NSS - 10 As 190/2020 - 39

From GDPRhub
Revision as of 04:22, 28 April 2022 by SR
Court: NSS (Czech Republic)
Jurisdiction: Czech Republic
Relevant Law: Article 32 GDPR
Article 83(7) GDPR
Czech Law on Data Processing 2019
Czech Law on Data Protection 2000
Decided: 25.02.2022
Published:
Parties:
National Case Number/Name: 10 As 190/2020 - 39
European Case Law Identifier:
Appeal from: MSPH (Czech Republic)
14 A 26/2019 - 37
Appeal to: Not appealed
Original Language(s): Czech
Original Source: NSS (in Czech)
Initial Contributor: ea

The Czech Supreme Administrative Court held that a hospital did not amount to a public body within the meaning of Article 83(7) GDPR. According to the Court, such a body must be established by law, perform tasks in the public interest, not have its own property and be financed from public budgets.

English Summary

Facts

In 2018, the Czech DPA held that the controller, a hospital, had violated the duty to implement sufficient security safeguards under § 13 of the Czech Law on Data Protection 2000 (implementing the Data Protection Directive). The DPA issued a fine of 1,634 EUR to the controller. The controller requested a judicial review of the DPA's decision. In 2020, the City Court of Prague (MSPH) confirmed the DPA's decision. The controller subsequently requested a judicial review at the Supreme Administrative Court (NSS).

The appeal's main line of argument was that under Article 40(6) of the Czech Charter of Fundamental Rights and Freedoms, the court must apply a legal act enacted after the relevant events had taken place, provided that it is more favourable to the offender. In the specific case, the controller claimed that the MSPH should have applied the new law, namely the GDPR and its implementing act - the Czech Law on Data Processing 2019 - instead of the old Law on Data Protection 2000. The controller considered the former to be more favourable in two respects.

First, the controller considered that it would not have been found in violation of the duty to implement sufficient security standards under Article 32 GDPR in the same way as it was under § 13 of the Law on Data Protection 2000. This is because the controller's duty to "keep electronic records" under § 13(4)(c) of the Law on Data Protection 2000[1] has no counterpart in Article 32 GDPR, which does not explicitly refer to such a specific obligation and is therefore more favourable.

Second, the controller argued that even if it had been a violation of Article 32 GDPR, the DPA or the court could not have issued a fine against it under Article 83(7) GDPR. The latter provision stipulates that "[e]ach Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State." In the specific case, the Czech Republic had actually laid down such rules in § 62(5) of the GDPR implementing act - the Law on Data Processing 2019 - which provided that an administrative fine shall not be issued against "public authorities and bodies". The controller considered itself to be a public authority or body and hence exempt from any administrative fines under the new law.

Hence, the NSS had to consider whether the newly introduced provisions were more favourable to the controller. This raised two questions. First, whether Article 32 GDPR was more favourable to the controller than § 13 of the Law on Data Protection 2000. Second, whether the controller could have benefitted from § 62(5) of the Law on Data Processing 2019, which states that the DPA shall not issue an administrative fine to public authorities and bodies as defined in Article 83(7) GDPR.

Holding

First, the NSS held that the duty to implement sufficient security standards under the GDPR was not more favourable to the controller than the old law. Although § 13(4)(c) of the Law on Data Protection 2000 does not have an explicit corresponding counterpart in the GDPR, the controller also violated the more general § 13(1) which obliges the controller to "take such measures to prevent unauthorised or accidental access to, alteration, destruction or loss of personal data, unauthorised transfers, other unauthorised processing or other misuse of personal data." The NSS did not consider this duty to be less favourable to the controller than the corresponding duty under Article 32 GDPR.

Second, the NSS held that the controller could not have benefitted from the exemption for public authorities and bodies from administrative fines under § 62(5) of the Law on Data Processing 2019. This was because the controller (a hospital) was not a public authority or body within the meaning of Article 83(7) GDPR. In interpreting what amounts to a public authority or body under Article 83(7) GDPR, the NSS held that such an entity will normally be established by law and designed to perform tasks in the public interest. It will not have its own property and will be financed from public budgets. It is irrelevant whether it is a public institution within the meaning of the Freedom of Information Act or the Public Procurement Act, or whether it keeps medical documentation. The NSS concluded that the controller is not such a public authority or body, as it is a joint-stock company with its own assets and budget. Although it is predominantly financed by public health insurance, such funding is not public funding because the controller receives it in return for specific services and patients, not unlike private providers. Thus, although the controller provides healthcare that is certainly in the public interest, it does not amount to a public authority or body within the meaning of Article 83(7) GDPR.

