Supervisory and Control Activities of the Office for Personal Data Protection for the second half of 2020

We would like to inform you that the Office for Personal Data Protection (“Office”) has published an overview of its supervisory and control activities for the second half of 2020 on its websites. Below, please find a summary of the Office’s most important conclusions and statements therefrom. All records of the inspections performed for the above time-period may be found on the Office’s websites here: Kontrolní činnost v oblasti ochrany osobních údajů – 2. pololetí: Kontroly za rok 2020: Úřad pro ochranu osobních údajů (uoou.cz).

Verification of Identity and Making Copies of Identity Cards

As part of the inspection carried out (UOOU-02511/19), the Office stated that for the processing of personal data for the purposes of obtaining a copy of the data subject’s identity card and verifying the identity of the data subject, the consent of the data subject pursuant to Article 6 (1) (a) of the GDPR is required, which must comply with the formal and material requirements set in Articles 4 (11) and 7 of the GDPR (free and informed consent, which the controller is able to provide as evidence, etc.). The Office also reiterated that the personal data processed may be stored only for the necessary time-period and only to the extent necessary in relation to the purpose of the processing of such data.

Processing of Personal Data in Direct Marketing

As part of the inspections carried out (UOOU-00660/20 and UOOU-03074/20), the Office stated that for the processing of personal data in direct marketing, the conclusion of an appropriate agreement between the controller and the processor of such personal data is required, whereas such agreement may not be used to process personal data for another controller. The Office also reiterated that such processing of personal data cannot be based solely on Article 6 (1) (f) of the GDPR (i.e. processing is necessary for the purposes of the legitimate interests of the relevant controller or a third party) as, in the opinion of the Office, it is not a legitimate title to the processing of personal data in direct marketing.

Biometrics in Document Signing

As part of the inspection carried out (UOOU-09654/18), the Office stated that the collection and storage of dynamic biometric signatures in connection with the conclusion of written agreements constitutes a breach of Article 5 (1) (c) of the GDPR (i.e. the violation of the principle of minimizing the processing of personal data). Regarding this, the Office pointed out the fact that neither the Civil Code nor any special legal regulation requires the dynamic biometric signature for the validity of legal acts in writing. The collection and storage of such signatures are thus not necessary for the purposes of concluding and storing the contractual documentation as a simple image of the data subject’s signature on the dematerialized contractual documentation is sufficient.

Consent to the Processing of Personal Data in the State of an Emergency Related to the Occurrence of the Coronavirus

As part of the inspection carried out (UOOU-01419/20), the Office stated that the legal title for the processing of personal data defined in Article 6 (1) (d) of the GDPR (i.e. the processing is necessary for the protection of the vital interests of the data subject or another natural person) cannot be automatically accepted as a legitimate legal title for such processing of personal data simply because a state of emergency has been declared in connection with the occurrence of the Coronavirus, respectively, that such legal title cannot automatically replace the data subject’s consent to the processing of personal data pursuant to Article 6(1) (a) of the GDPR. Within such state of emergency, it is thus still necessary to comply with all provisions of the GDPR, in particular, the information obligations of the personal data controller pursuant to Articles 13 and 14 of the GDPR.

Keeping Records of Access to Personal Data

As part of the inspection carried out (UOOU-02100/20), the Office stated that keeping records of the controller on access to personal data of data subjects is not stated in the GDPR as an obligation of the controller, but such conduct is considered standard part of the protection of personal data. The Office further pointed out that the choice of the controller not to keep such records leads to greater responsibility for the measures taken to secure personal data. Therefore, in the event of unauthorized access to or misuse of personal data, when the controller is not able to prove who, when and for what purpose accessed the personal data, the controller is fully liable for any unlawful consequences.

Processing of Personal Data on Websites in the Form of Flipping Data from Public Registers

As part of the inspection carried out (UOOU-00196/20), the Office stated that simple flipping personal data from publicly accessible registers (e.g. ARES, commercial register, etc.) to other websites constitutes a breach of the relevant provisions of the GDPR, as the disclosing entity does not have any legal title to such conduct (the legal title referred to in Article 6 (1) (f) of the GDPR cannot be applied in such situation). The Office also pointed out that in the case of simple flipping of personal data, the controller insufficiently fulfils its information obligation towards data subjects (mere publication of information on the website cannot be considered as fulfilment of the information obligation).

Publication of Photographs of Employees on Employer’s Websites

As part of the inspection carried out (UOOU-03225/19), the Office stated that the legal title for the publication of a photograph of an employee, in general, may also be the legitimate interest of the controller as defined in Article 6 (1) (f) the GDPR, but only if the controller actually demonstrated a legitimate interest in the processing of such personal data which would override the interests or fundamental rights and freedoms of the data subject. Therefore, if the controller publishing the photographs of the employees does not duly prove another legal title to such processing of personal data, such activity may take place only with the proper consent of the data subject to such processing.

Use of Cookies

As part of the inspection carried out (UOOU-00374/20), the Office stated that the website administrator is obliged to provide users/visitors of the websites with information on the use of cookies in an easily accessible way so that the users/visitors do not need to actively search for such information.

As part of another inspection carried out (UOOU-00381/20), the Office pointed out that in connection with the processing of cookies, it is necessary to comply with all principles of personal data processing arising from national and European legislation, especially the principle of personal data processing only to the extent necessary and only for the necessary time. If circumstances allow, the controller should also proceed to anonymize or pseudonymize the processed data to the maximum extent possible.

As part of another inspection carried out (UOOU-00350/20), the Office drew attention to the fact that the Czech Republic had insufficiently transposed the amended EU directives, as after changing the regime from OPT-OUT to OPT-IN, the Czech legislator continued to work with the OPT-OUT regime, i.e. with the regime in which the personal data controller has the possibility to process the personal data of data subjects automatically (subject to the condition of proper information) and only implement the subsequently expressed wishes of data subjects not to process their personal data. The Office further stated and reaffirmed that a general consent to the processing of cookies granted through the settings of an internet browser can be considered as consent meeting the defining features pursuant to Article 4 (11) of the GDPR.

In case of any question or comment, please do not hesitate to contact us.