Overview of data protection issues 01/24
In the following overview, we would like to inform you about recent decisions of the Office for Personal Data Protection (ÚOOÚ), the conclusions of its inspections and other new developments in the area of personal data protection. We will report further developments in the legal regulation of personal data protection in the next edition of this overview or in our legal news overview.
Supervisory and decision-making activities of the ÚOOÚ
- Fine of CZK 351 million
In a recent decision, the ÚOOÚ imposed a fine of CZK 351 million on Avast Software s.r.o. for the unauthorized processing of personal data of users of its antivirus program and browser extension, which it transferred to Jumpshot, Inc.
It transmitted a pseudonymised internet browsing history linked to a unique identifier, which made the data available to marketers who could access consumers' online behaviour.
As a result, users were misinformed by Avast about the transmission of anonymous data for the purpose of trend analysis.
In addition, it was shown that the data transmitted were not anonymised, at least in part, and that the purpose of the processing of these data was not merely the declared production of statistical analyses, as claimed by the company.
- Municipal camera system
A certain municipality had a camera system installed to monitor public spaces. There were more than 40 cameras and some of them were equipped with vehicle number plate and driver face recognition.
The ÚOOÚ initiated proceedings for the imposition of measures to remove deficiencies and ordered the municipality to cease operation of the camera system, because the municipality as the controller had no legal basis for processing the personal data pursuant to Article 6 of the General Data Protection Regulation ("GDPR").
In this context, the ÚOOÚ pointed out that a municipality may not process personal data through the CCTV system for the purpose of monitoring public order without specific legal authorisation.
This authority under the law belongs to the municipal police and not to the municipality itself.
A municipality that does not have a municipal police force may process personal data through the CCTV system under the same conditions as any other data controller, e.g. for the purpose of protecting its property, provided, however, that such processing meets the criteria under the GDPR.
- Sending out offers to buy back receivables
The ÚOOÚ audited a company engaged in the purchase of receivables, which for this purpose addressed creditors in bulk with an offer to purchase their receivables.
After the audit, the ÚOOÚ concluded that the company processed personal data of creditors in the following scope: name, surname, residential address, date of birth, amount of the claim and specification of its legal title. This was done without a legal reason and without informing the affected data subjects (creditors) about the processing in violation of Article 14 of the GDPR.
By doing so, it committed an offence under Act No. 110/2019 Coll., on the processing of personal data (hereinafter referred to as the "Personal Data Act"), and the ÚOOÚ imposed a fine on it.
The ÚOOÚ disagreed with the company's argumentation that it processed the data because of a legitimate interest, because after conducting a balancing test, it concluded that the protection of personal data outweighed the interest of the company as a controller.
In particular, it pointed out that there was no prior or existing relationship between the company and the individual creditors, so the creditors could not have expected the company to process their data at all.
The ÚOOÚ summarized that although the processing of personal data for marketing purposes may be based on a legal ground of legitimate interest of the controller, the controller may do so only if this legitimate interest outweighs the rights and interests of the data subjects.
- Commercial communications sent by post
A significant part of the ÚOOÚ's agenda is dealing with complaints about unsolicited commercial communications, as stated in its annual report for 2023.
As we have indicated, in these cases, the processing of personal data may be carried out on the basis of a legitimate interest of the controller, but only if this interest outweighs the data subject's interest in the protection of his or her personal data.
According to the ÚOOÚ, legitimate interest in the case of commercial communications depends primarily on whether the data subject can reasonably expect the marketing offer with regard to the subject matter of the controller's activity.
- The ÚOOÚ points out that companies that send commercial communications often do not respond adequately to data subjects' requests for access to personal data, objection to processing or erasure of personal data;
- In similar cases, the ÚOOÚ usually warns the controller of its misconduct and only proceeds to exercise further supervisory powers when the controller fails to amend its procedures.
In this context, the ÚOOÚ also points to the very frequent offers to buy or sell immovable property addressed by various companies to their owners on the basis of finding out their data from the Land Registry.
The ÚOOÚ adds that in these cases it is not entitled to interpret Act No. 256/2013 Coll., on the Cadastre of Real Estate (the "Cadastral Act"), which allows data on the owners of real estate to be obtained even by means of remote access.
In this regard, it refers to the decision-making practice of the cadastral authorities, which has settled on the conclusion that targeting specific owners of immovable property with a specific offer is within the scope of the use of data for economic purposes and is not contrary to the Cadastral Act.
In the context of these types of offers, the most the ÚOOÚ can assess is whether controllers are properly fulfilling their information obligations and responding to data subjects' requests.
- Processing of personal data by SVJ or housing cooperative
In its annual report for 2023, the ÚOOÚ points out that it often handles complaints about the processing of personal data by unit owners' associations (SVJ) or housing cooperatives (BD).
The ÚOOÚ most often deals with issues where:
- entities do not inform the members of the SVJ/BD about the processing of data in accordance with the GDPR;
- do not deal with their requests to exercise their rights under the GDPR in an appropriate manner;
- often publish their data on the house notice board or in electronic systems accessible to other SVJ/BD members without any legal reason.
