Czech DPA’s inspection plan

The Office for Personal Data Protection (the Czech Data Protection Authority, “DPA”) has published its inspection plan for 2025 (in Czech only). Each year, this document indicates what controllers and processors of personal data should prepare for in the given period. The DPA is now clearly targeting some key areas with strong relevance to society where the lack of legal certainty meets technological progress.

1. Data from registers: private sector under scrutiny

The DPA will focus on the way private entities use data from registers and information systems of public administration. The DPA mentions banks and insurance companies as examples. In particular, the DPA will check whether it is indeed necessary to process the data and whether the information obligation is being met towards data subjects. It has been quite a long time since entities with large data sets, known as big data controllers, have been under increased scrutiny. Those who have already invested in the privacy setup of relevant in-house processes are unlikely to be surprised. Others should watch out.

2. Discount for consent: loyalty programmes in the spotlight

Another area that the DPA will focus on is making discounts conditional on consent to the processing of personal data, e.g., in the context of loyalty programmes of retail chains. In particular, the DPA will look into the legal title of the processing and the question of whether consent is truly free. The topic has been resonating in the media and the professional public for some time. An inspection by the DPA could therefore clarify the rules and potentially spur discussion on “digital exclusion”, i.e. whether consumers should be allowed to benefit from certain advantages even without digital tools and registration.

3. Cameras in transport: technology vs. privacy

The continued trend of installing CCTV systems in transport vehicles will be scrutinised, in particular as to where these systems are necessary and how long the footage should be retained. As prices fall and CCTV equipment becomes more sophisticated, there is an increasing risk of excessive intrusion into passenger privacy. The DPA is likely to focus on the assessment of the legitimacy and scope of the records as well as the fulfilment of the information obligation. Not all carriers fully comply with these obligations.

4. Marketing from comparison sites: who is (still) the customer?

The DPA will also look into the sending of commercial communications by operators of internet comparison sites. According to the wording of the inspection plan, this is likely to be a more extensive investigation, which could also help interpret the concept of “customer” and the related legal relationships in the context of direct marketing. Controllers should review their databases, the consents given and their mailings based on a legitimate interest, and the process of sending out commercial communications.

What else is the DPA planning?

In addition to the above, the DPA will also focus on anonymisation standards for requests under the Freedom of Information Act, and will continue to inspect embassies in respect of visas and municipalities in respect of the Schengen Information System. The DPA is also involved in a European coordinated inspection scheme concerning the right to erasure. The details are not yet known.

In the current period, we also expect the 2024 annual report to be published, providing a summary of the DPA’s activities for the past calendar year and an outlook for future developments.

What should you do to be prepared?

Controllers are advised to:

  • review the legal titles of processing in loyalty programmes,
  • check the scope of information obtained from public registers and the way it is used,
  • check the deployment of CCTV systems and the way in which data subjects are informed,
  • evaluate the strategy for sending commercial communications in terms of the legal qualification of recipients.

2025 is likely to raise fundamental questions about the balance between technological progress, business models and privacy or personal data protection. Our dedicated data protection and cybersecurity team at HAVEL & PARTNERS is available to assist you in setting up transparent communication with data subjects and/or reviewing any related processes.
