Czech Republic: UOOU announces investigation of private supplier of online COVID-19 vaccination registration system

The Office for Personal Data Protection (‘UOOU’) announced, on 1 February 2021, that it is investigating a private supplier, following receipt of complaints containing serious suspicions of breaches of personal data protection legislation during data processing, as part of the online registration for COVID-19 vaccination. In particular, the UOOU highlighted that the purpose of the investigation will be assessing the legitimacy of the transfer of personal data to the US via cookies, verifying the data security measures of such transfers, and identifying whether the information obligation when processing personal data within the system was fulfilled.

More specifically, the UOOU stated that the Ministry of Health of the Czech Republic and the National Agency for Communication and Information Technologies had, on 20 January 2021, sent a notification to the UOOU in relation to the data breach that occurred within the registration system, highlighting an error in the functionality of the reservation system operated by a private supplier, resulting in the disclosure of individual insurance numbers and dates of birth, and subsequent transfer of such data to Google Analytics. Lastly, the UOOU noted that following the investigation, it will order the Ministry of Health (i.e. data controller) or the private supplier (i.e. data processor) to take any necessary further steps.

You can read the statement, only available in Czech, here.