Hence, the NSS held that the GDPR as implemented by the Law on Data Processing 2019 was not more favourable to the controller than the Data Protection Directive as implemented by the Law on Data Protection 2000. Consequently, the NSS held that the MSPH was correct in applying the latter and confirmed its decision.

English Machine Translation of the Decision

The decision below is a machine translation of the Czech original. Please refer to the Czech original for more details.

                                                                         10 As 190/2020 - 39










                                  CZECH REPUBLIC

                                   JUDGMENT

                        ON BEHALF OF THE REPUBLIC

The Supreme Administrative Court ruled in a senate composed of President Ondřej Mrákota and Judge Petr
Šebek and Zdeněk Kühn in the plaintiff's legal case: Tábor Hospital, a.s., Kpt. Jaroše 2000, Tábor,
represented by lawyer Mgr. Jiří Jarušek, Radniční 7a, České Budějovice, against the defendant:
Office for Personal Data Protection, Lt. Col. Sochora 27, Prague 7, against the chairwoman's decision
Office for Personal Data Protection of 13 December 2018, ref. UOOU-08001 / 18-14, pending
on the plaintiff's cassation complaint against the judgment of the Municipal Court in Prague of 20 May 2020,
Ref. 14 A 26/2019 - 37,


                                          as follows:


I. Cassation complaint.

II. None of the parties is entitled to reimbursement of costs.




                                   Reason:


                                     I. Definition of the matter

[1] Defendant by decision of 12 October 2018, ref. UOOU-08001 / 18-8, found
plaintiff guilty of committing an offense under § 45 para. h) of Act No. 101/2000 Coll.,
on the protection of personal data and amendments to certain regulations ("Personal Data Protection Act"),
because, as the controller of personal data, he did not take measures to ensure the security of processing
personal data in connection with the keeping of electronic medical records; specifically
the plaintiff was accused that from an unspecified period at least until 11 January 2018: a) audit records
(logs) in the hospital information system did not make it possible to identify and verify why
the electronic medical records were inspected, b) the plaintiff did not perform regular
access control to electronic medical records. According to the defendant, the plaintiff thus infringed
the obligation stipulated in § 13 par. 1 of the Personal Data Protection Act. It was imposed on him for that
fine CZK 80,000.


[2] The plaintiff appealed to the defendant's chairwoman, who concluded
she confirmed the offense, but found the fine to be disproportionate and reduced it to CZK 40,000.

[3] The plaintiff's action against the decision of the President of the defendant Municipal Court in Prague
rejected. He concluded that, if the applicant had kept records of who and when was personal
recorded and processed the data, but did not insist that the reason for the access be recorded
into electronic medical records and personal data processing, proceeded in contradiction
with the law. The city court did not find any mistake in the fact that the law on protection was applied
personal data and not Regulation (EU) No 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of individuals with regard to the processing of personal data
and on the free movement of such data (the "Regulation").


                                    II. Cassation proceedings


[4] The plaintiff (complainant) challenged the judgment of the Municipal Court in a cassation appeal. Believes,
that the judgment is unreviewable because the city court did not address its reference to the commentary
to the Personal Data Protection Act. He further argued that the Municipal Court had misinterpreted Section 13 (4)
letter c) of the Personal Data Protection Act and illegally assessed the question of what legal regulation they had
be used. According to the complainant, the law on personal data protection should not have been applied, but
Regulation, as it does not contain the obligation enshrined in § 13 par. 4 let. c) of the Protection Act
personal data. Nor can such an obligation be inferred from Article 32 of the Regulation, as it does incorrectly

Municipal Court. The complainant further alleged that the city court had not taken it into account when assessing the sanction
later legislation (Act No. 110/2019 Coll., on the processing of personal data),
which is more favorable to the complainant. The Personal Data Processing Act does not allow for storage
sanction for an administrative penalty against a public body. The complainant considers that he is a public
as it keeps medical documentation (according to Act No. 372/2011 Coll., on health services
and conditions of their provision), is a public contracting authority (according to Act No. 134/2016 Coll.,
on the award of public contracts), a public institution within the meaning of Act No. 106/1999 Coll.,
on Free Access to Information) and its activities are largely funded
public health insurance. Although the complainant is a person governed by private law, he is an established person

South Bohemian Region in order to fulfill the public interest.

