Decision of Czech Supreme Administrative Court regarding data breach

Dec 20, 2021

In its judgment No. 1 As 238/2021 of 11 November 2021, the Czech Supreme Administrative Court addressed the question of whether liability for a data breach is absolute under Czech law. Although the case was decided under the rules of the old Directive 95/46/EC, the court held that its conclusions also apply under the GDPR. The case concerned a leak of hundreds of thousands of personal data records from a large Czech e-shop.

The Czech DPA fined the e-shop's owner for the leak, even though the e-shop claimed to have implemented all reasonable security measures available at the time. The Municipal Court in Prague upheld the DPA's decision, but the Supreme Administrative Court overturned that judgment. As the Supreme Administrative Court read it, the Municipal Court had treated two facts as decisive: that a data breach had occurred, and that the e-shop had consequently failed to detect the misuse of personal data in time. On that basis, the Municipal Court saw no need to examine the quality of the security measures the e-shop had actually taken. In other words, because the e-shop had not prevented the leak and had not detected the theft in time, the Municipal Court considered it clear, without further inquiry, that the measures were insufficient.

The Supreme Administrative Court rejected this approach. A controller or processor, the court held, cannot foresee every scenario that may occur. The e-shop should of course have foreseen the risk of cyber-attacks and taken reasonable measures against them, but this does not mean the controller had to be able to defend itself against any attack whatsoever. It can hardly be expected that the security measures taken will always be strong enough to repel every possible cyber-attack, including a sophisticated and targeted one. Whether the measures taken were reasonable must therefore be assessed on their own merits, not inferred from the mere fact that a breach occurred.

The decision is available (in Czech) here.
