GDPR Enforcement in Czech Republic
Deep dive into relevant data protection enforcement cases and insights from Czech Republic

Fining practice
Trend: Have the national data protection authorities in the Czech Republic focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?
The Czech data protection authority (“Úřad pro ochranu osobních údajů”, the “UOOU”) verifies general compliance with the GDPR. The control protocols issued by the UOOU during its audits demonstrate that the UOOU is thorough and investigates all possible breaches of the GDPR. Most of the breaches found stem from an insufficient legal basis for data processing or from deficiencies in data security.
The UOOU has announced its control plan for 2025. It will focus on the processing of personal data by retailers who make discounts conditional on participation in loyalty or similar programmes. Another area of focus will be the use of CCTV in public transport, particularly with regard to the application of the UOOU’s latest CCTV methodology. In addition, the UOOU will scrutinise the practices of providers of online comparison services (e.g. for insurance or loans) that send commercial communications to individuals who have used their services. These providers have so far not been subject to a comprehensive audit by the UOOU.
Overall, what was the most significant fine in the Czech Republic to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?
The largest single fine imposed by the UOOU was approximately EUR 13,900,000 against Avast Software s.r.o. for unlawful data transfers to Jumpshot, Inc. Although Avast assured its customers that it was transferring anonymised data and had implemented robust anonymisation techniques, the data subjects’ browsing history was only pseudonymised, meaning that with additional information it would still be possible to identify the data subjects and their interests, preferences, home address or financial background. The UOOU emphasised the importance of data subjects’ expectations: Avast is a leading cybersecurity company, and data subjects would not expect it to misuse their data.
Organisation of authorities and course of fine proceedings in the Czech Republic
How is the data protection authority organised in the Czech Republic? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?
The UOOU is the only authority responsible for enforcing the GDPR in the Czech Republic. It operates independently from other authorities. The annual budget is around EUR 7.5 million. It has approximately 100 employees and is based in Prague.
How does a fine procedure work in the Czech Republic? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?
To impose fines, the UOOU must first initiate an inspection. An inspection may be opened either at the instigation of a third party or ex officio. The inspector must draw up a control protocol, against which the inspected entity may file objections. If a breach is found, the UOOU can either give the inspected entity time to remedy the breach or initiate administrative proceedings. In these proceedings, the UOOU may issue a fine. The inspected entity may appeal against the UOOU’s decision or, if certain conditions are met, file an action with the administrative court.
When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?
Fines issued by the UOOU are paid into the revenue of the state budget.
Is there a common, official calculation methodology for fines in the Czech Republic (such as the fining models in the Netherlands or Germany)?
There is no official method for calculating fines. However, administrative fines must be effective, proportionate and dissuasive. The amount of a fine depends heavily on the entity’s position. The UOOU considers, for example, the gravity of the breach, the number of data subjects affected and whether the entity has been fined in the past. Of course, the imposition of fines must be governed by law.
Can public authorities be fined in the Czech Republic? If they can: Where does this money go?
The UOOU cannot impose a fine on public authorities and other public bodies, as they are exempted under Section 62(5) of Act No. 110/2019 Coll. on Personal Data Processing.
In the Czech Republic, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?
The UOOU only publishes a fraction of all cases on its website and in its annual report. Cases published are often redacted and usually only contain the type of entity (e.g. an e-shop, insurance company, hotel), which articles of the GDPR were breached and whether administrative proceedings were initiated and fines imposed. The fine amounts are not usually published. The UOOU also occasionally publishes the conclusions which may be drawn from the cases.
If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?
It is possible to file an official request with the UOOU regarding the numbers and the UOOU is legally obliged to respond. The answer is then usually published on the UOOU’s website. The UOOU also publishes annual reports with detailed information about its inspection activities from the previous year.
The UOOU’s scope of work is balanced and focuses on both public and private sectors. From 2018 to 2024, the UOOU issued fines totalling around EUR 16 million.
Other legal consequences of non-compliance in the Czech Republic
Does the Czech Republic have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?
In the Czech legal system, model declaratory proceedings are not available. Class actions have recently been introduced into the Czech legal system and may, in theory, be used by consumers and small businesses to seek compensation for damages and non-pecuniary losses resulting from violations of data protection laws.
What is more relevant in the Czech Republic: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?
In the Czech Republic, administrative fines do not prevent private claims from being made in separate proceedings. However, private litigation regarding personal data processing is not very common, mainly because of high litigation costs and low claim amounts for damages. Therefore, fines issued by the UOOU are much more common and relevant and, for businesses, much more noticeable.