Decision of Czech Supreme Administrative Court regarding data breach

Dec 20, 2021

In its judgment No. 1 As 238/2021 of 11.11.2021, the Czech Supreme Administrative Court dealt with the question of whether liability for a data breach is absolute under Czech law. Although the case was considered under the rules of the old Directive 95/46/EC, the court held that its conclusions can also apply to the GDPR. The case involved a leak of hundreds of thousands of data records from a large Czech e-shop.

The Czech DPA fined the e-shop owner for this leak, even though the e-shop claimed to have complied with all reasonable security measures available at the time. Although the Municipal Court in Prague upheld the DPA's decision, the Supreme Administrative Court overturned that judgment. According to the Supreme Administrative Court, the Municipal Court treated as essential only whether there had been a data breach and, consequently, whether the e-shop in question had detected the misuse of personal data in time. Because the e-shop had not detected it in time, there was no need, according to the Municipal Court in Prague, to address the quality of the security measures the e-shop had taken. In other words, if the e-shop did not protect the personal data and did not detect the theft in time, it was, in the opinion of the Municipal Court, clear without further examination that the measures taken by the e-shop were insufficient.

However, the Supreme Administrative Court rejected this approach. According to the Court, a controller or processor cannot foresee every scenario that may occur. The e-shop should, of course, have foreseen the risk of cyber-attacks and taken reasonable measures. However, this does not mean that the controller had to be able to defend itself against any attack. It can hardly be expected that the security measures taken will always be strong enough to repel every possible cyber-attack, even a sophisticated and targeted one.

The decision is available (in Czech) here.