[5] The complainant therefore requested that the SAC set aside the judgment under appeal and refer the case back to the municipal court
for further proceedings.

[6] The defendant disagrees with the cassation complaint and proposes to dismiss it. Judgment of the city
the court also considers its decision to be in accordance with the law. He states that in his time
decision on the processing of personal data has not yet been effective, but considers that

that this is not a more favorable standard for the complainant, as the complainant is not a public body.


                   III. Assessment of the case by the Supreme Administrative Court

[7] The appeal is unfounded.

                        III. 1. Unreviewability of a municipal court judgment


[8] First, the SAC dealt with the alleged unreviewability of the Municipal Court judgment.

[9] The unreviewability of a decision for lack of reasons must be interpreted in its own right
in the real sense, ie as the impossibility of reviewing a decision for the impossibility of ascertaining
the content itself or the reasons for which it was issued (cf. resolution of the Enlarged Senate of the SAC
of 19 February 2008, Ref. 7 Afs 212/2006 - 76). The institute of unreviewability is not allowed
arbitrarily extend and apply it to cases where the court has the substance of the objection of a party to the proceedings

duly deals with and explains why it does not consider the participant's arguments to be correct, albeit explicitly
in the statement of reasons for the decision does not respond to all conceivable aspects of the objection raised and commits
partial failure to state reasons. The decision on unreviewability is reserved
the most serious flaws of the decision, when for the absence of reasons or for incomprehensibility really
the decision cannot be reviewed on the merits. Unreviewable decision for lack

for such reasons, it has a place especially if the administrative body or court omits the participant's objection
to react completely (thus also implicitly) (cf. judgments of the SAC of 17 January 2013, ref. 1 Afs 92/2012 - 45,
or from June 29, 2017, ref. 2 As 337/2016 - 64). The fact that the administrative authorities cannot be overlooked
and the courts are not obliged to deal with every partial objection if they oppose the participant's claim
the procedure will give rise to a legal opinion in the competition of which the opposition as a whole will not stand. Such a procedure
The Constitutional Court also found it constitutionally compliant in its judgment of 12 February 2009, file no. III. ÚS 989/08,
according to which: “It is not a violation of the right to a fair trial if the general courts do not draw their own conclusions
on the detailed opposition (and refutation) of the individual objections raised, if he opposes his own comprehensive

an argumentation system that reasonably and reasonably interprets that supporting the correctness of their conclusions is itself
sufficient in itself ’.

[10] This was also the case here. Municipal court alleged misinterpretation
§ 13 par. 4 let. c) of the Personal Data Protection Act. He clearly stated
why it considers it necessary for the record to include information on the reason for the processing
personal data (paragraph 50 et seq. of the judgment). The municipal court therefore provided a sufficiently verifiable statement
your opinion on this contentious issue. The very fact that he did not express himself

to the complainant's reference to commentary literature, does not cause his inexplicability
judgment. In addition, in the present case, the municipal court expressly stated in the judgment that the measure
which the complainant considered sufficient to fulfill the obligation (interview with the
who looked into the database) is not considered sufficient. Inexplicability is not a manifestation
the complainant's unfulfilled subjective ideas about how detailed the judgment should be
justified, but an objective obstacle which prevents the Court of Cassation from examining the contested
decisions (cf. judgments of the Supreme Court of 28 February 2017, ref. 3 Azs 69/2016 - 24, and of 27 September 2017,
Ref. 4 As 146/2017 - 35). The applicant's disagreement with the reasoning and conclusions of the judgment under appeal
at the same time it does not cause its unexamination (see, for example, the judgments of the SAC of 12 November 2013,

Ref. 2 As 47 / 2013- 30, or dated 29 April 2010, ref. 8 As 11/2010 - 163).

              III. 2. Incorrect interpretation of § 13 par. 4 let. c) of the Personal Data Protection Act

[11] The complainant first argued that the municipal court had misinterpreted § 13 para. c) of the Act
on the protection of personal data.

[12] The complainant was found guilty by a decision of the defendant for violating Section 13 (1) of the Act

on the protection of personal data. He was to do this by two acts: a) by keeping his audit records
(logs) in the hospital information system did not make it possible to identify and verify why
the electronic medical records were inspected, which also violated § 13 par. 4 let. C)
the Personal Data Protection Act; and (b) that the complainant did not carry out regular access checks
to electronic medical records.

