The transparency of personal data processing: common pitfalls and key findings from the decisions of the Czech Office for Personal Data Protection, Part III
The principle of transparency is another fundamental principle of the GDPR, closely correlated to the principle of lawfulness, which we discussed in previous articles (Part I and Part II). Only if the data subject is informed in a timely and sufficient manner about the processing of their data and its purpose can they assess whether their rights are being violated. Transparency also means that all information and communications relating to data processing must be easily accessible and understandable, and provided using clear and simple language.
Even when the principle of transparency and related information obligations are complied with, frequent errors still occur. Based on the decision-making practice of the Czech Office for Personal Data Protection (the DPA), we have prepared a selection of the most common ones for you.
In our previous articles (Part I and Part II), we described the six most common mistakes. Here are three more mistakes that we have identified from DPA decisions.
Failure to comply with information obligations when using cookies
The information obligation must also be fulfilled when using cookies, which are small data files necessary for the proper functioning of websites (“technical cookies”) or for tracking visitor behaviour on websites (“non-technical cookies”). The applicable laws set strict rules for the use of non-technical cookies in the form of demonstrable consent from website users. Data controllers often focus so much on the correct settings of the cookie bar and compliance with the conditions for the introduction of non-technical cookies that they forget that even when using technical cookies, where the data subjects’ consent is not required, personal data is usually processed, and data subjects must be informed of this processing in a timely manner. One audited company even informed data subjects about the processing of data by several categories of cookies, including technical cookies, but the DPA analysis revealed that this list was incomplete, meaning that the company did not provide the data subjects with all the necessary information. Another company included the category of “unclassified” cookies in its privacy notice, so their purpose would have been unclear to website visitors.
Data controllers must carefully analyse which cookies they use and provide data subjects with information on the processing of personal data regarding all of them. If only technical cookies are used and a “cookie bar” is not required, but personal data is processed using them, it is still necessary to inform data subjects about this processing in an appropriate manner on the website where the personal data is processed.
Insufficient information about data transfers to third countries
Under the GDPR, the controller must also inform data subjects of its intention to transfer personal data to a third country or international organisation, of the existence or absence of a Commission adequacy decision, or of a reference to the appropriate safeguards and the means by which to obtain a copy of them or information on where they have been made available. One company was fined because, as its information about transfers abroad, it provided only a list of third parties to whom it transfers data, together with links to their websites. Data subjects had to find information about data transfers to third countries themselves by reading the privacy notices of the individual third parties, which were not always available in Czech. The DPA found this to be insufficient.
Check whether you are actually providing direct and comprehensible information about data transfers to third countries. Simply listing the recipients of the data, even though this could imply information about data transfers to third countries, is insufficient.
Failure to prove compliance with information obligations
Controllers must be able to demonstrate compliance with information obligations during an inspection by the DPA. One data controller operating a guesthouse learned this the hard way when, during an inspection by the authority, he argued that he informed data subjects verbally or by telephone, but had no evidence of having done so. An online platform mediating accommodation as an independent controller did inform future clients in accordance with the GDPR, but only about the booking of accommodation and not about the further processing of data that took place at the guesthouse.
Data controllers must have demonstrable evidence of compliance with their information obligations in accordance with the principle of accountability.
Conclusion
Data protection regulations are complex, and violations can be costly. To remain compliant, organisations must thoroughly map how they process personal data, provide data subjects with transparent and accurate information about processing within the statutory time limits, ensure that the information is understandable, and always strive to make it as easy as possible for data subjects to obtain information.
If you have any questions regarding data protection, please contact our experts.