How to deal with cookie bars, or a summary of 2023 in the GDPR according to the Czech Data Protection Authority

Do you want to know all the important GDPR changes and recommendations for 2023? We bring you a clear summary of the 100-page Annual Report 2023 of the Czech Data Protection Authority. You will learn, among other things, interesting facts about the inspections carried out, the development of legislation, conclusions from public consultations and practical tips, such as how to set up a cookie bar.

From the annual report of the Czech Data Protection Authority ("DPA"), we have selected topics that both businesses and consumers face. We will look at what recommendations the DPA has issued in relation to cookie bars, what the rules are for sending commercial communications, how to address making copies of ID cards and other issues such as surveillance camera systems in municipalities or whistleblowing. 

Cookie bars 

One of the frequently discussed and well-known issues is the setting of cookie bars. Web administrators have accepted that they must show cookie bars to new visitors, but there is still disagreement on how they should be set - graphically and in terms of content. 

Instead of a cookie bar, you may encounter a cookie "wall" that makes it impossible to view the content of the website until the visitor has accepted the cookies. In other cases, there may be no cookie bar at all. We also encounter inconsistencies between the content of the bar and the cookies actually stored. The enforcement of the "Pay or OK" model is a separate chapter.

For storing cookies on the end devices of website users without consent, the most frequent cookie-bar-related offence last year, the DPA imposed two final fines in 2023 - in the amount of CZK 602,000 and CZK 898,000, respectively. Moreover, fines can be expected to increase in the coming years. Their level will be increasingly influenced by the European Data Protection Board's Guidelines on the calculation of administrative fines under the GDPR from spring 2023, which seek to harmonise the imposition of fines under the GDPR across the EU.

The second most frequent infringement in 2023 was failure to comply with the information obligation, found on more than 50% of the websites inspected. A less common fault was the impossibility (or significant complication) of withdrawing consent to the processing of personal data through cookies, typically caused by placing the "accept" and "deny" buttons in different layers of the cookie bar.

Inconsistencies in the placement of the "accept" and "deny" buttons may be related to the lack of precise instructions. Current practice indicates that these options do not need to be arranged side by side, so "deny" can be placed in the corner of the cookie bar or elsewhere. However, decision-making practice also states that both basic options should be offered in the first layer of the cookie bar. The European Data Protection Board describes other undesirable "dark patterns", including different button sizes or the targeted use of colours.

The DPA mentions that the website administrator should provide a list of all cookies that are collected on the website. It is not sufficient to state that cookies belonging to a certain category are collected; each cookie must be sufficiently identified, by indicating its publisher and/or its name. Visitors to the website should be transparently informed about which cookies the website may store and for what purpose.
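As an added example (not code from the article or from the DPA), the following JavaScript audit helper checks the three points made above: every cookie listed in the bar is identified by name and/or publisher, nothing actually stored is missing from the list, and no non-essential cookie is set before consent. The cookie names and the stored cookie string are constructed sample data; in a browser the stored string would come from document.cookie.

```javascript
// Added example, not part of the article or the DPA's report: an audit helper
// that compares the cookie inventory a cookie bar declares with the cookies a
// page actually stores, before and after consent. Runs in Node on constructed
// input; in a browser the second argument would be document.cookie.

// Parse a "name=value; name2=value2" cookie string into a list of cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => part.split('=')[0]);
}

// declared: entries listed in the bar: { name, publisher, category, essential }
// stored: the cookie string observed in the browser
// consentGiven: whether the visitor has accepted non-essential cookies
function auditCookieBar(declared, stored, consentGiven) {
  const findings = [];
  const declaredByName = new Map(declared.map((c) => [c.name, c]));

  // A category alone is not enough: each entry needs a name and/or a publisher.
  for (const c of declared) {
    if (!c.name && !c.publisher) {
      findings.push({ type: 'unidentified-cookie', category: c.category });
    }
  }

  for (const name of cookieNames(stored)) {
    const entry = declaredByName.get(name);
    if (!entry) {
      // Stored but never listed: the bar and the actual storage disagree.
      findings.push({ type: 'undeclared-cookie', name });
    } else if (!entry.essential && !consentGiven) {
      // Non-essential cookie placed before consent (or despite a refusal).
      findings.push({ type: 'set-without-consent', name });
    }
  }
  return findings;
}

// Constructed sample: what the bar declares versus what the page stored.
const DECLARED = [
  { name: 'session_id', publisher: 'example.com', category: 'necessary', essential: true },
  { name: '_ga', publisher: 'Google Analytics', category: 'analytics', essential: false },
  { name: '', publisher: '', category: 'marketing', essential: false },
];
const STORED = 'session_id=abc123; _ga=GA1.2.111; _fbp=fb.1.222';
console.log(auditCookieBar(DECLARED, STORED, false)); // three findings before consent
```

Running the audit twice, once with consent refused and once with consent given, shows which findings are a consent problem and which are a plain mismatch between the bar and the stored cookies.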

Sending commercial communications

In 2023, a record fine of CZK 7.7 million was imposed for the illegal sending of commercial communications, which we already wrote about in our November article. For those who have not heard of this case, the company included commercial communications from other entities in its order confirmation emails, thereby committing an offence. Promotion of third parties by email without an adequate legal basis is spam. Please note that an unsubscribe option should always be included in any email containing a commercial communication, which was also not observed in the fined case.

Copying of ID cards

The copying of ID cards by banking institutions or other business entities is one of the topics discussed, as in general the copying of ID cards is prohibited by a specific regulation. 

However, even where a specific statutory authorisation exists, its exercise may be the subject of disputes. For example, under Act No. 253/2008 Sb., on Certain Measures against the Legalization of the Proceeds from Crime and Terrorist Financing ("AML Act"), banking institutions have had to verify the identity of their customers. However, it was not clear whether they could copy ID cards to fulfil this obligation.

Last year, the DPA together with the Financial Analytical Office published updated methodological guidelines on this topic. The amendment to the AML Act, which will come into force later this year, will eventually help to clarify the issue. Specifically, Section 25(8) of the AML Act, which will come into force on 1 January 2025, authorises credit and financial institutions to make a copy of an ID card or a digital copy of an ID card. 

To entities that are not obliged persons under the AML Act, the DPA recommends making only a partial copy of an ID card, limited to the parts they actually need. Making such a reduced copy of an ID card by means of a "blackout" template does not require the consent of the holder of the document, as it is not a full-fledged copy within the meaning of Act No. 269/2021 Sb., on ID Cards.

Other interesting facts

In addition to the above, the DPA’s annual report contains many important topics that are part of the current discussion on personal data protection. Besides the aforementioned areas, it also deals with the processing of personal data for marketing purposes, unauthorised publication or disclosure of such data, and the obligation of data controllers to monitor their processors. Of these topics, we have selected the following three areas for a brief mention:

Whistleblowing

Last year, Act No. 171/2023 Sb. on Whistleblower Protection was passed. The DPA also commented on it in connection with the restriction on the exercise of data subjects' rights. For example, if a data subject requests the erasure of their personal data during an ongoing investigation of a whistleblowing report, the company cannot comply with the request; this is a statutory restriction on the exercise of the data subject's rights. However, the DPA points out that applying this restriction entails an obligation to inform the DPA of the fact without delay.

Our experience with internal reporting system implementations shows that adapting the GDPR documentation is an important part of the project, and it can sometimes run up against the technical limits of the chosen ethics line (whistleblowing hotline) supplier. A creative, legally and technically sound solution is then needed.

Surveillance camera systems in municipalities

An inspection carried out by the DPA, which focused on surveillance cameras in municipalities, confirmed that municipalities cannot independently operate a surveillance camera system. Municipalities are not authorised by law or other legal regulation to operate this type of camera system. The solution is usually to conclude a public contract with the municipal police.

Transfer of personal data to the USA

The transfer of personal data to the USA has become easier since last year - we'll see for how long - provided the receiving company is certified under the Data Privacy Framework. At the same time, standard contractual clauses can also be concluded with such a recipient of personal data. According to the DPA, the concurrent use of both measures is not in conflict. While the DPA describes this concurrence as the adoption of additional safeguards for the protection of personal data, we see it as a practical safeguard in case the framework is once again invalidated by a court decision.

Conclusion

It is clear from the annual report that the DPA actively monitors and addresses a wide range of topics related to the protection of personal data - from the processing of data for marketing purposes to issues related to the transfer of personal data abroad. We believe that in 2024 the focus will be on consent management, i.e. on cookie bars and their settings (but not only on those), as well as on the sending of commercial communications.

If you want assistance with any of the above, please feel free to contact us at any time.

The full text of the DPA’s Annual Report 2023 can be found here. 