GT News


September 27, 2018

Inspections of compliance with the GDPR


The activity of the Office for Personal Data Protection (OPDP) has grown considerably during the 4 months since the GDPR entered into force. The OPDP investigates cases of significant societal interest on the basis of a prepared inspection plan; at the same time, it also conducts ad hoc checks when there is an impulse for them or when it receives a complaint from a data subject. During an inspection, the OPDP must assess the scope, character, or duration of the breach, and also, for example, how the administrator is working to correct it, or what measures have been adopted to prevent the same thing from happening in the future.

The office is currently investigating suspected leaks of personal information at these entities:

  • a savings bank where the personal data of 300 people were forwarded to other people by mistake,
  • an operator of a PC game sales portal who has not reported an alleged leak of tens of thousands of logins,
  • a non-governmental non-profit organization which made the data of its subjects public on its website,
  • a subject, which shall remain unknown, whose USB flash drive containing personal data was found inside a shopping mall,
  • the Register of Debtors (CERD), where the OPDP found specific breaches such as the data subject not being informed, absence of explanation, entry of new unverified debtors, processing of unnecessary data, etc. The office will impose measures on the operator in order to rectify the situation. These measures should remove the misconduct discovered during the inspection. The office plans to monitor closely how these measures are applied and to inform the public about this issue.
  • the SOLIDIS company, which on the basis of a licence agreement obtained the personal data of ca. 1.6 million natural persons and was not able to provide proof of consent from these people. A fine of 800 thousand CZK has been imposed on this company.

In the case of the SOLIDIS company, when deciding the penalty, the OPDP took into consideration the scope and amount of personal data processed and the extent of the encroachment on privacy. The OPDP also said that it will continue to pay close attention to the practice where some companies use databases provided by a third party for sending business offers.