the users of both free and paid versions of the antivirus software. As part of this inspection, the Czech Data Protection Office concluded, that the inspected subject is in the position of the antivirus software user’s personal data administrator, because it has information that might, overall, lead to the identification of the specific user, based on which the specific user can be identified and therefore by providing the antivirus software service, such data of the users are collected, which are the personal data in the sense of GDPR.
The Czech Data Protection Office also confirmed, that the control of access to the business premises through a camera system located at the entrance to the business premises, is in compliance with GDPR and the Czech Personal Data Processing Act. The Czech Data Protection Office concluded that the identification of persons entering the business premises through a CCTV system in the on-line mode without sound (without a recording system), is not a processing of personal data, and thus the operator of such system is not an administrator of the personal data in the sense of the GDPR.
The Czech Data Protection Office also stressed out the obligation to respond to a request for withdrawal of consent with the processing of personal data, and the obligation to dealt with such request immediately. One of the major on-line retailers did not process a request to delete personal information (a copy of the personal identification card and a photograph), that was processed with the consent of the customer, which was subsequently revoked. Even though it was supposed to be an retailer’s employee misconduct, the Czech Data Protection Office stated, that the withdrawal of consent have to be as simple, as it was to grant such consent, and imposed a fine of CZK 15,000 in this specific case.
The Czech Data Protection Office also carried out a control on the fulfilment of obligations in the processing of personal data of former employees, including former employees of the company, focusing on the transfer and use of electronic communication. Based on a complaint from a former employee, the Czech Data Protection Office evaluated the employer's procedure which, upon the termination of employment, does not delete the email address and mailbox of the employee and continues to access employee’s mailbox, and by this conduct, the employer was supposed to violate former employees' privacy. The Czech Data Protection Office did not find this procedure to be defective, especially with regard to the fact that the employer regulated the use of the e-mail address and the mailbox by internal regulations, had security measures related to the integrity of the e-mail server and of the individual mailboxes, and any potential incidents are investigated and documented. In the event of termination of employment, the e-mail address is kept for three months, the access of the former employee is revoked and an automatic reply is set up to the sender of the message containing the cancellation of the account and new contact information.
For more information, contact us at:
JUDr. Mojmír Ježek, Ph.D.
ECOVIS ježek, advokátní kancelář s.r.o.
Betlémské nám. 6
110 00 Praha 1
About ECOVIS ježek advokátní kancelář s.r.o.
The Czech law office in Prague ECOVIS ježek practices mainly in the area of Czech commercial law, Czech real estate law, representation at Czech courts, administrative bodies and arbitration courts, as well as Czech finance and banking law, and provides full-fledged advice in all areas, making it a suitable alternative for clients of international law offices. The international dimension of the Czech legal services provided is ensured through past experience and through co-operation with leading legal offices in most European countries, the US, and other jurisdictions. The Czech lawyers of the ECOVIS ježek team have many years of experience from leading international law offices and tax companies, in providing legal advice to multinational corporations, large Czech companies, but also to medium-sized companies and individual clients. For more information, go to www.ecovislegal.cz/en.