Activities of the Office for Personal Data Protection in the past year

In February, the Office for Personal Data Protection (the “Office”) published the annual report for 2019, which includes, inter alia, the results of its control activities.

What regulations did the Office follow?

The checks initiated by the Office in 2019 were already carried out in accordance with the GDPR (General Data Protection Regulation) or the so-called adaptation Act No. 110/2019 Coll., on the Protection of Personal Data. However, as the proceedings initiated in 2019 under effectiveness of the former Act No. 101/2000 Coll., on the Protection of Personal Data, were still running, the Office was closing such proceedings and also imposed penalties under this former regulation. In connection with supervisory activities in the field of business communications, the Office acted in accordance with Act No. 480/2004 Coll., on Certain Information Society Services.

What areas did the Office focus on?

For example, the use of cookies or the processing of biometric data was the subject of checks in 2019, namely the use of fingerprints for identification purposes. Another specific area that the Office dealt with in the past year was the healthcare sector where the Office specifically focused on the processing in laboratory screening of newborns. In 2019, the Office also focused on the the processing of personal data of persons transported by public transport (Dopravní podnik hl. m. Prahy, a.s.).

What were the most common cases of non-compliance?

Most often, the controllers noted non-compliance with the basic principles of processing, the absence of a legal basis for the processing of personal data, as well as violation of the rights of the data subject. The breach also occurred, for example, in the area of personal data security or dissemination of business communication. In its annual report, the Office also noted that in 2019, it had encountered a refusal of cooperation and in 11 cases even had to impose a fine for a failure to provide cooperation under Act No. 255/2012 Coll., the Inspection Code. In 2019, the Office imposed penalties on a total of 32 entities in the aggregate amount of almost CZK 1 million. The total amount of the penalty imposed by the Department of Commercial Communications was CZK 2 099 000.

Organisational changes within the Office – reorganisation of the Supervisory Section

In connection with the adoption of the so-called adaptation act, reorganisation of the Supervisory Section has taken place since 1 July. New control teams have been established within specialised departments and four existing inspectorates have been replaced by two departments carrying out control and supervision activities in the private and public sectors.

Who was subjected to checks by the Office?

A total of 68 checks were initiated in 2019, including those relating to commercial communications, of which a total of 5 were commenced. The checks affected both the public (e.g. the Czech Social Security Administration or the General Financial Directorate) and private-law entities (banking and non-banking entities, casinos, SMEs), with checks arising both from the findings of the complaints agenda and on the basis of the 2019 control plan. The controls also targeted political parties to check the processing of personal data both within and outside their membership.

Control plan of the Office for 2020

Also in February, the Office published the Control Plan for 2020 on its website.

This year, the Office plans to carry out a total of 29 checks, focusing mainly on smart energy measurement, operation of camera systems using biometrics, control of the use of cookies and the dissemination of business communications. The Control Plan also includes the control of entities providing non-bank loans – the Office wishes to verify the procedures upon requesting and processing personal data when processing applications for a financial product, as well as to verify the correctness of meeting the information obligation of the controllers and their actions in cases where the persons affected by the processing exercise their rights.

Within the public sector, the Office will check, for example, the District Social Security Administration, the visa information system and the national register of covered health services. The Office will also focus on ensuring the safety of personal data of pupils and their teachers.

Smart quarantine

From the perspective of personal data protection, an interesting and partly controversial achievement is the project of the so-called smart quarantine.

What is it?

Smart Quarantine is a system that aims to prevent the spread of COVID-19 in the Czech Republic, while easing the measures issued by the government in times of emergency in order for life in the country to gradually go back to the state before the outbreak. It is currently being tested in the Olomouc Region, the Central Bohemian Region and Prague, and other regions are gradually being included. The system was fully launched on 1 May.

How does the system work?

According to the published information, the Public Health Office calls the patient at their phone number and informs him/her that he/she has tested positive. It will ask him/her for his/her consent to the processing of personal data obtained from the telephone operator and the bank in order to create the so-called memory map. If consent is not granted, the patient will be asked to list the people he/she has met in recent days and the places he/she has visited. However, this information may not be completely accurate, because the patient may not remember everything. If consent is granted, data from the telephone operator and credit card information will help identify where the patient was present and potentially infected people. The Public Health Office will inform the detected persons telephonically and they will undergo a test for the presence of the coronavirus. Data from the memory map will be erased or anonymised no later than after 6 hours.

Confusion about how personal data is processed in the context of smart quarantine

However, a number of uncertainties as to the processing of personal data still remain. The first one concerns whether consent of the positively tested person should be obtained for the processing (i.e. for the creation of the memory map). Although the Ministry of Health, in extraordinary measure MZDR 12398/2020-1/MIN/KAN, makes the processing of personal data conditional upon consent, which corresponds to the regime of Article 6(1)(a) of the GDPR, the Office for Personal Data Protection (the “Office”) in its statement of 2 April states that the data are processed by public authorities in the exercise of official authority or, where appropriate, by private controllers in the public interest, within the meaning of Article 6(1)(e) of the GDPR. Despite this, consents to the processing are collected.

Furthermore, it is not clear to what extent the personal data processing issues have been consulted with the Office itself. At the end of March 2020, the President of the Office asked the Minister of Health for specific documentation on the smart quarantine project. Following incorrect media information (incorrectly pointing to its approval role), the Office states that only basic information has been sent by the Ministry. Subsequently, there was also a joint meeting with the management of the Ministry, the Chief Health Officer of the Czech Republic and the data protection officer of the Ministry of Health. The Office’s comments were partially incorporated into the project and correct information on all aspects of the processing of personal data in the smart quarantine project was published on the website.

However, the Office does not appear to have received the complete documentation and thus it cannot comment further on the individual measures and technologies. Of course, the consultation of certain parts does not relieve controllers and processors of the obligation to actively use tools to protect personal data themselves, thus preventing risks through an ongoing control and informing the persons concerned about key details of the project.

It is also worth noting that the smart quarantine project uses datasets (e.g. telecommunication data), a collection option that has been the subject of judicial discussions for years (Constitutional Court, Court of Justice of the European Union).

It will be interesting to observe the smart quarantine project, both in terms of its practical functioning and in terms of the precedent setting of similar projects, which by nature must balance between substantial interventions into privacy of individuals and the protection of important public interests.