Cities and municipalities in the Czech Republic have approached the obligations arising from the right to the protection of personal data differently. If we look away from those who have only formally secured DPOs position and rely on the absence of fines, we come to a smaller group of those with an honest approach and a genuine effort to secure a range of responsibilities. But they often fail in many situations.
In our practice, we often encounter the reluctance of information system suppliers. The vast majority of them do not understand much about personal data protection, have no legal background and rely on the fact that until now, no city or municipality asked anything similar. At best, they offer a pre-prepared formal processing contract, which, however, usually lacks a number of GDPR obligations. Very often they also forget about the proper regulation of liability for damage or try to limit their liability. The very first question of identification of the nature of processing operations, ie: whether or not they are processing or controlling operations, is often the subject of months of discussions. In the event of problems, cities do not get the cooperation needed. It is thus only possible to terminate the existing contractual relations and secure a new system supplier. However, the problem is that such changes are often organisationally, legally and practically very demanding. In addition, there is often a lack of sufficient competition in the market. In some cases, there is a project financed by grants, where there is no other possibility – based on the reluctance of the processor/controller to solve problems – than to terminate it. The external or internal data protection officers thus get into trouble, because during almost every action/inspection he or she encounters shortcomings and reluctance on the side of the city’s suppliers. And these cities are subsequently disproportionately burdened by the “longing” of suppliers towards person of their DPO. In the end, the DPOs gradually come to the conclusion that it is better to stick to the maxim – whoever does nothing, will not spoil anything. By being inactive, they will not cause difficulties for themselves. Those who are more ingenious keep issuing opinions on individual information systems, where they describe legal shortcomings and submit them to the controller in order to meet their obligations, at least to a minimum amount. Cities put these opinions into a drawer and so the show goes on.
The reader of this article could ask about suppliers of which information systems are we talking. We have experience with suppliers of library systems, client profiles, Smart Cities Systems, systems designed for informing citizens via SMS messages, school registers, suppliers of information systems used for state file service management, etc. Cities rarely find a supplier with whom they have very positive cooperation. The question is, what about that? Cities have only minimal space and willingness to address this issue. Double, when they do not need to fear that they could face a fine for breach of data protection obligations. Suppliers rely on the fact that cities cannot receive a fine, so there will be no damage to compensate….
P.S. The GDPR Conference, with a panel discussion focused on public administration, which will take place on October 6, 2022 in Prague, will focus on these and similar topics. The Czech Data Protection Association organises the conference.
Author: Bc. Radek Kubíček, MBA works as a DPO with a focus on public administration. He is a member of the expert commission for public and state administration, commission for education of Czech Data Protection Association, and founder of the “Safe public authority” and “Safe Organization” project.