Fining practice
Trend: Have the national data protection authorities in the Czech Republic focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?
The Czech data protection authority (“Úřad pro ochranu osobních údajů”, the "UOOU") verifies general compliance with the GDPR. The control protocols issued by the UOOU during its audits demonstrate that the UOOU is thorough and investigates all possible breaches of the GDPR. However, it can also be seen that most of the breaches stem from an insufficient legal basis for data processing or from deficiencies in data security.
The UOOU has announced its control plan for 2024. It will focus on the processing of personal data by public authorities – for example the use of data from the Population Register, and the processing of personal data by the Czech Police and by embassies in the context of visas, the Visa Information System and the Schengen Information System. The UOOU has also announced inspections focused on the sending of commercial communications by companies operating delivery services and on the recording of telephone calls.
Overall, what was the most significant fine in the Czech Republic to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?
The highest single fine issued by the UOOU was approx. EUR 300,000 for a violation of Act No. 480/2004 Coll., on certain Information Society Services. Since 2015, the accused transportation company has distributed unsolicited commercial communications to more than 40 million recipients without their prior consent. The highest fine imposed for a GDPR breach was approx. EUR 83,600 for the failure to implement corrective measures. There is no additional information related to this case available.
Organisation of authorities and course of fine proceedings in the Czech Republic
How is the data protection authority organised in the Czech Republic? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?
The UOOU is the only authority responsible for enforcing the GDPR in the Czech Republic. It operates independently of other authorities. Its annual budget is around EUR 7 million. It has approx. 100 employees and is based in Prague.
How does a fine procedure work in the Czech Republic? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?
To impose fines, the UOOU must first initiate an inspection. This may be performed either at a third party’s instigation or ex officio. The inspector must draw up a control protocol, against which the inspected entity may file objections. If a breach is found, the UOOU can either give the inspected entity time to remedy the breach or initiate administrative proceedings. In these proceedings, the UOOU may issue a fine. The inspected entity may appeal against the UOOU’s decision or, if certain conditions are met, file an action with the administrative court.
When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?
Fines issued by the UOOU are paid into the revenue of the state budget.
Is there a common, official calculation methodology for fines in the Czech Republic (such as the fining models in the Netherlands or Germany)?
There is no official method for calculating fines. Nevertheless, administrative fines must be effective, proportionate and dissuasive. The fine amount depends heavily on the entity’s position. The UOOU considers, for example, the gravity of the breach, the number of data subjects affected, and whether the entity has been fined in the past. Of course, the imposition of fines must be governed by law.
Can public authorities be fined in the Czech Republic? If they can: Where does this money go?
The UOOU cannot impose a fine on public authorities and other public bodies, as they are exempted under Section 62 (5) of Act No. 110/2019 Coll. on Personal Data Processing.
In the Czech Republic, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?
The UOOU publishes only a fraction of all cases on its website and in its annual report. Published cases are often redacted and usually contain only the type of entity (e.g. an e-shop, insurance company, hotel), which articles of the GDPR were breached, and whether administrative proceedings were initiated and fines imposed. The fine amounts are not usually published. The UOOU also occasionally publishes the conclusions that may be drawn from the cases.
If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines?
It is possible to file an official request with the UOOU regarding the numbers and the UOOU is legally obliged to respond. The answer is then usually published on the UOOU’s website. The UOOU also publishes annual reports with detailed information about its inspection activities from the previous year.
The UOOU’s scope of work is balanced and covers both the public and private sectors. Between 2018 and 2023, the UOOU issued fines totalling around EUR 2 million.
Other legal consequences of non-compliance in the Czech Republic
Does the Czech Republic have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?
In the Czech legal system, class actions or model declaratory proceedings are not available. A further legislative attempt to regulate class actions is under way. At the moment, there is no option to file class actions regarding personal data processing.
What is more relevant in the Czech Republic: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?
In the Czech Republic, administrative fines do not prevent private claims from being made in separate proceedings. However, private litigation regarding personal data processing is not very common, mainly because of high litigation costs and low claim amounts for damages. Therefore, fines issued by the UOOU are much more common and relevant and, for businesses, much more noticeable.