GDPR Enforcement in Czech Republic

Deep dive into relevant data protection enforcement cases and insights from Czech Republic

21 May 2026 North Macedonia 6 min read

Main takeaways

Fines cannot be imposed on authorities and public entities.
GDPR fines by the DPA are comparatively low.
Limited transparency regarding the publication of fines and cases.
Fines > Damages. Currently, fines appear to be more significant than damages awarded by civil courts, mainly due to the costs for legal proceedings and low amounts of damages.

Fining practice

Trend: Have the national data protection authorities in the Czech Republic focused on certain types of non-compliance... Do you see a focus on certain industries/sectors? If so, which ones?

The Czech data protection authority (“Úřad pro ochranu osobních údajů”, the "UOOU") verifies general compliance with the GDPR. The control protocols issued by the UOOU during their audits demonstrate that the UOOU is thorough and investigates all possible breaches of the GDPR. It can also be seen that most of the breaches are due to there being an insufficient legal basis for data processing or deficiencies in data security. The UOOU’s scope of work is balanced and focuses on both public and private sectors.

The UOOU has announced its control plan for 2026. It will focus on transparency and information obligations under Articles 12-14 GDPR, in particular the quality, accessibility and clarity of privacy notices. This forms part of the EU-wide Coordinated Enforcement Framework 2026, in which the UOOU participates together with the European supervisory authorities. Another key area of attention is the position, independence and effective functioning of data protection officers, especially in the public sector, where the UOOU has repeatedly identified structural shortcomings.

From a sectoral perspective, the UOOU will also scrutinise the processing of personal data in debtor registers, as well as the use of customer satisfaction surveys that may constitute disguised commercial communications, affecting entities in consumer-facing industries.

Overall, what was the most significant fine in the Czech Republic to date (recipient, amount, violation, sector, short summary)? Has it been challenged in court?

The largest single fine imposed by the UOOU was approximately EUR 13,900,000 against Avast Software s.r.o. for unlawful data transfers to Jumpshot, INC. Although Avast assured its customers that it was transferring anonymised data and had implemented robust anonymisation techniques, the data subjects’ browsing history was only pseudonymised, meaning that with additional information it would still be possible to identify the data subjects and their interests, preferences, home address or financial background. The UOOU emphasised the importance of data subjects' expectations – Avast is a leading cybersecurity company and data subjects would not expect it to misuse their data.

Organisation of authorities and course of fine proceedings in the Czech Republic

How is the data protection authority organised in the Czech Republic? Budget, staff, assignment to a ministry?

The UOOU is the only authority responsible for enforcing the GDPR in the Czech Republic. It operates independently from other authorities. The annual budget is around EUR 7.5 million. It has approximately 100 employees and is based in Prague.

How does a fine procedure work in the Czech Republic? Can the authority impose fines itself? Procedural steps? Legal remedies?

To impose fines, the UOOU must first initiate an inspection. This may be performed either at a third party’s instigation or ex officio. The inspector must draw up a control protocol against which the inspected entity may file objections. If a breach is found, the UOOU can either give the inspected entity time to remedy said breach or it may initiate administrative proceedings. In these proceedings, the UOOU may issue a fine. The inspected entity may appeal against the UOOU’s decision or it may file an action with the administrative court if certain conditions are met.

When fines are imposed: Where does the money go? (state treasury / authority budget / other)

Fines issued by the UOOU are paid into the revenue of the state budget.

Is there an official calculation methodology for fines in the Czech Republic?

There is no official means of calculating fines. However, the administrative fines must be effective, proportionate and dissuasive. A fine amount is heavily dependent on the entity’s position. The UOOU considers, for example, the gravity of the breach, the number of data subjects affected and whether the entity may have been fined in the past. Of course, the imposition of fines must be governed by law.

Can public authorities be fined in the Czech Republic? If yes: Where does this money go?

The UOOU cannot impose a fine on public authorities and other public bodies, as they are exempted under Section 62 (5) of Act No. 110/2019 Coll. on Personal Data Processing.

Does the authority publish information on individual fine cases (website/annual report)? Are companies identifiable?

The UOOU publishes annual reports with detailed information about its inspection activities from the previous year with aggregated figures. Generally, it only publishes a fraction of all cases on its website and in its annual report. Cases published are often redacted and usually only contain the type of entity (e.g. an e-shop, insurance company, hotel), which articles of the GDPR were breached and whether administrative proceedings were initiated and fines imposed. The fine amounts are not usually published. The UOOU also occasionally publishes the conclusions which may be drawn from the cases.

It is possible to file an official request with the UOOU regarding the numbers and the UOOU is legally obliged to respond. The answer is then usually published on the UOOU’s website.

If no individual publication: aggregated figures? Provide annual figures from 2019 onwards (if available).

According to the UOOU’s 2025 annual report, seven cases in the area of data protection resulted in the imposition of fines with final effect. The total amount of fines imposed in 2025 was approx. EUR 600,000.

In the area of unsolicited marketing communications, the total amount of fines imposed with final effect was approx. EUR 500,000.

From 2018 to 2024, the UOOU issued fines totalling around EUR 16 million.

Other legal consequences of non-compliance in the Czech Republic

Does the Czech Republic have model declaratory proceedings/class actions in data protection law?

In the Czech legal system, model declaratory proceedings do not exist. Class actions have been introduced into the Czech legal system and may, in theory, be used by consumers and small businesses to seek compensation for damages and non-pecuniary losses resulting from violations of data protection laws.

What is more relevant: fines from authorities or court proceedings (damages/injunctions)? Outlook for the coming 12 months?

In the Czech Republic, administrative fines do not prevent private claims from being made in separate proceedings. However, private litigation regarding personal data processing is not very common, mainly because of high litigation costs and low claim amounts for damages. Therefore, fines issued by the UOOU are much more common and relevant and, for businesses, much more noticeable. Over the next 12 months, administrative fines from the UOOU are expected to remain the dominant enforcement risk for businesses.