[13] According to Article 13 (1) of the Personal Data Protection Act, the controller and the processor are obliged to accept
measures to prevent unauthorized or accidental access to personal data, to their personal data

alteration, destruction or loss, unauthorized transfers, their other unauthorized processing, as well as
misuse of personal data. This obligation applies even after the processing of personal data has ended.

[14] According to § 13 par. c) of the Personal Data Protection Act is in the field of automated
the controller or processor shall also be obliged to acquire the processing of personal data within the framework of the measures referred to in paragraph 1
electronic records that make it possible to identify and verify when, by whom and for what reason personal data were recorded
or otherwise processed.



[15] The complainant considers that the cited provisions do not imply an obligation to
the reason for recording or other processing of personal data was included in the electronic record (log)
data, but it is sufficient for this reason to be ascertainable. However, we cannot agree with that. He could be
explicit purely grammatical interpretation of § 13 par. 4 let. c) of the Personal Data Protection Act
to complain of the complainant, the municipal court correctly proceeded from the meaning of the cited provision
and evaluated the established obligation in the context of the entire § 13 of the Personal Data Protection Act.

He also referred, where appropriate, to the judgment of the Supreme Court of 30 January 2013, ref. 7 As 150/2012 - 35, in which
The SAC explicitly stated that the so-called logs according to § 13 par. c) of the Personal Data Protection Act
are "records of who, when and for what reason recorded or otherwise processed personal data".
Only such a record, which contains information not only about who and when personal data
processed, but also the reason for this processing, is then able to fulfill the meaning of the law on protection
personal data, as only then can it be traceable and verifiable “who, when, how
and why "it processed personal data in the information system. Such a requirement is also high
preventive effect against the misuse of data from the information system, because everyone with it

legally working, must be aware that it is possible to retrospectively verify who, when and in what way
worked with the information system, and whether this was done legitimately. As stated by the NSS in the above
 judgment no. 7 As 150/2012 - 35: "any person who unlawfully manipulates data contained in a system
who processes them automatically must be aware that her actions may be aided by such a record
traced and detected '.

[16] The NSS therefore identifies with the municipal court that it is already in the electronic record itself
(log) the reason for recording or processing personal data must be included. Complainant's voucher

the possibility of conducting a follow-up interview with the employee who accessed the database,
and thus find out the reason for his approach, he cannot succeed, because he does not respect the wording of § 13 par. C)
of the Personal Data Protection Act or the meaning of the personal data protection legislation. In such
In this case, it is not possible to carry out a proper interim or ex-post check to see if it has not taken place
to unauthorized access to the database.

[17] The complainant's reference to the commentary on the law cannot change anything in the above
on the protection of personal data. The conclusion of the municipal court does not contradict the commentary.

If the comment admits the fulfillment of the obligation enshrined in § 13 par. 4 let. c) of the Protection Act
personal data also "in combination with appropriate organizational measures", the complainant no such
does not mention an appropriate organizational measure that would be eligible to be met. Subsequent
an interview with the person who looked at the database is not such a measure. Certainly you have to agree
with the complainant that the legitimacy of the reason for processing personal data must be verified
the administrator himself, in principle on the basis of data provided by the person who personally
accessed the data. However, this person must state the reason for looking at the database
immediately before or shortly before access to personal data. You can't agree to do that

the reason shall be stated only during the subsequent inspection, which may be carried out many months after such
approach. First of all, he may no longer remember the specific reason at all (especially in situations where he views
into the information system often, as is certainly the case for the complainant's staff), in addition
the above-mentioned preventive effect is not fulfilled here. In this case, it was not inadmissible
expanding interpretation of § 13 par. 4 let. c) of the Personal Data Protection Act.

                               III. 3. Application of incorrect legislation


                                               A)
[18] The complainant disagrees with the City Court's assessment of which legislation was for him
more favorable. First of all, he considers that the defendant should have applied the regulation and not the law of protection
personal data.


[19] The Municipal Court ruled in favor of the complainant that in assessing which legislation
is more favorable to offenders, it is not possible to limit oneself to comparing criminal rates, but it is necessary

assess the specific case in advance in accordance with all the provisions of the old and new legislation
and then with regard to all the provisions on the conditions of criminal (here misdemeanor) liability
(also to the reasons for its termination) and punishment (also to the possibility of conditional sentence, waiver
from punishment, etc.) to consider which is more favorable (judgment of the Supreme Court of 5 June 2018,
Ref. 4 As 96/2018 - 45). Thus, even if the municipal court found the defendant's approach, which he considered only
penalty rates, defective in this respect, agreed with the conclusion on the application of the law on protection
personal data.


