A fine of CZK 975,000 (39.000 EUR) has been imposed on the Czech Ministry of the Interior for the widespread processing of data on persons who have been ordered to be isolated due to proven COVID-19 disease. According to the Office, the case involved approximately 2,000,000 people who contracted the disease between 1 April 2021 and 8 March 2022.
As the Data Protection Authority found, the Police collected personal health data of such people on a preventative basis without any link to the specific case under investigation (e.g., without any link to the suspicion that the person concerned was in breach of the quarantine rules set out in the legislation). In doing so, however, it exceeded the powers provided by law for the handling of this type of personal data.
In this case, the Ministry of the Interior, as a public authority, could have been fined for a personal data protection offence. The personal data here was processed for the purpose of preventing, detecting and detecting crime, which is regulated by Title III of the Czech Act on the Processing of Personal Data. Such processing of personal data therefore falls under the regime of the so-called criminal law directive, Directive 2016/680/EU, and not the GDPR. And here – unlike the processing of personal data under the GDPR regime, where the Czech Republic has adopted an exception preventing the imposition of fines on public entities – the imposition of penalties on public entities is not excluded.
Find more information about the Czech Association for the Protection of Personal Data: www.efdpo.eu/czech-republic