On 24 April 2023, the Czech Data Protection Authority (DPA) fined the Czech Ministry of the Interior CZK 975,000 (approximately €41,500) for collecting sensitive health data of individuals who were diagnosed with Covid-19 and ordered to remain in isolation during the pandemic.
The police collected the data to monitor compliance with isolation orders and prevent the spread of the virus. The Ministry of the Interior processed the data of approximately 2 million people until March 2022.
The DPA found that the police carried out a general, large-scale collection of data that was not related to specific situations, which exceeded the Ministry of the Interior’s police powers. The DPA held that the data processing lacked a legal basis, as the law that regulates police action in the Czech Republic does not authorize the mass collection of sensitive data. The DPA emphasized that public powers must be exercised within the limits of the law, even during a pandemic.
The DPA also found that the Ministry of the Interior failed to provide sufficient information to data subjects about the data processing and that a data protection impact assessment should have been performed. The assessment would have considered the risks that the processing poses to data subjects and the measures necessary to mitigate these risks. The DPA believed that if the Ministry had carried out this assessment, it would have concluded that blanket collection of personal health data should not be performed at all. The fine was imposed due to the seriousness of the violations and the number of people affected.