One year of GDPR – taking stock of the first fines and penalties in the Czech Republic

25 May marked the first anniversary of the coming into force of GDPR (the General Data Protection Regulation), which put into place uniform EU-wide rules for the protection of personal data of natural persons. The Czech Data Protection Office has already imposed a number of fines.

On 25 May 2019, 365 days passed since GDPR came into force. The Czech Data Protection Office (ÚOOÚ), in its capacity as the supervisory authority tasked with overseeing GDPR compliance in the Czech Republic, marked the occasion by publishing a report on the results of its supervisory work thus far. To date, 38 inspections found 16 instances of a breach of GDPR rules. In eight of these cases, the authority imposed fines, which in aggregate amount to CZK 370,000.

The smallest fine (CZK 5,000) had to be paid by an NPO which had processed inaccurate data and which had denied access to the data it processed.

The highest fine was CZK 250,000, and hit a bank which continued to store, beyond the retention limit, personal data which it should have erased. Other sanctions concerned contracts containing the personal data of customers which had not been adequately secured, lists of personal data which had been posted on the internet, and also, for example, the leak of a database of online gaming participants.

Compared to the practice in other countries, the fines imposed by the Czech supervisory authority are of a rather educational character (for instance, the French supervisory authority punished Google’s GDPR non-compliance with a fine of EUR 50 million), and are also rather sporadic. Of course, the rather modest frequency and size of penalties is largely due to the fact that, up until April 2019, the Czech Republic had no GDPR adaptation law; in this sense, the Czech Data Protection Office was operating for most of the time in a “makeshift” legal context.

Now that the legal framework in the Czech Republic is complete, we may certainly expect sanctions to be imposed with greater frequency and less leniency.

The preliminary inspection schedules for 2019 suggest that the ÚOOÚ wishes to focus on the processing of personal data with the aid of applications and information systems used by healthcare facilities (i.e., in particular, the processing of data in connection with the taking of biological samples) and, in the online world, on the processing of personal data by the developers and operators of mobile apps.

Website of the Czech Data Protection Office at;
General Data Protection Regulation (GDPR);
Act No. 101/2000 Coll., on the protection of personal data;
and Act 110/2019 Coll., on the processing of personal data


