Czech regulator's plans for 2016 in the area of personal data

15.03.2016

At the end of this January, the Office for Personal Data Protection (the “Office”) issued a press release outlining the activities on which it will focus in 2016. This report may be of interest to specific groups of entrepreneurs, since they have to “keep their eyes peeled” to ensure that their activities comply with personal data protection requirements. It may also be useful to reflect on this issue thoroughly now, since we may expect fundamental changes in this area in the upcoming months and years.

According to its press release, the Office will focus this year primarily on those areas of personal data processing that may involve a higher level of risk. Such areas undoubtedly include cloud computing, which is quite problematic, especially as regards cross-border transfers of personal data.

Data processed by public administration bodies will also be inspected in order to establish whether personal data processed in statutory databases are being used for other purposes. This might be of particular importance to private entities working for public administration bodies. The Office also intends to check the processing of biometric data, which are subject to a special legal regime. The press release also notes that the Office intends to check 16 entities from various industries, including a selected municipality, entities engaged in educational and archiving services, and a selected operator providing services in the field of tourism.

The statistics show that the protection of personal data is far from insignificant, as evidenced by the number of complaints and suggestions raised last year, which exceeded four thousand. One of the reasons may be the constantly increasing public awareness of this area. Unlawful processing or use of personal data can be quite costly: some of the fines imposed last year amounted to more than a million Czech crowns. Entities administering personal data should therefore not underestimate the compliance requirements imposed on their activities.