The Czech Data Protection Office (“the Office”) has the power to investigate complaints and cases, and to impose penalties for breaches of the data protection act; penalties can be up to CZK 10,000,000 (approx. 500,000 USD) and penalties can be imposed repeatedly if the same breach is also committed repeatedly. Liability for a particular offence ceases to exist if the Office fails to commence administrative proceedings within a year from the date on which the Office learned about the breach, however no later than three years from the date of the breach.
Individuals can seek judicial remedies and damages for breach of the protection of their personhood.
An individual found guilty of the unauthorized disposal of personal data may be punished by imprisonment for a term of up to 8 years. Legal entities may not be criminally liable for unauthorized disposal of personal data.
Selected Enforcement Actions / General Comments
Some examples of recent enforcement action in the Czech Republic include:
- A fine of CZK 3,500,000 was imposed by the Data Protection Office on Komerční pojišťovna, a.s. for the leakage of client data.
- A fine of CZK 100,000 was imposed on Eurotel for misplacement of documents containing personal data.
- A fine of CZK 2.3mil was imposed by the Data Protection Office on the State Institute for Drug Control for the unauthorized processing of health data of patients.
- A fine of CZK 160,000 fine was imposed on Scarabeus, a B2B company for the breach of rules for sending commercial messages via email (anti-spam rules).
- A fine of CZK 300,000 was imposed on GE Money for the unauthorized processing of telephone contacts to potential clients of GE Money Bank, GE Money Auto and GE Money Multiservis.Many companies investigated for operation of cameras at the work site and thus encroaching employees’ right to protection of privacy.
- A fine of CZK 450,000 was imposed on the Ministry of Education by the Data Protection Office for the leakage of personal data of pupils attending schools which were awarded grants by the Ministry of Education.
- A fine of CZK 100,000 was imposed on the Chief public prosecutor by the Data Protection Office for the publication of wages of employees of the Chief public prosecutor’s office.
- A fine of CZK 1,8mil was imposed by the Data Protection Office on Komerční banka for the leakage of clients data.
- A fine of CZK 450,000 was imposed by the Data Protection Office on the Ministry of Education for the online publishing of personal data of pupils who received grants to study.