The ÚOOÚ states that in such cases it considers it more useful to draw the controller's attention to its misconduct and explain its obligations under the GDPR. This is usually sufficient to obtain redress and remedy the misconduct.
From the consultancy activities of the ÚOOÚ
- Delivery Satisfaction Questionnaires
The ÚOOÚ was asked to consult on a common situation in which a customer orders goods on the internet together with their delivery.
The contract is therefore concluded with the e-shop operator. However, the delivery service then sends the customer an email asking them to fill in a delivery satisfaction questionnaire.
The ÚOOÚ states that in this case the customer enters into a legal relationship (concludes a contract) only with the operator of the e-shop (the seller) and not with the delivery service, which delivers the goods on the basis of its contract with the seller.
Therefore, in this case, delivery service operators do not process the customer's personal data either for the performance of the contract or for legitimate interest.
Satisfaction surveys could thus only be sent with the prior consent of the addressees.
- Contractual penalty in the processing contract
Where a controller transfers personal data to a processor, e.g. an external supplier of some of the services the controller provides to its customers, Article 28 of the GDPR requires the controller and the processor to have concluded a personal data processing agreement.
The ÚOOÚ was asked whether it is possible to agree on a contractual penalty for a breach of obligations under such an agreement. The ÚOOÚ concluded that it is.
It pointed out that Article 28 of the GDPR provides only a demonstrative list of obligations that the processor must comply with, and nowhere does it prohibit securing compliance by agreeing on a contractual penalty.
It also referred to the fact that the personal data processing agreement is subsidiarily governed by Act No. 89/2012 Coll., the Civil Code, which also regulates the agreement of contractual penalties.
- Interpretation of the Whistleblower Protection Act in the context of the GDPR
The ÚOOÚ points out that the newly adopted regulation of the so-called whistleblowing contained in Act No. 171/2023 Coll., on the protection of whistleblowers, requires that the obligated entity be able to familiarize itself with the content of the report when handling it.
In doing so, however, it is not possible to provide information that could defeat or undermine the purpose of the report, unless the whistleblower has consented to this or the data was provided to public authorities.
If, in these cases, the disclosure of such data is refused, the ÚOOÚ considers this a restriction of the data subject's rights and requires that this step be communicated to the data subject in accordance with Section 11(2) of the Personal Data Act.
- Processing of biometric data for the purpose of operating the attendance system
The ÚOOÚ dealt with the issue of an attendance system based on scanning the fingerprint of each employee on entry.
It pointed out that the case involved the processing of biometric data, a special category of personal data whose processing is prohibited under the GDPR unless the case falls within one of the exceptions under Article 9(2) GDPR.
The employer argued that the employees had given their prior consent to the operation of the attendance system and the fingerprint scan.
However, the ÚOOÚ stated that in the present case, there may be doubts as to whether consent was freely given in the circumstances, given that employees are the weaker party in relation to their employer.
For these and other reasons, the ÚOOÚ concluded that Czech law does not currently allow the operation of an attendance system based on the use of biometric data.
From the case-law
- Responsibility for the dissemination of commercial communications rests with both the sender and the party that commissioned it
In the judgment of March 16, 2023, No. 6 As 18/2022-43, the Supreme Administrative Court (SAC) explained that responsibility for the distribution of commercial communications lies not only with the sender but also with the person who initiated such distribution for their own benefit, i.e. who ordered it or used affiliate partners or lead marketing tools.
The SAC pointed out that liability in this case is objective, i.e. it arises regardless of fault.
It thus confirmed the decision of the ÚOOÚ to impose a fine of CZK 1,400,000 for offenses under Act No. 480/2004 Coll., on certain information society services. The complainant was found to have distributed commercial communications from various email addresses of its affiliate partners.
It did not state the identity of the sender or the name under which the communication was made, nor did it provide a valid address to which the addressee could directly send notice that he or she did not wish to receive further commercial communications.
The SAC added that it is important that the disseminators of commercial communications, whether they are the principals (those who commission the dissemination) or the actual disseminators, sufficiently verify whether the addressees of the commercial communications have given their consent to such dissemination or, more generally, that the distribution is carried out in a lawful manner.
- Legitimacy of recording and retention of location data by electronic communications service operators (data retention)
In the judgment of March 27, 2024, File No. 30 Cdo 3909/2023, the Supreme Court (NS) ruled that the Czech Republic, due to the incorrect transposition of the European directive, allows the collection of communication metadata of internet and mobile phone users and their retention for a period of 6 months, in violation of EU law.
The Supreme Court noted that in the case of a proven violation of European law, the emergence of a claim for compensation for non-material damage is not excluded.
The Supreme Court further stated that in the case of interference with the fundamental right to respect for private life and to the protection of personal data, the mere fear of their misuse is itself capable of constituting non-material harm.
Thus, it will normally be sufficient to conclude that the perceived interference with the moral integrity of the person concerned does not appear unlikely, given the particular circumstances of the case and the position of that person.
The evidence should focus on the position of the victim and the objective factors that cause him to feel aggrieved by the storage of traffic and location data (and the theoretical possibility of its misuse).