L&E Global

Czech Republic: Seemingly Trivial Flaws in Privacy Policies Do Matter

The Czech Data Protection Authority inspected a company’s data processing activities and identified discrepancies between the information presented in privacy policies and the reality of the situation. In sections devoted to providing information on recipients of personal data, the company published a list of processors, but by reviewing the respective contracts between the company and those alleged processors, the Data Protection Authority discovered that they were actually controllers.

Although confusing a controller and a processor in a privacy policy might seem irrelevant with respect to security of data or the data subject’s right to privacy, this rather formal mistake was evaluated by the Data Protection Authority as a violation of Article 12(1) GDPR, i.e., the obligation to “provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language”. As a consequence, the Data Protection Authority imposed a fine of approx. €1000 on the company.

Although the penalty was more a symbolic gesture than anything else, it shows the increasing tendency of the Data Protection Authority not to tolerate even minor infringements. Businesses should therefore pay attention to all of the GDPR requirements, including the transparency principle, which, if observed properly, should serve as a showcase of up-to-date and accurate data processing activities. This is no less true for employment-related data processing, which is the sign of an honest relationship between an employer and its workers.

Key Action Points for Human Resources and In-house Counsel 

“Privacy policy is the climax of everything the company does with personal data” – the decision to penalise errors in a privacy policy reveals the obvious: it is necessary to correctly design all of the processing activities, think about the objectives, reasons and intentions behind each pursuit, consider the engagement of processors and other recipients of data; then, once the scheme meets all of the GDPR requirements, the next step will be to describe it properly in privacy notices and policies.