Personal Data Protection Office imposes first fines for GDPR breaches

The office most often imposed penalties where a data controller failed to properly inform data subjects of their personal data’s processing. Furthermore, penalties were also imposed for personal data leaks, such as leaving a box of consumer contracts next to a waste bin.

A fine for the failure to inform about personal data processing was imposed, for instance, in the case of a company renting cars with installed GPS locators that the clients were not informed of. The office formulated a list of information that should have been disclosed to clients, and imposed a penalty of CZK 30 000 on the car rental company. In another case, a personal data subject was contacted by phone with an offer to trade on the stock exchange. When they asked how their telephone number had been obtained and in what manner their personal data were processed, the information was not provided, not even upon repeated requests for a confirmation of personal data processing. Here, the office imposed a penalty of CZK 20 000. The office also dealt with a situation where an employee requested a personal data processing confirmation from their employer, together with a request to correct the data. While the office found the request to correct the data unfounded (as the personal data were correct), the office still fined the employer CZK 5 000, for the failure to provide the requested confirmation.

Personal data leaks as a result of the data’s insufficient protection were dealt with in the case involving an online game. Apart from player players’ user names, account IDs and passwords, e-mail and IP addresses were leaked as well. The leak occurred as a result of the abuse of authority on the part of the game’s programmer with whom the administrator had not even concluded a personal data protection agreement. For this breach, the office imposed a penalty of CZK 15 000. A company that failed to safeguard the personal data of approximately 300 clients contained in consumer loan agreements was fined CZK 30 000. Clients’ contracts were kept for at least 14 days in a paper box in a parking area of the statutory representative’s apartment house, and later found next to a paper bin.

The processing of personal data without a legal title was dealt with in the case of a former employee who had requested a schoolmaster to remove all her photographs from the school’s internet sites once her employment terminated. After some time, she noticed that the schoolmaster had failed to remove her photographs from the school’s Facebook account, and requested their removal again. The office then also called upon the schoolmaster to remedy the situation, and after no response from the schoolmaster, imposed a penalty of CZK 10 000.

The office’s highest penalty so far was imposed on a personal data controller who to simplify the process of concluding and maintaining contractual documentation processed clients’ biometric signatures. The office found this in breach of the rule that personal data must be processed in a manner that is relevant, adequate, and limited to what is necessary for its purpose (the data minimisation principle), and imposed a penalty of CZK 250 000.

It is clear from the above overview that the office primarily aims to eliminate unlawful situations, rather than impose draconian penalties. When determining the fine, the office takes into consideration a number of factors, such as the nature, severity and duration of the breach, the number of data subjects affected, and the harm caused. Except for the last case mentioned, penalties imposed were mostly rather low. Please note, however, that the Czech Office for Personal Data Protection has not yet dealt with an extensive leak or a large-scale abuse of personal data; the penalties imposed so far thus cannot be compared to those imposed for instance by the French or British supervisory authorities, who have dealt with breaches much more severe and larger in scope.