Decision of Czech Supreme Administrative Court regarding data breach

Dec 20, 2021

In its judgment No. 1 As 238/2021 of 11.11.2021, the Czech Supreme Administrative Court addressed the question of whether liability for a data breach is absolute under Czech law. Although the case was decided under the rules of the old Directive 95/46/EC, the court held that its conclusions can also apply under the GDPR. The case involved a leak of hundreds of thousands of data records from a large Czech e-shop.

The Czech DPA fined the e-shop's owner for this leak, even though the e-shop claimed to have implemented all reasonable security measures available at the time. Although the Municipal Court in Prague upheld the DPA's decision, the Supreme Administrative Court overturned that judgment. According to the Supreme Administrative Court, the Municipal Court had treated as decisive whether a data breach had occurred and, consequently, whether the e-shop in question had detected the misuse of personal data in time. Since it had not, the Municipal Court in Prague saw no need to examine the quality of the security measures the e-shop had taken. In other words, if the e-shop did not protect the personal data and did not detect the theft in time, then, in the Municipal Court's view, it was clear without further inquiry that the measures taken by the e-shop were insufficient.

The Supreme Administrative Court rejected this approach. According to the Court, a controller or processor cannot foresee every potential scenario that may occur. The e-shop should, of course, have foreseen the risk of cyber attacks and should have taken reasonable measures against them. However, this does not mean that the controller had to be able to defend itself against any attack whatsoever. It can hardly be expected that the security measures taken will always be strong enough to repel every possible cyber attack, even a sophisticated and targeted one.

The decision is available (in Czech) here.
