The Supreme Administrative Court has issued an interesting decision that shows its approach towards the disposal/destruction of personal data by a third party, as instructed by the data controller. In the given case, a town entered into a contract with a private company regarding the disposal/destruction of identification cards and driving licences. The private company did not meet its obligations under the contract and some of the personal documentation was found at a public waste dump.

The Czech data protection office imposed a fine on the town for breaching its duty as a data controller to adopt all possible measures to ensure that personal data cannot be accessed, changed, eliminated, lost, transferred or misused, whether without authorisation or by chance.

Consequently, the courts (the Municipal Court in Prague as well as the Supreme Administrative Court) concluded that a data controller cannot release itself from a statutory duty to protect personal data simply by entering into a contract with a private entity. The courts also confirmed that the mere possibility that personal data could be endangered is sufficient for a data controller to be deemed derelict in its duties. This means that a breach can be committed even if no actual unauthorised disposal of personal data has yet happened.

Where organisations operating in the Czech Republic engage any subcontractors, they should be satisfied that the subcontractors will not cause them to be in breach of their obligations as a data controller. This decision makes clear that organisations will remain responsible for any data over which they are a data controller.

The full text of the decision can be accessed here (Czech).

Submitted by Eva Novakova, Katerina Bardonova and Michaela Remešová of JSK Law – Prague, Czech Republic in partnership with DAC Beachcroft