Compensation for a leaked password

Internet server Lupa.cz has informed about a case of a Czech e-shop user claiming a court compensation for a login and identification data breach against the provider of the server.

From the initial amount of CZK 125,000, the e-shop must pay CZK 10,000 including the reimbursement of legal fees determined by the Court. According to the Court, the user´s right to informational self-determination was violated. The Municipal Court in Prague did not grant the requested amount to the plaintiff on the grounds that it was the plaintiff who amplified the range of adverse consequences of the password leakage by using them for other services.

The court judgement is not precedential. In other cases, it will surely depend on concrete circumstances and evidence to the case; the amount, length, and costs of the litigation probably do not create sufficient motivation for similar lawsuits. A possible change could take place in the future with the implementation of so-called class actions, but the Czech law does not recognise such measures yet. However, the case reminds us that in case of its infringement, even the GDRP allows the private enforcement of damages by concerned subjects.

Draft methodology concerning data protection impact assessment (DPIA) proposed by the Office for Personal Data Protection

The GDPR established a new obligation for personal data controllers, namely to conduct, in specific cases, a data protection impact assessment (DPIA). Following the prior publication of the rules which  identified cases in which it is necessary to implement conduct a DPIA , the Office for Personal Data Protection has now submitted, for an open discussion, on its website, a draft methodology which clarified what the DPIA should actually looked like and what it should contain.

The purpose of the DPIA is to prevent, in a timely matter, potential negative impacts of personal data processing by assessing potential risks and implementing adequate and effective technical and other measures. It is thus clear that such an assessment is conducted before the actual processing is commenced. If the  controller is obliged to prepare a  DPIA, he also has an obligation to archive all DPIA documentation for the purposes of a potential inspection.

How to proceed when conducting the DPIA

The Office for Personal Data Protection has divided the process of a DPIA preparation into 4 stages, which aim for a proper fulfilment of the obligation.

1. The controller should start by collecting information on the intended processing of personal data; the controller should also draw up a description of the processing and its purpose.
2. Another stage is to determine whether the controller is subject to the obligation of a DPIA preparation.
3. The third stage is the most complex one. It concerns the actual preparation of a DPIA. This stage is further divided into 8 parts, which include, among others, an assessment of the necessity and adequacy of the processing in terms of its purposes, assessment of risks to the rights and freedoms of the data subjects, monitoring and updating the DPIA, or securing opinions of the data subjects’ representatives, independent professionals or the  data protection officer (if  appointed). The Office for Personal Data Protection recommends that an  assessment of risks to the rights and freedoms of data subjects be conducted in 6 steps, such as, most importantly, identification of the primary and secondary assets (e.g. processed information, data storage mediums), the determination of vulnerability of data subjects (e.g. threats caused by outdated technological equipment, insufficient data or assets protection), the determination of threats (e.g. technological equipment damage, unwarranted access to the data), and the determination of possible risks.
4. The final stage is called monitoring and abiding by the measures and regular revision of the DPIA. For these purposes, the controller shall draw up a time schedule of the inspections.

ECHR case law: monitoring of employees and the right for privacy

The European Court of Human Rights (ECHR) has decided an interesting case regarding the monitoring of employees with CCTV cameras. The employer, a Spanish supermarket chain, found out during an inventory check that they had lost goods worth several tens of thousands of Euro. In order to figure out how it had happened, they installed on the business premises several cameras, public and hidden, whereas the employees were informed by the employer merely about the public ones. After ten days, the employer concluded that the goods had been systematically stolen by certain employees, whose employment contract was subsequently terminated. Some of these employees consequently claimed that the dismissal was invalid, and the case reached the ECHR.

In its decision, the ECHR measured the monitoring against the right to privacy of the employees, which was claimed to have been violated. The Court stated that although the employer is generally obliged to inform the employees about any cameras installed to monitor them, there were fair reasons not to do so, especially given the large amount of thefts, the legitimacy of suspicion, and the fact that identifying the perpetrator of the thefts would have otherwise been nearly impossible. The employees were monitored merely for a limited time of ten days and the footage was only seen by a limited amount of people. The Court also noted that the employees had other ways to defend themselves (e.g. the local authority for personal data protection), which were not utilised. The court reached a conclusion that such employee monitoring was in accordance with the law.

The judgement is relevant to the Czech Republic as well, and it complements a series of other judgements of the ECHR concerning limits on employee monitoring.