[20] According to the Municipal Court, although the regulation contained in the Regulation does not explicitly
which would correspond to § 13 par. 4 let. c) of the Personal Data Protection Act, however
this obligation can be deduced from Article 32 of the Regulation. This provision regulates the obligation of administrators
and processors to secure personal data by means of appropriate technical and organizational measures,
among which, according to the municipal court, the obligation to ensure due diligence could also be included
protection of personal data so that they cannot be accessed without giving a reason. Municipal Court
to this he also referred to the judgment of the Supreme Court of 27 June 2019, ref. 4 As 140/2019 - 27, which he assessed
the relationship between Section 13 (1) of the Personal Data Protection Act and Article 32 of the Regulation.


[21] According to Article 32 of the Regulation, taking into account the state of the art, implementation costs, nature, scope,
context and purposes of the processing, as well as risks of rights and freedoms of varying probability and severity
natural persons, the controller and the processor shall take appropriate technical and organizational measures to ensure the level
security corresponding to the given risk, then there is an illustrative list of security methods
and the provision that, in assessing the appropriate level of safety, particular account shall be taken of the risks it poses
processing, in particular accidental or unlawful destruction, loss, alteration, unauthorized disclosure
personal data transmitted, stored or otherwise processed, or unauthorized access to them.


[22] In the present case, the complainant was found guilty of a misdemeanor
according to § 45 par. 1 let. h) of the Personal Data Protection Act, according to which the offense is committed
one who, as controller, does not take or implement measures to ensure the security of the processing of personal data
(§ 13). According to the statement of the contested decision of the defendant, the complainant violated § 13 par. 1 of the Act
on the protection of personal data (the obligation to take measures to prevent unauthorized
or accidental access to personal data, to their alteration, destruction or loss, to unauthorized transfers, to their
other unauthorized processing as well as other misuse of personal data) by: (a) audit trails
(logs) in the hospital information system did not make it possible to identify and verify why it was

and (b) the complainant did not carry out regular inspections
access to electronic medical records.

[23] In the present case, the complainant was therefore found guilty of violating Section 13 (1) of the Act
on the protection of personal data, which it committed in two separate negotiations. It doesn't matter
of them (missing reasons for inspection in audit records) can also be subordinated to § 13 par. 4
letter c) of the Personal Data Protection Act, the defendant with regard to the conduct of the other (failure to implement
regular inspections) found that by both acts the complainant had violated the more general § 13 para. 1

of the Personal Data Protection Act. It does not change the fact that the defendant's reasoning in the decision
he also mentioned the violation of § 13 par. 4 let. c) of the Personal Data Protection Act (which, moreover,
directly refers to § 13 par. 1), because the statement of the decision, which is binding and enforceable,
found only a violation of § 13 paragraph 1 of this Act. Just in relation to the last one quoted
the provision which the complainant is found to be in breach of must then be determined whether it is later
legal regulation more favorable for the complainants.


[24] As the Municipal Court rightly stated in the judgment under appeal, the SAC has already considered this issue
and in the judgment no. 4 As 140/2019 - 27 concluded that Article 32 of the Regulation is not relevant
to § 13 par. 1 of the Personal Data Protection Act by a more favorable regulation (paragraphs 25 et seq. of the judgment).
It is therefore not decisive that Article 32 of the Regulation does not contain such specific requirements as Paragraph 13 (4)
letter c) of the Personal Data Protection Act, but whether the adjustment of obligations under Article 32 of the Regulation
corresponds to the regulation stipulated in § 13 par. 1 of the Personal Data Protection Act. That's right
according to the NSS it is also. Both provisions regulate the obligation of the controller and the processor of personal data

ensure adequate personal security through appropriate technical and organizational measures
data against unauthorized disclosure or access. Being doing so in different words can't be minor
interpret the differences of wording in such a way that the regulation places in contrast to the Personal Data Protection Act
lower requirements for the controller or processor of personal data and that this is a legal regulation
more favorable, as the complainant considers.

[25] The SAC therefore agrees with the Municipal Court that the defendant did not err in concluding that
that the Regulation was not more favorable to the complainant.


                                               B)

[26] The complainant also argues that the municipal court should have applied the law when assessing the sanction
on the processing of personal data, as it did not allow for the imposition of a sanction for an administrative public penalty
entity (Section 62 (5) of the Personal Data Processing Act in conjunction with Article 83 (7) of the Regulation).

