Over a year has passed since the entry into force of the General Data Protection Regulation, whereas it is possible to evaluate the extent to which the numerous concerns about high administrative fines regulated by the GDPR were confirmed in this initial period.

On 31.5.2019, the Office for Personal Data Protection of the Czech Republic provided information on the fines imposed for breach of the GDPR, respectively made the relevant decisions or orders available. By 31.5.2019 (i.e. over more than a year after the entry into force of the  GDPR) only 9 fines, which have become final, were imposed by the Czech supervisory authority for breach of the GDPR, whose amount was in most of the cases low, respectively at the lower end of the range – 1x CZK 5 000, 2x CZK 10 000, 1x CZK 15 000, 1x CZK 20 000, 2x CZK 30 000, 1x CZK 80 000 and the highest fine of CZK 250 000.

The highest fine of CZK 250 000 was imposed on a bank (in connection with the activity of its registered branch as the branch of a foreign bank), whose main activity is in particular deposit-taking, granting loans and provision of payment services. The inspection was initiated on the basis of the control plan of the Office for 2018, whereas the subject of the control was compliance with obligations regarding processing of the personal data of the clients with respect to loans granted by the registered branch of the bank. The Office for Personal Data Protection identified two breaches of the bank as a controller of the personal data of its clients, namely (i.) breach of the principle of personal data processing provided for in Art. 5 (1) point c) of Regulation (EU) 2016/679, namely the principle, that the personal data have to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed („data minimisation“), by…processing also biometric signature of the clients (which falls within a specific category of the personal data whose processing is possible only in cases specifically provided for) when concluding contracts concerning granting of loans with clients in electronic form for the purpose of conclusion and retention of contractual documentation and simplification of this process, which was not necessary for conclusion of the relevant contract nor for its performance…, and furthermore (ii.) breach of the fundamental data processing principle provided for in Art. 5 (1) point e) of Regulation (EU) 2016/679, namely the principle, that the personal data have to be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed („storage limitation“), by… keeping all records of phone calls with clients (without drawing any distinction between e.g. phone calls on the basis of which the business is carried on, and other informative phone calls or phone calls for service support), who have established a framework agreement on provision of banking products and services or a classical credit agreement and/or a revolving credit agreement with the bank, for the entire duration of the agreement and furthermore for the next 10 years after all the obligations of the client have been fulfilled. It is apparent that several serious breaches were concerned, moreover in case of a publicly regulated person. Also the second highest fine (CZK 80 000) was imposed on a company providing banking services, namely for several breaches.

In other case, the breach of Art. 15 (1) of Regulation (EU) 2016/679 was found at several occasions, namely the right of the data subject to obtain confirmation from the controller, whether the personal data relating to him/her have been or have not been processed, and if so, the subject shall be entitled to obtain access to these personal data and information, whereas the fines imposed ranged from CZK 5 000 to CZK 20 000. A fine of CZK 10 000 was imposed for breach of Art. 6 (1) of Regulation (EU) 2016/679, namely the obligation to process personal data only on the basis of some of the legal grounds (whereas the breach has not been remedied even despite a repeated call). All these proceedings have been initiated following complaints of the complainants, i.e. the data subjects.

The case was also of interest for the practise, where the Office established with the person controlled (the control was initiated following a report that a personal data breach has occurred, whereas at the same time the Office has received a complaint) on one hand the breach of Art. 28 (3) of Regulation (EU) 2016/679, namely the obligation specifying that processing by the processor shall be governed by a contract or any other legal act under Union law or under the law of the Member State, and at the same time also the breach of Art. 5 (1) point f) of Regulation (EU) 2016/679, namely the principle that the personal data have to be processed in such a way which will ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures („integrity and confidentiality“) by failing to secure the personal data…of the data subjects, players of the internet online game on the internet address … as a result of which among others these data have been published on the internet address … for a ca 30 minutes. The Office imposed a fine of only CZK 15 000 for these two breaches. We see the importance in particular with respect to the first breach where the requirement to conclude contracts with processors imposes on the processor, among others no small administrative and financial demands, whereas the conclusion of such a contract does not depend only on the will of the controller (in practise, some processors defend themselves from such an obligation, or delay its fulfilment for different reasons). It follows from this example, that for the controller, the breach is associated with the risk of a fine, nevertheless rather in a low (appropriate) amount.

It follows from the ongoing summary that the initial serious concerns about high fines under the GDPR have not been confirmed yet. The Office for Personal Data Protection of the Czech Republic carries out inspections, in particular on the publicly regulated subjects, or subjects which – by its nature – process large amount of the personal data and is practically limited, among other by the number of its inspectors; otherwise the proceedings are rather initiated ad hoc following complaints of the data subjects, or reported by the data controller. The fines imposed so far remain within reasonable limits, or rather at the lower end of the range, even if several breaches have been identified. Among others, also with respect to predictability of the decision-making process of public authorities without unjustified differences in identical or similar cases, we assume that the fines imposed by the Office will continue to be as a rule within the above mentioned limits on the grounds that a high fine would be imposed in an exceptional case of the (by the Office identified) breach with a very serious impact on a wide range of the data subjects.