


Czech Data Protection Authority’s control plan for 2023 published!

published on 24 February 2023 | reading time approx. 3 minutes


The Office for Personal Data Protection ("the Office"), the principal data protection authority in the Czech Republic, recently published its control plan for 2023. The control plan hints at checks planned in pre-selected areas and companies. 

The controlling activity of the Office has been visibly increasing and we anticipate that the penalties imposed will also be higher. What is the plan then? 

Telemarketing 

In the first quarter of 2023, the Office will inspect the use of telemarketing in cooperation with the Czech Telecommunications Office. It will focus mainly on the existence of an appropriate legal basis for the processing and fulfillment of the information obligation towards data subjects. 

Selected employers

The Office further plans to check the processing of personal data by employers in their attendance record systems (incl. systems using biometric technology, we presume) by sending questionnaires to several preselected employers. 

Based on the evaluation of the answers, the Office will select “the winners” for its detailed inspection. It might be interesting to recall that the Office has a history of reporting some types of employment-related misconduct which, despite not violating GDPR directly, represented a potential breach of employment laws (such as fake cameras installed near bathrooms used by employees). 

Commercial Communications

The Office also wants to inspect compliance with the statutory conditions for the dissemination of commercial messages via SMS, especially with respect to the content of such communication under the relevant laws.

A significant data processor

According to its plan for the second term of the year, the Office plans to conduct an in-depth inspection of a major Czech processor of personal data (the name has not been revealed yet). This inspection will assess its general compliance with GDPR and analyze the involvement of other processors, the fulfillment of contractual obligations (Art 28 par. 3 and 4 GDPR) and evidence of the audits performed. 

Public Authorities

The Office further announces that it will continue its inspection of public entities such as the Police of the Czech Republic, the Ministry of Foreign Affairs (visa process) and the Ministry of Interior (Eurodac system for processing of fingerprints), as well as of processing activities carried out for the benefit of the general public, such as cameras with biometric functions used for the prevention, investigation or detection of criminal activities, or processing related to the identity card issue process.

The Office will naturally continue with inspections based on the complaints received and on its own initiative.

Coordinated Monitoring (under EDPB)

Last but not least, the Office will participate, along with other European supervisory authorities, in a coordinated monitoring action of the European Data Protection Board focused on personal data protection officers (“DPOs”). The monitoring will especially assess whether the DPO’s function is only formal “on paper” or whether they really perform their statutory duties in practice. 

In light of the recent ruling of the Court of Justice of the European Union (case C‑453/21 X-FAB Dresden GmbH & Co. KG), which addressed, among other things, the question of performance of multiple concurrent functions by a DPO, it will be important for controllers to reevaluate whether their DPO can sit “on more chairs” (for instance if an employee holds a senior management position such as HR Manager and DPO at the same time). 

The Court established that Article 38(6) GDPR must be interpreted to the effect that “a ‘conflict of interests’ may exist where a data protection officer is entrusted with other tasks or duties, which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor, which is a matter for the national court to determine, case by case, on the basis of an assessment of all the relevant circumstances…”

Authors:
Lenka Hanková - Senior Associate
Alice Meier - Associate
