UOOU (Czech Republic) - N/A
UOOU - N/A | |
---|---|
Authority: | UOOU (Czech Republic) |
Jurisdiction: | Czech Republic |
Relevant Law: | Article 6 GDPR Article 13 GDPR Article 35 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | n/a |
Decided: | n/a |
Published: | n/a |
Fine: | 975,000 CZK |
Parties: | Ministry of the Interior |
National Case Number/Name: | N/A |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Czech |
Original Source: | UOOU (in CS) |
Initial Contributor: | Bernardo Armentano |
The Czech DPA imposed a fine of CZK 975,000 (approximately €41,500) on the Czech Ministry of the Interior for the widespread collection of health data of individuals diagnosed with Covid-19 who had been ordered to remain in isolation during the pandemic.
English Summary
Facts
In April 2021, more than 1 year after the beginning of the Covid-19 pandemic, the Police of the Czech Republic began a wide collection of data on the health status of people infected with the coronavirus. The aim was to monitor compliance with isolation orders and prevent the spread of contagion. Until March 2022, sensitive data of approximately 2 million people were processed by the Ministry of the Interior. Upon becoming aware of the fact, the Czech DPA initiated an investigation into possible violations of data protection regulations.
Holding
After its investigation, the Czech DPA concluded that the police carried out a general large scale collection of data, since the activity was not related to specific situations. For this reason, it held that the Ministry of the Interior exceeded its police powers. The DPA emphasized that public powers must be exercised within the limits of the law - a limitation that applies even in extraordinary circumstances such as a pandemic. It recalled that the law that regulates police action in Czech Republic does not authorize the mass collection of sensitive data. Therefore, it held that the data processing lacked a legal basis.
The DPA further emphasized that, even when there is a legal basis for data processing, the controller must comply with its obligations under the GDPR. One of these obligations is to provide adequate information to data subjects so that they can exercise their rights, including the right to object to the processing of their personal data. In the case at hand, the DPA found that the Ministry of the Interior failed to provide sufficient information about data processing.
Finally, the DPA noted that the systematic processing of such a large set of sensitive data requires the performance of a data protection impact assessment under the advice of a data protection officer. This assessment must consider the risks that the processing raises to data subjects and the necessary measures to mitigate these risks. In the DPA's opinion, if the Ministry had carried out this assessment, it would have come to the conclusion that such blanket collection of personal health data should not be performed at all.
Due to the seriousness of the violations and the number of people affected, the DPA imposed a fine of CZK 975,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Czech original. Please refer to the Czech original for more details.
Fine imposed on the Ministry of the Interior of the Czech Republic in the amount of 975,000 CZK for the general processing of data on the persons to whom it was due proven disease of COVID-19 ordered isolation, was the decision of the chairman Office for the Protection of Personal Data confirmed. According to the Office, the case involved approximately 2,000,000 people contracted the disease since April 1 2021 to March 8, 2022. "Organs public authorities may exercise their power only in the manner established by law. This it always applies, that is, even under extraordinary circumstances, including a pandemic. Law on The police of the Czech Republic does not allow the widespread collection of so-called sensitive personal data, including health information. Their area processing carried out additionally without adequate information intended for the persons concerned concerning such data, it can carry with it very serious risks." Jiří stated Kaucký, Chairman of the Office for Personal Data Protection. As the Office for Personal Data Protection discovered, The police collected personal data about the health status of people across the board and preventively regardless of the specific case being investigated. In doing so, however, she overstepped her authority, which the law provides for the handling of this type of personal data[1]. The Office also draws attention to violations of other obligations which should the Police of the Czech Republic comply with in connection with the processing of personal data. In particular, the information obligation was not properly fulfilled in relation to persons whose the data was related to a proven disease of COVID-19 collected and processed. At the same time, sufficient information is essential precisely so that the persons in question can oppose unauthorized handling with their personal data in a timely and adequate manner. Another misconduct that the Office for Personal Protection of the data he found consisted in the omission of two steps foreseen by law, which had the initiation of such an extensive and serious collection of personal data prevent. The police of the Czech Republic should have first carried out a so-called assessment of the impact on protection personal data. Intended method of general collection and processing of health data then she should have discussed the situation with the Office for Personal Data Protection in advance. For these types of personal data processing are determined by law[2] both of these steps as mandatory, primarily for the prevention of risk in persons whose personal data to be processed. The fact that it is not a formality and that the possible effects on it is really necessary to assess the protection of personal data in advance, according to the chairman of the ÚOOÚ evident from this particular case. "If the Police of the Czech Republic took these steps carried out, she would find out in time - either by herself, in assessing her own planned activity, or later in discussion with our office that such blanket the collection of personal health information, according to existing laws, may not perform at all. For the offense for which the fine was imposed, it probably would it didn't have to happen at all," adds Jiří Kaucký, chairman of the Office. Information about the health status of persons in the context with the disease of COVID-19, the police did not start collecting until April 2021, that is more than a year after the outbreak of the pandemic. "So it cannot be said that it is about execution preparatory steps, consisting of an assessment of the legal framework and potential risks the planned collection of this data, there was not enough time," he states Chairman of the Office for Personal Data Protection. There was a fine for a breach of privacy in this case possible to grant to the Ministry of the Interior as a public authority[3]. Personal data were processed here for the purpose of preventing, searching and detecting crimes activities regulated by Title III. of the Personal Data Processing Act. Such processing of personal data therefore falls under the so-called criminal law regime Directive[4]. And here - unlike processing of personal data in the GDPR regime - imposing penalties on the public does not exclude subjects. For breaching the duties of the governing body in the Title III regime. of the Personal Data Processing Act is possible impose a fine of up to CZK 10 million. “Due to the seriousness of what was discovered misconduct, to the number of persons whose data was processed and to others the assessed amount of 975,000 crowns is completely reasonable given the circumstances of the case," concludes Jiří Kaucký. [1] Law no. 273/2008 Coll., on the Police of the Czech Republic [2] Law no. 110/2019 Coll., on the processing of personal data; specifically, Title III of this Act [3] On unlike personal data processing offenses under the GDPR where public authorities cannot be punished [4] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, on for the protection of natural persons in connection with the processing of personal data by those concerned authorities for the purpose of prevention, investigation, detection or prosecution of crimes or execution of sentences, on the free movement of such data and on the cancellation of the framework Council Decision 2008/977/JHA