


A “taste” of the Czech Data Protection Authority's 2022 activities - key attention points!


published on 20 April 2023 | reading time approx. 3 minutes

The Czech Data Protection Authority (“Úřad pro ochranu osobních údajů” or “DPA”) published its activity report for the past year along with the results of the inspections carried out in the second half of 2022. 

A review of the reports allows us to identify the main areas that the DPA is focusing its attention on, to assess the sanction risk connected with certain processing activities and to suggest what priorities data controllers and processors should be focusing their efforts on to achieve compliance with the GDPR.

The Czech DPA in numbers

Based on the numbers disclosed in the last activity report of 2022, the DPA has intensified its supervisory activities compared to the past years (based on the activity reports of 2020 and 2021) in all the sectors falling within its scope: protection of personal data, dissemination of unsolicited commercial communications and free access to information. 

The DPA also registered a slight increase in reported data breaches, although it assumes that the overall number of breaches, including those that were not notified, is higher. A total of 313 data breaches were reported; the most frequent cause was a cyber-attack, for the most part involving ransomware.

In the area of health-care, the most common cause remains human error (such as the forwarding of medical records to the wrong care facility or unauthorized access to medical records by health care professionals). 

In this context, the DPA once again calls for compliance with regard to the correct formulation of the notification to the authority and identifies recurring failures of data controllers to fulfil their obligations to inform data subjects.  

Czech language and the performance of the functions of DPO

The DPA has reminded data controllers and processors that knowledge of the Czech language is a functional requirement for the fulfilment of a DPO’s tasks pursuant to art. 37(5) of the GDPR. 

If necessary, the DPO may be able to fulfil this language requirement with the assistance of a team, but must be able to communicate effectively with data subjects and cooperate with the DPA when needed.

Cookies still on the radar of the DPA!

Compliance with the statutory requirements on the use of cookies by website operators was regarded as the challenge of the year. 

Indeed, following the introduction of the opt-in regime for non-technical cookies (with the amendment of the Act on Electronic Communication at the beginning of 2022), the DPA observed a number of shortcomings in the setting of cookie-banners, due to a lack of sufficient information and due to non-compliance with the requirement of prior, specific and informed consent in line with the GDPR. 

In order to support and correctly guide website operators in understanding the opt-in requirement, the DPA published information materials and guidelines. 

Nevertheless, a quick visit to the websites of medium and large market operators still reveals widespread non-compliance. 

The DPA has shown some leniency following the introduction of the opt-in requirement; however, the results of the inspections in this area are likely to be disclosed later this year.

Attention points in the dissemination of commercial communication 

In the area of commercial communication, the DPA recorded that most complaints concerned commercial messages sent via SMS without legal grounds, without indicating the name of the person on whose behalf the communication is made, and without giving the recipient the possibility to refuse further commercial messages.

In this regard, one should not forget that the involvement of third parties does not exempt the beneficiary company from liability for the disseminated commercial communication.

Cybersecurity: a glimpse into the future 

Last but not least, the DPA reported on its efficient cooperation with the National Office for Cyber and Information Security (NÚKIB - Národní úřad pro kybernetickou a informační bezpečnost) in the field of cybersecurity and stated that the general expansion of digitisation, increasing use of artificial intelligence and other technologies will most likely result in an intensification of the coordinated inspections carried out by the two authorities. 

Authors:
Lenka Hanková - Senior Associate
Alice Meier - Associate