[27] As stated by the Enlarged Senate of the SAC in the resolution of 16 November 2016, ref. 5 As 104/2013 - 46,

if the regional court decides in the administrative judiciary on an action against the decision of the administrative body, which was
guilt and punishment for an administrative offense in a situation where the law that was applied was final
administrative decision is amended or repealed, it shall take into account the principle expressed in the second sentence of Article 40 (6).
The Charter of Fundamental Rights and Freedoms, according to which the criminality of an act is assessed and the sentence is imposed in accordance with the law,
which came into force only after the crime has been committed, if it is more favorable for the offender.

[28] In this case, the judgment of the municipal court was issued on 20 May 2020. Protection Act
personal data was abolished with effect from 24 April 2019 by the Personal Data Processing Act

which entered into force on the same day. If only the law on personal data processing
more favorable to the applicant, the municipal court had a duty to assess the legality of the sentence
follow this law.

[29] Pursuant to Section 62 (5) of the Personal Data Processing Act, the defendant waives storage
administrative penalty also in the case of controllers and processors referred to in Article 83 (7) of the Regulation.

[30] Pursuant to Article 83 (7) of the Regulation, each Member State may lay down rules concerning

whether and to what extent administrative fines can be imposed on public authorities and public bodies
established in that Member State.

[31] In the present case, the complainant committed an offense under § 45 para. h)
of the Personal Data Protection Act, which consisted of failing to take or implement security measures
security of personal data processing (§ 13). It corresponds to this offense in the new legislation
offense according to § 62 par. 1 let. a) of the Act on the processing of personal data in connection
with Article 32 of the Regulation.


[32] Pursuant to Section 62 (5) of the Personal Data Processing Act, in conjunction with Article 83 (7)
the regulation, the defendant waives the imposition of an administrative penalty in the case of controllers and processors,
which is a public authority and a public body. The SAC has reached the same conclusion in its judgment
of 11 February 2020, Ref. 4 As 376/2019 - 31, as well as a commentary on the Personal Data Processing Act:
"If a public authority or public body commits an offense, the Office shall waive the imposition of an administrative penalty.
(see Vlachová, B., Maisner, M. Personal Data Processing Act. Comment. C. H. Beck,

Prague, 2019, p. 131).

[33] However, who means a public body within the meaning of this provision is the law
on the processing of personal data or the regulation. It is clear from the nature of the matter that such
The body will normally be established by law and be designated to perform tasks in the public interest (otherwise
has not been described as public) and at the same time will not dispose of its own property, but will
financed from public budgets (similarly cf. the above-cited judgment of the Supreme Court)
Ref. 4 As 376/2019 - 31). On the contrary, it will be fundamentally undecided whether it is a public institution within the meaning of

of the Act on Free Access to Information or by the contracting authority pursuant to the Procurement Act
public procurement, or whether it keeps medical records.

[34] Without the NSS now having the notion of a public entity within the meaning of § 62 para. 5 of the Act
on the processing of personal data, it can be clearly concluded that the complainant such
is not a public body.

[35] The complainant is a public limited company with its own assets and management. It is possible

agree that it is "mainly financed by public health insurance funds".
However, such financing cannot be considered as financing from public budgets. Complainant
as a hospital (joint stock company) it does not receive funding for its operation and functioning
directly from public budgets, but receives them in return for specific actions and patients,
which it "reports" to health insurance companies. After all, any other is financed in the same way
entity providing medical care (private hospital or private doctor). So to be a complainant
Provides health care that is certainly in the public interest, is a joint stock company that is not
financed from public budgets. It is thus not a public body with which the defendant would have
according to § 62 par. 5 of the Personal Data Processing Act to decide on the waiver of punishment.

Thus, the Municipal Court did not err if it did not apply the law on personal data processing,
as this is not more favorable to the complainant.


                                IV. Conclusion and costs of the proceedings

[36] The complainant's objections were unfounded, so the SAC rejected the cassation complaint.


[37] The complainant was unsuccessful in this case and is therefore not entitled to compensation
costs of the appeal proceedings. The defendant shall not incur any costs in excess of his normal official duties
activities did not arise.


Instruction: Appeals against this judgment are inadmissible.



                                  Done at Brno, 25 February 2022

                                                                        Ondřej Mrákota
                                                                         President of the Senate
  1. § 13(4)(c) stipulates that the controller must "keep electronic records that make it possible to identify and verify when, by whom and for what reason personal data were recorded or otherwise processed".