16 December 2016

Following a freedom of information request, the Office for Personal Data Protection in the Czech Republic (the "Office") published all decisions it issued in the period from 1 January 2014 to 1 November 2016 concerning penalties imposed on entrepreneurs (legal entities or individuals) for breaches of Act No. 101/2000 Coll., on the Protection of Personal Data (the "Data Protection Act").

Most notably, the Office published decision No. UOOU-07097/16-27 of 10 August 2016 regarding an incident of unauthorised or accidental access to an internal client database (the "Decision"). In the Decision, T-Mobile Czech Republic ("T-Mobile"), as data controller, was held responsible for a breach of the Data Protection Act arising from a leak of client data following the theft of that data by an employee who held access rights to the client database. The Office concluded that the technical measures adopted by T-Mobile had not properly prevented the employee from copying data from the client database to portable data media or sending it via email. The theft of client data was a direct consequence of these inadequate measures. The Office also considered the mitigating and aggravating circumstances that influenced the final penalty amount.

The Office considered the following facts as mitigating circumstances:

  • T-Mobile adopted preventative measures (primarily, it restricted employees' ability to transfer client data to external media and re-trained all employees);
  • T-Mobile had already adopted a number of data protection measures; and
  • the leak was a direct consequence of a criminal offence committed by the employee involved.

It should be noted that over 1 million clients were affected by the leak and, for this reason, a higher penalty was imposed. As a result, the penalty imposed by the Office for this breach amounted to CZK 3,600,000 (approx. EUR 133,000) out of a maximum of CZK 10,000,000 (approx. EUR 370,000).

The full text of the Decision can be accessed here (in Czech).

Submitted by Michaela Remešová, Zuzana Hebká, Eva Novakova and Katerina Bardonova of JŠK, advokátní kancelář, s.r.o. – Prague, Czech Republic