This time we focus on the most important findings from the published information regarding inspections and decisions of the Office for Personal Data Protection in the first half of 2019. We are also reporting on further development concerning codes of conduct and certifications, on the procedure in the event of a security breach and procedure for informing customers about personal data processing, on an important decision related to cookies, and on an effort to unify the procedure for issuing penalties in Germany, and possibly the whole EU.
Office for Personal Data Protection Inspections and Decisions in the First Half of 2019
The Office for Personal Data Protection (“OPDP”) published an overview of completed and ongoing inspections for the first half of 2019 in the areas of personal data protection and unsolicited commercial communications. Below is a summary of the inspections and the most interesting findings.
- Inspection Frequency: In total, 43 entities were subject to inspections, both from the public sector (e.g. the Czech School Inspectorate, the Czech Television, various ministries) and the private sector (e.g. banks, insurance companies, IT companies).
- Inspection Triggers: In the area of personal data protection, about half of the inspections were initiated on the basis of the OPDP inspection plan; the other half was initiated due to a received notification or complaint, with 3 inspections being carried out as a result of security breach notifications made by data subjects. As for unsolicited commercial communications, all inspections were initiated due to notifications made by data subjects.
- Penalties Imposed: In total, 5 penalties were imposed in the area of personal data protection, the lowest being CZK 7,000 and the highest CZK 450,000, which was imposed on STEM/MARK a.s. for processing personal data without a legal basis (the company had bought a client database that leaked from one of the mobile operators). As for unsolicited commercial communications, the penalties ranged from CZK 25,000 to CZK 80,000, usually for breaches of obligations under the Act on Certain Information Society Services (insufficient identification of the commercial communication or of its sender).
Conclusions from the OPDP Inspection Activities and Advice:
- Balancing Tests: If personal data is processed on the basis of a legitimate interest, the OPDP expects the data controller to carry out a “balancing test”, i.e. to weigh the interests of the controller and of third parties against the interests and fundamental rights of the data subjects, and to document the outcome of that test.
- IT: If a computer system or software is attacked, the data controller needs to report the attack not only to the Police of the Czech Republic but also to the OPDP, as a personal data breach under Art. 33 GDPR (within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to data subjects).
- Financial Services and Insurance: If a business or part of it is transferred, all contractual documentation, including the personal data it contains, passes to the legal successor as well. The legal successor is obliged to process the personal data in the same manner as the previous owner did.
- Marketing: The OPDP advises against purchasing databases from unknown sources, because doing so is in practice unlawful: it amounts to processing personal data without a legal basis.
- Biometrics: Using voice biometrics to verify a client's identity during a call to a client centre is permissible as long as the client has given consent to it and can withdraw that consent at any time. The OPDP also found the use of FaceID technology justified in the inspected case, because the inspected entity was able to show that its use was necessary and that the purpose could not be achieved by other means.
- Obligation to Inform: When responding to a request for access, the controller has to provide the requester (among other things) with the specific recipients of their personal data. Categories of recipients may be given instead only where the identity of the recipient is not (yet) known to the controller, e.g. where the personal data will be (or may be) transferred to the recipient in the future.
Further Development Concerning Codes of Conduct and Certification
A code of conduct is a self-regulatory tool that enables personal data controllers and processors to demonstrate their GDPR compliance. The code should be specific enough to lay down the fundamental principles, procedures and requirements for the processing of personal data that follow from the GDPR for a group of controllers or processors in the same sector (e.g. banks or insurance companies). It is therefore usually drawn up by an association, union or other body representing several entities in that sector.
The code has to be submitted to the OPDP. The OPDP does not draft codes; it only reviews the text, issues an opinion on whether it complies with the GDPR and, where appropriate, approves it. Although adherence to a code of conduct is a voluntary way of demonstrating GDPR compliance, a controller or processor that declares adherence to it is obliged to submit to regular monitoring by an independent body. Before the whole process can start, the OPDP must submit its accreditation requirements for such monitoring bodies to the European Data Protection Board for approval. Until then, codes of conduct cannot be submitted to the OPDP.
Another way of demonstrating GDPR compliance is a data protection certificate. Certification is likewise voluntary and attests that the activities of the controller or processor comply with the GDPR. Among other things, a certificate can facilitate trade (especially the purchase and sale of specific products and services) or the transfer of personal data abroad. Certificates may only be issued by a certification body accredited by the Czech Accreditation Institute (“CAI”). At present it is not yet possible to apply to the CAI for accreditation, because the CAI has not yet received the accreditation criteria for the bodies that would subsequently issue GDPR compliance certificates.
How to Proceed in Case of a Security Breach and when Fulfilling the Obligation to Inform?
The OPDP published its findings on how data controllers report security breaches in practice. These findings are not just statistics: the OPDP also gives advice and recommendations on how to prevent such breaches and how to protect against them. The OPDP has also published a form that makes reporting breaches considerably easier and helps data controllers fulfil their notification obligation.
To date, the OPDP has received around 600 notifications. The most common type of breach is phishing: an attack in which a user is tricked into handing their login details to an unknown party, who then misuses them. The contacts the user has been communicating with become the next targets of the phishing campaign. A large proportion of such attacks ends with ransomware (malicious software) being installed in the system. Ransomware encrypts the user's data and offers to decrypt it only once the user pays a ransom. The best protection against this is regular data backup, ideally kept offline or otherwise isolated from the affected systems and periodically tested for restoration, since any backup the attacker can reach will be encrypted along with the rest.
If the affected data could be successfully restored and there were no other serious consequences, the incident does not need to be reported to the OPDP. Otherwise, the controller is obliged to notify the security breach. Note that restoring encrypted data from backup only addresses the loss of availability; if the attacker also gained access to the data or to credentials (as is typical after phishing), the breach also concerns confidentiality and must still be assessed for notification. The new form, which makes reporting easier, is helpful especially for controllers who do not have their own data protection specialist. The form not only simplifies the reporting itself; it also helps controllers fulfil their obligation properly.
How to Fulfil the Obligation to Inform Customers Properly
In commerce, the exchange of relevant information is necessary for establishing and performing a legal relationship. However, the information a customer provides to a business must be safeguarded accordingly and protected against potential misuse. Moreover, the business is obliged to process the information transparently and to give the data subject sufficient information about how it is processed.
In its methodology, the OPDP comments on the proper fulfilment of the obligation to inform. In practice, the OPDP often sees customers being informed about the processing of their personal data by a reference to a separate document or to the terms and conditions. Such an approach may give rise to interpretation problems. Referencing is permitted in practice, but all the information should be presented in one place, so that the customer can find it easily without having to search through several documents.
OPDP recommends the following procedure:
- Always define and describe the purposes for which the controller intends to process the personal data.
- An entity that obtains data from data subjects needs to inform them whether the provision of the data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether they are obliged to provide the data, and what the consequences of failing to provide it are, if applicable.
Pursuant to Articles 13 and 14 of the GDPR, further information on the intended manner of processing has to be provided for each processing purpose. In particular, this information has to include: the purpose and legal basis of the processing; the identity and contact details of the controller (and of its representative, if any); the recipients or categories of recipients of the personal data; and the existence of the rights of access, rectification and erasure, the right to restrict processing, the right to data portability and the right to object.
Storing Cookies Requires Active Consent
On 1 October 2019, the Court of Justice of the European Union ruled in case C-673/17 (Planet49) that storing cookies requires the active consent of internet users and that a pre-checked checkbox does not suffice.
The German Federation of Consumer Organisations (Verbraucherzentrale Bundesverband) challenged the practice of Planet49, which used a pre-checked checkbox on its online lottery site: by leaving it checked the user consented to cookies being stored in their browser, and the user had to untick it in order not to consent.
The Court of Justice also ruled that the information the service provider must give the user has to include the lifespan of the cookies as well as whether third parties may have access to them.
The judgment is of interest for the Czech Republic, because German legislation (like the Czech legislation) does not require consent to the storing of cookies on websites to be given actively, although under the ePrivacy Directive it should be. It will therefore be interesting to see whether the Court's ruling sparks a debate about amending the relevant Czech law.
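As an added illustration (not part of the original article and not code from the Planet49 proceedings), the following Node.js snippet models the difference between the pre-ticked checkbox the Court rejected and an active opt-in, and shows how a server would gate its Set-Cookie headers on that consent while disclosing each cookie's lifespan and third-party access up front. The cookie names, lifespans and the partner hostname are constructed for the example.

```javascript
// Added example: gating non-essential cookies on *active* consent and
// disclosing lifespan and third-party access, as the Planet49 ruling requires.
// Cookie names, lifespans and the partner host below are made up.

const DAY = 24 * 60 * 60;

// Catalogue of cookies the site would like to set. `maxAgeSeconds: null`
// denotes a session cookie (removed when the browser closes).
const COOKIE_CATALOGUE = [
  { name: 'sid', purpose: 'keeps the user logged in', essential: true,
    maxAgeSeconds: null, thirdParty: null },
  { name: 'ad_id', purpose: 'ad personalisation for lottery sponsors', essential: false,
    maxAgeSeconds: 365 * DAY, thirdParty: 'ads.example-partner.test' },
];

// Text to show next to the consent checkbox: how long each non-essential
// cookie lives and whether a third party can read it.
function consentDisclosure(catalogue) {
  return catalogue.filter(c => !c.essential).map(c => {
    const life = c.maxAgeSeconds === null
      ? 'until the browser is closed'
      : `${Math.round(c.maxAgeSeconds / DAY)} days`;
    const who = c.thirdParty ? `readable by ${c.thirdParty}` : 'not shared with third parties';
    return `${c.name}: ${c.purpose}; stored for ${life}; ${who}`;
  });
}

// The rejected design: whatever state the box has at submit time counts,
// even though the box was rendered already ticked.
function legacyConsentFromForm(form) {
  return form.checkedAtSubmit === true;
}

// Post-ruling rule: a pre-ticked box is no evidence of a choice (the server
// cannot tell "left as is" from "unticked and re-ticked"), so only a box that
// was rendered unticked and is ticked at submit counts as consent.
function consentFromForm(form) {
  return form.defaultChecked === false && form.checkedAtSubmit === true;
}

// Set-Cookie headers for the response: essential cookies are always set,
// everything else only with active consent. Cookie values are placeholders.
function setCookieHeaders(catalogue, consentGiven) {
  return catalogue
    .filter(c => c.essential || consentGiven)
    .map(c => {
      const attrs = [`${c.name}=${c.name}-value`, 'Path=/', 'Secure', 'SameSite=Lax'];
      if (c.maxAgeSeconds !== null) attrs.push(`Max-Age=${c.maxAgeSeconds}`);
      return attrs.join('; ');
    });
}

// Demo: the lottery form left pre-ticked versus actively ticked by the user.
const untouchedPreTicked = { defaultChecked: true, checkedAtSubmit: true };
const activelyTicked = { defaultChecked: false, checkedAtSubmit: true };
console.log('disclosure:', consentDisclosure(COOKIE_CATALOGUE));
console.log('legacy, pre-ticked   ->', setCookieHeaders(COOKIE_CATALOGUE, legacyConsentFromForm(untouchedPreTicked)));
console.log('ruling, pre-ticked   ->', setCookieHeaders(COOKIE_CATALOGUE, consentFromForm(untouchedPreTicked)));
console.log('ruling, active tick  ->', setCookieHeaders(COOKIE_CATALOGUE, consentFromForm(activelyTicked)));
```

The point of `consentFromForm` is that the evidence of consent comes from how the form was rendered, not only from what was submitted; a site that stores the rendered default alongside the submitted value can later show the supervisory authority that the opt-in was the user's own action.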
German Authorities Trying to Unify the Penalising Procedure
The joint body of the German data protection supervisory authorities (the Datenschutzkonferenz, “DSK”) agreed on a new model for setting fines under the GDPR. Technically, the model fleshes out the criteria laid down in Art. 83 GDPR, and it will most probably be debated and amended further. Its aim is to give the supervisory authorities a common methodology, so that administrative offences in the area of personal data protection are assessed, and fines for them set, in a systematic and transparent manner. The model applies only to fines imposed in proceedings against companies; it does not apply to fines imposed on associations or natural persons for offences unrelated to their business activities.
According to German experts, the methodology will lead to considerably higher fines than have been usual under the existing decision practice of the German supervisory authorities. Its largely linear calculation, which starts from turnover, poses a risk of heavy sanctions especially for companies and groups with high turnover. Although it is only a model, the methodology is already taking root in practice: the Berlin Commissioner for Data Protection, for example, has recently announced an intention to impose fines in the millions of euros. It was also announced that the methodology would be submitted for discussion to the European Data Protection Board, which brings together the supervisory authorities of the individual member states. It is therefore possible that the methodology will in future be adopted in other member states as well.
The published model rests on two key factors: the severity of the infringement and the size of the company concerned. The first part of the document sets out a methodology for assessing the harmfulness of the infringement by assigning it a “severity level” (Schweregrad). The model classifies infringements as minor (leicht), medium (mittel), serious (schwer) and very serious (sehr schwer). The most relevant factors for this assessment are the duration of the unlawful conduct, the nature, scope and purpose of the unlawful processing, the number of data subjects affected and the extent of the damage they suffered. Also taken into account are fault (negligence or intent), measures taken to mitigate the damage, any previous infringements, cooperation with the supervisory authority, and compliance with corrective measures previously ordered by the supervisory authority.
The second part of the document contains guidance on calculating the specific amount of the fine according to the size of the enterprise. The size assessment is based primarily on a “daily rate” (Tagessatz), which is derived from the global turnover of the enterprise (or group) for the last 360 days. The methodology divides enterprises into 4 groups (micro, small, medium-sized and large), each further split into subcategories so that the enterprise can be placed as accurately as possible. The daily rate is then multiplied by a fixed coefficient that depends on the severity level assigned to the infringement.