Enterprise Services

Exceeding Expectations

Czech Republic: UOOU fines Ministry of the Interior

Company News

Violations of the Act the UOOU imposed a fine of CZK 975,000 (approx. €41,553) on the Ministry.

The Office for Personal Data Protection (‘UOOU’) published, on 24 April 2023, a statement on its decision to fine the Ministry of the Interior of the Czech Republic CZK 975,000 (approx. €41,553) for violation of Act No. 273/2008 on the Police of the Czech Republic (‘the Act on Police’) and Act No. 110/2019 Coll. on Personal Data Processing (‘the Act’), following an investigation.

Background to the case

In particular, the UOOU highlighted that the case concerned the processing of personal data of persons who were ordered to be isolated due to a proven case of COVID-19, and that approximately two million people contracted the disease between 1 April 2021 and 8 March 2022. More specifically, the UOOU clarified that the police of the Czech Republic collected personal data about the health of persons across the board as a preventative measure.

Findings of the UOOU

Following its investigation, the UOOU found that the police collected personal data about the health of persons without connection to a proven case of COVID-19. Likewise, the UOOU noted that sufficient information regarding collection is necessary in order to allow the person in question to defend themselves against unauthorised personal data collection.

In addition, the UOOU found that the police failed to conduct a Data Protection Impact Assessment (‘DPIA’) on the initiation of such an extensive and serious collection of personal data. Further, the UOOU noted that the police should have discussed the intended general collection and processing of health data with the UOOU in advance. Specifically, Jiří Kaucký, Chairman of the UOOU stated that ‘[i]f the Police of the Czech Republic had taken these steps, they would have found out in time – either by themselves, when assessing their own planned activities, or later when discussing with [the UOOU]- that, according to existing laws, they are not allowed to carry out such a general collection of personal data about health status at all’.

Therefore, the UOOU found the police to have violated the Act, owing to the failure to conduct a mandatory DPIA prior to the collection and processing of health data.

Outcomes

As a result of the aforementioned violations of the Act on the Police and the Act, the UOOU imposed a fine of CZK 975,000 (approx. €41,553) on the Ministry.

You can read the press release, available in Czech, here.