In March 2019, the most important event in personal data protection was undoubtedly the adoption of the GDPR Adaptation Act and the relevant accompanying act. In doing so, the Czech Republic remedied one of its legislative shortcomings as it was one of the last EU states lacking the Adaptation Act. Following France, another EU state that has fined a higher fine for violating the GDPR is Poland.
The Czech Parliament has Adopted the GDPR Adaptation Act
On 12 March 2019, the Chamber of Deputies approved two drafts of what are referred to as “GDPR Adaptation Acts”, which the Senate had previously returned with comments primarily directed against the extension of the competencies of the Office for Personal Data Protection (the “OPDP”) in respect of the right to information and against the mere decrease in fines for some public entities.
The Personal Data Processing Act (the “PDPA”), which will replace the existing Act No. 101/2000 Coll., on Personal Data Protection, had been adopted in the Senate’s version. In contrast, in the Accompanying Act amending certain acts in relation to the adoption of the Personal Data Processing Act (the “Accompanying Act”), the Deputies upheld their original proposal. On 10 April 2019, the new rules governing personal data protection were signed by the President.
Besides the enactment of exceptions admitted by the GDPR and the specification of certain GDPR definitions, the objective of the PDPA and the Accompanying Act is also the implementation of two criminal-law directives.
The adoption of the act will affect, for example, the following:
- The Internet age of consent (finally stipulated at 15 years);
- The term ‘legitimate interest’ under the GDPR and relating exceptions;
- The exception from assessing the impact on personal data protection;
- The obligation of certain public authorities to appoint a Data Protection Officer;
- The impossibility of fining certain public entities;
- The accreditation of the GDPR certification authorities;
- Personal data processing for journalistic purposes; and
- The amendment to almost 40 acts, which will be primarily reflected in criminal law.
As a result of the adaptation package, Act No. 106/1999 Coll., on Free Access to Information, will newly include a provision introducing the institutes of what is referred to as an ‘information order’, based on which the liable entity will be obliged to provide the applicant with the requested information under the above-stated legislation. The new provisions of the Information Act will apply with effect from 1 January 2020.
No Fines for Selected Public Entities
The final wording of the PDPA fully abolishes the possibility of imposing administrative sanctions for the misuse of personal data on some public entities (municipalities not having extended powers in the scope of the municipal authority of a municipality with extended powers, and educational facilities established by municipalities) as requested by the Senate, which had argued that this would merely result in the transfer of funds as part of public budgets. According to the original proposal, only the maximum limit to fines should have been decreased.
The First Fines for Violating the GDPR Abroad
The Polish Personal Data Protection Office released information that it had imposed a sanction of PLN 943,000 (approximately EUR 220,000). The fine was imposed for a failure to comply with the reporting duty. According to the Office’s information, up to six million data subjects were unaware of processing and thereby were unable to exercise their rights as stipulated by the GDPR. The company, on which the fine was imposed, collected the data from a publicly accessible register similar to the Czech Trade and Commercial Registers. In the case, it argued by saying that it would be extremely costly to comply with the reporting duty in relation to the persons in respect of whom it did not have e-mail addresses. Given that the company had the telephone numbers and postal addresses of the subjects, the Office did not accept the argument.
In Denmark, the relevant office seeks to impose a fine on a taxi service operator for storing personal data for an excessive amount of time, specifically for storing telephone numbers for five years without sufficient justification. The proposed sanction corresponds to EUR 160,000; however, it has yet to be approved by Danish courts.
For the Polish Office’s information about the imposed fine follow this link.
The article is part of dReport – April 2019, Legal news.