Data protection enforcement according to Czech law

Sanctions under Czech law

There are three basic types of sanctions for data collectors or processors under Czech law: administrative, criminal and civil.

Administrative fines

The Czech Office for the Protection of Personal Data (the Office) may impose administrative fines for a violation of data protection regulation under Czech Act No. 101/2001 of April 4, 2000 on the Protection of Personal Data (the Act).

The administrative fine depends on several major factors, in particular the type of breach and who the data controller or processor is.

The fines also depend on whether the data controller or processor is a natural or legal person.

A natural person may be fined for violating obligations such as:

  • confidentiality (Article 44(1) of the Act)
  • specification of the purpose, means or manner of processing, or exceeding of authority (Article 44(2)(a) of the Act)
  • retaining personal data for a longer period than permitted (Article 44(2)(d) of the Act)
  • processing without consent (Article 44(2)(e) of the Act)
  • failure to provide proper information (Article 44(2)(f) of the Act)
  • measures for ensuring the security of personal data processing (Article 44(2)(h) of the Act) or
  • the notification obligation (Article 44(2)(i) of the Act)

The Office may impose a fine of up to 1 million CZK. However, the Office may impose a fine of up to 5 million CZK (Article 44(6) of the Act) if the natural person violates these obligations (except confidentiality) in a way that:

  • endangers a substantial number of persons through unauthorized interference with their private and personal lives, or
  • breaches the obligations relating to sensitive data

For a legal person or a self-employed natural person, the list is very similar to that for a natural person, except for the confidentiality obligation (Article 45 of the Act). An additional obligation is that they must also maintain an inventory of personal data breaches pursuant to Article 88(7) of the Electronic Communications Act No. 127/2005.

The Office may impose a fine of up to 5 million CZK for a violation of these obligations. Similarly to natural persons, the Office may impose a fine of up to 10 million CZK (Article 45(4) of the Act) if these obligations are violated in a way that:

  • endangers a substantial number of persons through unauthorized interference with their private and personal lives, or
  • breaches the obligations relating to sensitive data

A special regime applies to breaches of a prohibition on publishing personal data imposed by other legislation. For both natural and legal persons, the fine is up to 1 million CZK, but may be up to 5 million CZK if the personal data were published by press, film, radio, television, a publicly accessible computer network or by other equally effective means (Article 44a or 45a of the Act).

A legal person may be exempted from liability if it proves that it made all reasonable efforts to prevent the violation of an obligation. Moreover, a legal person is not liable if the administrative body has not initiated proceedings within 3 years from the date when the violation occurred or within 1 year from the date the administrative body became aware of the violation.

When deciding on the amount of the fine, the Act specifies the criteria (Article 46(2) of the Act) to be taken into account:

  • the seriousness,
  • manner,
  • duration and
  • consequences of the unlawful behaviour, and
  • the circumstances under which the unlawful behaviour was committed

Finally, the Office may impose not only sanctions but also measures that a data controller or processor must implement in order to eliminate the established shortcomings, and the Office also sets a deadline for their elimination (Article 40 of the Act).

The anonymized decisions of the Office imposing sanctions and administrative fines can be viewed on its website.

Criminal sanctions

Under specific criteria, a natural person or a legal person may be sanctioned criminally. There are three different levels of punishment, depending on the seriousness of the crime.

First level:

A natural person may be sanctioned under Article 180(1) of the Czech Criminal Code No. 40/2009 (the Criminal Code) if they:

  • even negligently wrongfully publish, communicate, make available, process or misappropriate personal data gathered on another person in connection with an exercise of public authority and cause a serious detriment to the rights or rightful interests of the person to whom the personal data relate, or
  • even negligently breach a state-imposed duty of silence by wrongfully publishing personal data obtained in connection with their occupation, employment or function and cause a serious detriment to the rights or rightful interests of the person to whom the personal data relate.

In the first case, the Criminal Code refers to several subtypes of data processing and also to processing in general. It is therefore possible to argue that a violation of any type of data processing in connection with the exercise of public authority pursuant to the Act may be sanctioned criminally.

The second case covers both public-authority and private data processing. However, it does not cover every type of data processing, only the wrongful publishing of personal data.

A natural person may be sentenced to:

  • imprisonment for up to three years, or
  • prohibition of activity.

Second level:

If the natural person commits one of the above-mentioned violations:

  • as a member of an organised group,
  • by press, film, radio, television, a publicly accessible computer network or in another similarly effective way,
  • causing substantial damage (at least 500,000 CZK), or
  • with the intention to gain substantial profit for themselves or for another person (at least 500,000 CZK),

such a natural person may be sentenced to:

  • imprisonment for one to five years,
  • a pecuniary penalty, or
  • prohibition of activity.

Third level:

If the natural person commits one of the above-mentioned violations:

  • causing extensive damage (at least 5,000,000 CZK), or
  • with the intention to gain extensive profit for themselves or for another person (at least 5,000,000 CZK),

such a natural person may be sentenced to:

  • imprisonment for three to eight years.

A legal person

A legal person may be criminally sanctioned in these cases:

  • if its authorized representative, a member of that body or another person with decision-making authority within the legal person decided to wrongfully publish personal data, or
  • if the legal person failed to implement technical and organisational measures for data security, internal directives, maximum time periods or controls on compliance with its rules, and an employee wrongfully published personal data.

In both cases, the behaviour of the legal person must have resulted in a serious detriment to the data subject or the person to whom the personal data relate.

A legal person may be sanctioned with dissolution of the legal person, confiscation of property, a pecuniary penalty, confiscation of assets, prohibition of activity, etc. (Article 15 of the Legal Persons Criminal Liability Act No. 418/2011).

A legal person may be exempted from liability if it proves that it made all justifiable efforts to prevent the violation of an obligation (Article 8(5) of the Legal Persons Criminal Liability Act No. 418/2011).

Civil sanctions

If a data subject finds or presumes that the controller or the processor is processing their personal data in a way that conflicts with the protection of the data subject's private and personal life or with the law, the data subject may:

  • ask the controller or processor for an explanation,
  • require the controller or processor to remedy the situation that has arisen, which can mean in particular blocking, correction, supplementing or liquidation (destruction) of the personal data, or
  • sue for damages pursuant to the general regulation of civil liability.

If personal data processing by the data controller or data processor leads to a breach of legal obligations, the data processor and the data controller are jointly and severally liable (Article 21(4) of the Act).