UOOU (Czech Republic) - N/A

From GDPRhub
Authority: UOOU (Czech Republic)
Jurisdiction: Czech Republic
Relevant Law: Article 6 GDPR
Article 13 GDPR
Article 35 GDPR
Type: Investigation
Outcome: Violation Found
Started: n/a
Decided: n/a
Published: n/a
Fine: 975,000 CZK
Parties: Ministry of the Interior
National Case Number/Name: N/A
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Czech
Original Source: UOOU (in CS)
Initial Contributor: Bernardo Armentano

The Czech DPA imposed a fine of CZK 975,000 (approximately €41,500) on the Czech Ministry of the Interior for the widespread collection of health data of individuals diagnosed with Covid-19 who had been ordered to remain in isolation during the pandemic.

English Summary


In April 2021, more than 1 year after the beginning of the Covid-19 pandemic, the Police of the Czech Republic began a wide collection of data on the health status of people infected with the coronavirus. The aim was to monitor compliance with isolation orders and prevent the spread of contagion. Until March 2022, sensitive data of approximately 2 million people were processed by the Ministry of the Interior. Upon becoming aware of the fact, the Czech DPA initiated an investigation into possible violations of data protection regulations.


After its investigation, the Czech DPA concluded that the police carried out a general large scale collection of data, since the activity was not related to specific situations. For this reason, it held that the Ministry of the Interior exceeded its police powers. The DPA emphasized that public powers must be exercised within the limits of the law - a limitation that applies even in extraordinary circumstances such as a pandemic. It recalled that the law that regulates police action in Czech Republic does not authorize the mass collection of sensitive data. Therefore, it held that the data processing lacked a legal basis.

The DPA further emphasized that, even when there is a legal basis for data processing, the controller must comply with its obligations under the GDPR. One of these obligations is to provide adequate information to data subjects so that they can exercise their rights, including the right to object to the processing of their personal data. In the case at hand, the DPA found that the Ministry of the Interior failed to provide sufficient information about data processing.

Finally, the DPA noted that the systematic processing of such a large set of sensitive data requires the performance of a data protection impact assessment under the advice of a data protection officer. This assessment must consider the risks that the processing raises to data subjects and the necessary measures to mitigate these risks. In the DPA's opinion, if the Ministry had carried out this assessment, it would have come to the conclusion that such blanket collection of personal health data should not be performed at all.

Due to the seriousness of the violations and the number of people affected, the DPA imposed a fine of CZK 975,000.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Czech original. Please refer to the Czech original for more details.

Fine imposed on the Ministry of the Interior of the Czech Republic in the amount of 975,000

CZK for the general processing of data on the persons to whom it was due

proven disease of COVID-19 ordered isolation, was the decision of the chairman

Office for the Protection of Personal Data confirmed. According to the Office, the case involved

approximately 2,000,000 people contracted the disease since April 1

2021 to March 8, 2022.


public authorities may exercise their power only in the manner established by law. This

it always applies, that is, even under extraordinary circumstances, including a pandemic. Law on

The police of the Czech Republic does not allow the widespread collection of so-called sensitive personal data,

including health information. Their area

processing carried out additionally without adequate information intended for the persons concerned

concerning such data, it can carry with it very serious risks." Jiří stated

Kaucký, Chairman of the Office for Personal Data Protection.

As the Office for Personal Data Protection discovered,

The police collected personal data about the health status of people across the board and preventively

regardless of the specific case being investigated. In doing so, however, she overstepped her authority,

which the law provides for the handling of this type of personal data[1].

The Office also draws attention to violations of other obligations which

should the Police of the Czech Republic comply with in connection with the processing of personal data.

In particular, the information obligation was not properly fulfilled in relation to persons whose

the data was related to a proven disease of COVID-19

collected and processed. At the same time, sufficient information is essential

precisely so that the persons in question can oppose unauthorized handling

with their personal data in a timely and adequate manner.

Another misconduct that the Office for Personal Protection

of the data he found consisted in the omission of two steps foreseen by law,

which had the initiation of such an extensive and serious collection of personal data

prevent. The police of the Czech Republic should have first carried out a so-called assessment of the impact on protection

personal data. Intended method of general collection and processing of health data

then she should have discussed the situation with the Office for Personal Data Protection in advance. For these

types of personal data processing are determined by law[2]

both of these steps as mandatory, primarily for the prevention of risk in persons whose

personal data to be processed.

The fact that it is not a formality and that the possible effects on

it is really necessary to assess the protection of personal data in advance, according to the chairman of the ÚOOÚ

evident from this particular case. "If the Police of the Czech Republic took these steps

carried out, she would find out in time - either by herself, in assessing her own planned activity,

or later in discussion with our office that such blanket

the collection of personal health information, according to existing laws,

may not perform at all. For the offense for which the fine was imposed, it probably would

it didn't have to happen at all," adds Jiří Kaucký, chairman of the Office.

Information about the health status of persons in the context

with the disease of COVID-19, the police did not start collecting until April 2021, that is

more than a year after the outbreak of the pandemic. "So it cannot be said that it is about execution

preparatory steps, consisting of an assessment of the legal framework and potential risks

the planned collection of this data, there was not enough time," he states

Chairman of the Office for Personal Data Protection.

There was a fine for a breach of privacy in this case

possible to grant to the Ministry of the Interior as a public authority[3].

Personal data were processed here for the purpose of preventing, searching and detecting crimes

activities regulated by Title III. of the Personal Data Processing Act.

Such processing of personal data therefore falls under the so-called criminal law regime

Directive[4]. And here - unlike

processing of personal data in the GDPR regime - imposing penalties on the public

does not exclude subjects.

For breaching the duties of the governing body

in the Title III regime. of the Personal Data Processing Act is possible

impose a fine of up to CZK 10 million. “Due to the seriousness of what was discovered

misconduct, to the number of persons whose data was processed and to others

the assessed amount of 975,000 crowns is completely reasonable given the circumstances of the case,"

concludes Jiří Kaucký.

[1] Law no.


Coll., on the Police of the Czech Republic

[2] Law no.

110/2019 Coll., on the processing of personal data; specifically, Title III of this Act

[3] On

unlike personal data processing offenses under the GDPR where

public authorities cannot be punished


Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, on

for the protection of natural persons in connection with the processing of personal data by those concerned

authorities for the purpose of prevention, investigation, detection or prosecution of crimes

or execution of sentences, on the free movement of such data and on the cancellation of the framework

Council Decision 2008/977/JHA