The transparency of personal data processing: common pitfalls and key findings from the decisions of the Czech Office for Personal Data Protection, Part II
The principle of transparency is another fundamental principle of the GDPR, closely related to the principle of lawfulness, which we discussed in previous articles (Part I and Part II). Only if the data subject is informed in a timely and sufficient manner about the processing of their data and its purpose can they assess whether their rights are being violated. Transparency also means that all information and communications relating to data processing must be easily accessible and understandable, and provided in clear and plain language.
Even when the principle of transparency and related information obligations are complied with, frequent errors still occur. Based on the decision-making practice of the Czech Office for Personal Data Protection (the DPA), we have prepared a selection of the most common ones for you.
In Part I, we described the three most common mistakes. Here are three more mistakes that we found in DPA decisions.
Relying on the publication of information on the website
Many controllers believe that they generally fulfil their information obligations under the GDPR by publishing information about the processing of personal data on their website. However, if personal data is obtained from a source other than the data subject, it is necessary to inform the data subjects directly, unless an exception applies whereby the provision of such information is not possible or would require disproportionate effort. The DPA fined a company that processed data obtained from other sources and relied on the publication of information on its website to fulfil its information obligation. According to the DPA, this is insufficient, as the exception of disproportionate effort or impossibility to fulfil the information obligation does not apply because the company knew at least the addresses of the establishments/registered offices of the data subjects (self-employed individuals) and could therefore contact them.
The controller must provide the information directly to the data subject whose data it has obtained from other sources.
Late notification of data subjects in cases where they do not provide personal data themselves
There is another, related violation. When obtaining personal data from the data subjects themselves, most controllers are well aware that they must inform the subjects of all essential details of the processing at the time the data is obtained. Where controllers obtain personal data from other sources, e.g. from another controller, data subjects must also be informed in a timely manner: at the latest on first communication with the data subject, if the data is processed for the purposes of that communication; at the latest before the data is disclosed to another recipient; and in all other cases within one month of obtaining the data. A considerable number of companies have been fined by the DPA for contacting data subjects whose data was obtained from other sources without providing information in accordance with the GDPR.
It is important to note that if we obtain the data of an individual person from another source and wish to contact them, we must provide them with the necessary information immediately in the first message.
Failure to provide information regarding specific requests from data subjects
Data controllers also have an information obligation in the case of requests from data subjects to exercise their rights (access, erasure, restriction of processing, etc.): they must inform the data subject of the measures (not) taken regarding their request within one month of receiving it. The DPA has fined controllers who complied with data subjects’ requests, or were unable to comply with them because, for example, the data were no longer processed, but did not provide any information to the data subjects.
Another controller was fined for failing to provide a data subject with information concerning their request for access to personal data. In this case, the data subject knew that the controller was processing data about him, but he was interested in the details of the processing. He formulated his request as “how copies of his documents are handled within the meaning of Regulation (EU) 2016/679, where they are and where he can collect them”. The controller did not provide him with any information, even though this question had to be interpreted as a question about the purposes of processing and the expected retention period of his data. In this context, the DPA emphasised that the controller was obliged to provide all the information listed in Article 15 of the GDPR.
It is important to fulfil all obligations to provide information and to provide information in response to individual requests from data subjects, as well as to inform data subjects of the measures (not) taken in response to their requests.
Stay tuned
In the next article, we will reveal three more common mistakes that can lead to a breach of the principle of transparency in data processing. Do not miss it!