Czech Republic

Main takeaways

  • Fines cannot be imposed on authorities and public entities.
  • GDPR fines by the DPA are comparatively low.
  • Limited transparency regarding the publication of fines.
  • Fines > Damages. Currently, fines appear to be more significant than damages awarded by civil courts, mainly due to the costs of legal proceedings and the low amounts of damages awarded.

Fining practice

Trend: to date, has the national data protection authority in the Czech Republic focused on certain types of non-compliance with data protection law, or has the authority stated that it will investigate certain types of non-compliance more closely in future? Do you see a focus on certain industries/sectors? If so, which ones?

The Czech data protection authority ("Úřad pro ochranu osobních údajů", the "UOOU") verifies general compliance with the GDPR. The control protocols issued by the UOOU during its audits show that the UOOU is thorough and investigates all possible breaches of the GDPR. However, they also show that most breaches stem from an insufficient legal basis for data processing or from deficiencies in data security.

The UOOU has announced its control plan for 2023. It will focus on the processing of personal data in attendance systems, the use of social networks, large-scale CCTV systems and large data processors or bailiffs. It will also audit selected information systems of the Czech Police and, in cooperation with the Czech Telecommunications Office, telemarketing activities.

Overall, what was the most significant fine in the Czech Republic to date (please specify the recipient, the amount, the type of violation, the sector, and provide a brief summary)? Has the fine been challenged in court? If it has: was this successful, or what is the status of the proceedings?

The highest single fine issued by the UOOU was approx. EUR 250,000. The UOOU imposed this fine for a violation of Act No. 480/2004 Coll., on certain Information Society Services. The accused company distributed unsolicited advertising messages by e-mail to half a million addressees in one year. The high number of affected data subjects influenced the amount of the fine.

The highest fine imposed for a GDPR breach was approx. EUR 83,600 for the failure to implement corrective measures. There is no additional information related to this case available.


Organisation of authorities, procedure and publicising of fine proceedings

How is the data protection authority organised in the Czech Republic? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

The UOOU is the only authority responsible for enforcing the GDPR in the Czech Republic. It operates independently from other authorities, including ministries. The annual budget is around EUR 7 million. It has approx. 100 employees and is based in Prague.

How does a fine procedure work in the Czech Republic? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to the company alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

To impose a fine, the UOOU must first initiate an inspection. This may be performed either at a third party's instigation or ex officio. The inspector must draw up a control protocol, against which the inspected entity may file objections. If a breach is found, the UOOU can either give the inspected entity time to remedy the breach or initiate administrative proceedings. In these proceedings, the UOOU may issue a fine. The inspected entity may appeal against the UOOU's decision or, if certain conditions are met, file an action with the administrative court.

When fines are imposed by the data protection authority: Where does the money go? (e.g., State treasury, the budget belonging to the authority)?

Fines issued by the UOOU are paid into the revenue of the State budget.

Is there a common, official calculation methodology for fines in the Czech Republic (such as the fining models in the Netherlands or Germany)?

There is no official method for calculating fines. Nevertheless, administrative fines must be effective, proportionate and dissuasive. The amount of a fine depends heavily on the circumstances of the entity concerned. The UOOU considers, for example, the gravity of the breach, the number of data subjects affected, and whether the entity has been fined in the past. Of course, the imposition of fines must be governed by law.

Can public authorities be fined in the Czech Republic? If they can: Where does this money go?

The UOOU cannot impose a fine on public authorities and other public bodies, as they are exempted under Section 62 (5) of Act No. 110/2019 Coll. on Personal Data Processing.

In the Czech Republic, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

The UOOU publishes only a fraction of all cases on its website and in its annual report. Published cases are often redacted and usually state only the type of entity (e.g. an e-shop, insurance company, hotel), which articles of the GDPR were breached, and whether administrative proceedings were initiated and fines imposed. The fine amounts are not usually published. The UOOU also occasionally publishes the conclusions that may be drawn from the cases.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?

It is possible to file an official request with the UOOU for these figures, and the UOOU is legally obliged to respond. The answer is then usually published on the UOOU's website. The UOOU also publishes annual reports with detailed information about its inspection activities in the previous year.

The UOOU's scope of work is balanced and covers both the public and private sectors. From 2018 to 2021, the UOOU issued fines totalling over EUR 1,099,000. The data for the year 2022 are not yet available.


Other legal consequences of non-compliance

Does the Czech Republic have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

In the Czech legal system, class actions and model declaratory proceedings are not available. A new attempt to regulate class actions by statute is under way, but the legislative process is at a very early stage. At present, there is no option to file a class action regarding personal data processing.

What is more relevant in the Czech Republic: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

In the Czech Republic, administrative fines do not prevent private claims from being brought in separate proceedings. However, private litigation regarding personal data processing is not very common, mainly because of high litigation costs and the low amounts of damages claimed. Fines issued by the UOOU are therefore far more common and relevant and, for businesses, much more noticeable.

Key contacts

Tomáš Matĕjovský
Partner
Head of Commercial, Regulatory and Disputes, CMS Czech Republic
Prague
T +420 296 798 852
Daniel Szpyrc
Associate
Head of Data Privacy
Prague
T +420 296 798 842