Decision of Czech Supreme Administrative Court regarding data breach

Dec 20, 2021

In its judgment No. 1 As 238/2021 of 11 November 2021, the Czech Supreme Administrative Court addressed the question of whether liability for a data breach is absolute under Czech law. Although the case was decided under the rules of the former Directive 95/46/EC, the court held that its conclusions apply equally under the GDPR. The case concerned a leak of hundreds of thousands of personal data records from a large Czech e-shop.

The Czech DPA fined the e-shop's owner for this leak, even though the e-shop claimed to have implemented all security measures that were available and reasonable at the time. The Municipal Court in Prague upheld the DPA's decision, but the Supreme Administrative Court overturned that judgment. According to the Supreme Administrative Court, the Municipal Court had treated as decisive whether a data breach had occurred and, consequently, whether the e-shop had detected the misuse of personal data in time. Since it had not, the Municipal Court saw no need to examine the quality of the security measures the e-shop had taken. In other words, in the Municipal Court's view, the fact that the e-shop neither protected the personal data nor detected the theft in time made it clear, without further inquiry, that its measures were insufficient.

The Supreme Administrative Court rejected this approach. According to the Court, a controller or processor cannot foresee every scenario that may occur. The e-shop should, of course, have foreseen the risk of cyber attacks and should have taken reasonable measures against them. That does not mean, however, that the controller had to be able to defend itself against any attack whatsoever. It can hardly be expected that the security measures taken will always be strong enough to repel every possible cyber attack, including a sophisticated and targeted one.

The decision is available (in Czech) here.
