Given the wide-ranging doubt and lack of clarity surrounding the application of the General Data Protection Regulation (GDPR) and the new Czech Personal Data Processing Act (English translation), the Czech Office for Personal Data Protection (Czech DPA, ÚOOÚ) has started to considerably increase general public awareness of its decision-making processes and its control activities. In addition to a description of all inspections carried out in the first half of 2019, a new list of selected second instance decisions made by the Chairman of the ÚOOÚ can now be found on the ÚOOÚ website.
The new Czech Personal Data Processing Act has no provision for imposing penalties on state bodies. This meant that in 2019, it was impossible to sanction the Czech Ministry of the Interior, which allowed unauthorised access to the population register a total of 7,064 times, as well as access to the population register to a greater extent than stipulated by the Basic Registers Act on 88,491 occasions.
Since the GDPR law was passed, the Czech DPA has only imposed symbolic penalties for violating GDPR rules. As the Ecovis experts explain, a total of only 10 fines were imposed and the total amount of the fines was less than EUR 15,000.
Four examples of checks by the Czech DPA in 2019
- The subject of the inspection by the Czech DPA was a check based on a complaint made to the Dutch supervisory authority concerning the processing of personal data of users of both the free and paid versions of an antivirus software. As part of this inspection, the Czech DPA concluded that the subject is in the position of being the antivirus software user’s personal data administrator because it has information which could eventually lead to the identification of a specific user. Therefore, by providing the antivirus software service, user data is collected which is personal data in the sense of the GDPR.
- The Czech DPA also confirmed that controlling access to business premises through a camera system located at the entrance is in compliance with the GDPR and the Czech Personal Data Processing Act. The Czech DPA concluded that the identification of persons entering the business premises using a CCTV (Closed Circuit Television) system in online mode without sound (without a recording system) does not amount to the processing of personal data and thus the operator of such a system is not an administrator of the personal data in the sense of the GDPR.
- The Czech DPA also stressed the obligation to respond to a request for the withdrawal of consent for the processing of personal data and the obligation to deal with such a request immediately. A major online retailer did not process a request to delete personal information (a copy of the personal identification card and a photograph) that was processed with consent which the customer subsequently revoked. Although this was allegedly the misconduct of an employee of the retailer, the Czech DPA stated that it must be as easy to withdraw the consent as it was to grant such consent and imposed a fine of CZK 15,000 (around EUR 600).
- The Czech DPA also carried out a check on the fulfilment of obligations in the processing of the personal data of former employees, focusing on the transfer and use of electronic communication. Based on a complaint from a former employee, the Czech DPA evaluated an employer’s procedure which, following the termination of employment, does not delete the employee’s email address and mailbox which the employer continues to access. This was alleged to be a violation of the former employee’s privacy. The Czech DPA did not judge this procedure to be defective, especially with regard to the fact that the employer had implemented internal regulations covering the use of the email address and the mailbox, as well as security measures related to the integrity of the email server and of the individual mailboxes. Any potential incidents were also investigated and documented. In the event of the termination of employment, the email address is kept for three months, the former employee’s access is revoked and an automatic reply is set up to the sender of the message containing details of the cancellation of the account and new contact information.
Author
JUDr. Mojmír Ježek, Ph.D., Partner, ECOVIS ježek, advokátní kancelář s.r.o., Prague, Czech Republic
Ecovis is a leading global consulting firm with its origins in Continental Europe. It has over 7,500 people operating in over 75 countries. Its consulting focus and core competencies lie in the areas of tax consultation, accounting, auditing and legal advice.
The particular strength of Ecovis is the combination of personal advice at a local level with the general expertise of an international and interdisciplinary network of professionals. Every Ecovis office can rely on qualified specialists in the back offices as well as on the specific industrial or national know-how of all the Ecovis experts worldwide. This diversified expertise provides clients with effective support, especially in the fields of international transactions and investments – from preparation in the client’s home country to support in the target country.
In its consulting work Ecovis concentrates mainly on mid-sized firms. Both nationally and internationally, its one-stop-shop concept ensures all-round support in legal, fiscal, managerial and administrative issues.
The name Ecovis, a combination of the terms economy and vision, expresses both its international character and its focus on the future and growth.
ECOVIS AG Steuerberatungsgesellschaft
Ernst-Reuter-Platz 10
10587 Berlin
Telefon: +49 89 5898-266
Telefax: +49 (30) 310008556
http://www.ecovis.com
E-Mail: gudrun.bergdolt@ecovis.com