THE BREACH OF PERSONAL DATA PROTECTION BY PUBLIC AND PRIVATE AUTHORITIES
Pavel Molek, Supreme Administrative Court of the Czech Republic
Lisbon 24/3/2017
TWO CONCEPTS OF BREACH OF PERSONAL DATA PROTECTION
Narrow meaning: GDPR: Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the Protection of
Natural Persons with Regard to the Processing of Personal Data and on
the Free Movement of Such Data (GDPR) Art. 4/12:
„‘personal data breach’ means a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or
access to, personal data transmitted, stored or otherwise processed“
Prevention: Art. 32: Security of processing
„the controller and the processor shall implement appropriate technical and organisational
measures to ensure a level of security appropriate to the risk, including inter alia as
appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of
processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in
the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and
organisational measures for ensuring the security of the processing.“
Consequences: Art. 33: Notification of a personal data breach to the supervisory authority
„1. In the case of a personal data breach, the controller shall without undue delay and,
where feasible, not later than 72 hours after having become aware of it, notify the
personal data breach to the supervisory authority competent in accordance with Article
55, unless the personal data breach is unlikely to result in a risk to the rights and
freedoms of natural persons. (…)
2. The processor shall notify the controller without undue delay after becoming aware of
a personal data breach.“
Consequences: Art. 34: Communication of a personal data breach to the data subject
„1. When the personal data breach is likely to result in a high risk to the rights and
freedoms of natural persons, the controller shall communicate the personal data breach
to the data subject without undue delay.
2. The communication to the data subject referred to in paragraph 1 of this Article
shall describe in clear and plain language the nature of the personal data breach (…)“
TWO CONCEPTS OF BREACH OF PERSONAL DATA PROTECTION
Broad/human rights meaning: violation of the right to personal data protection
Article 8 Charter of Fundamental Rights of the EU
„Protection of personal data
1. Everyone has the right to the protection of personal data concerning
him or her.
2. Such data must be processed fairly for specified purposes and on the
basis of the consent of the person concerned or some other legitimate
basis laid down by law. Everyone has the right of access to data
which has been collected concerning him or her, and the right to have it
rectified.
3. Compliance with these rules shall be subject to control by an
independent authority.“
LEGAL FRAMEWORK
Article 8 European Convention for the Protection of Human Rights and Fundamental Freedoms
„Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his
correspondence.
2. There shall be no interference by a public authority with the exercise of this right
except such as is in accordance with the law and is necessary in a democratic society
in the interests of national security, public safety or the economic well-being of the
country, for the prevention of disorder or crime, for the protection of health or
morals, or for the protection of the rights and freedoms of others.“
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data 1981
„Art. 1 The purpose of this Convention is to secure in the territory of each Party for
every individual, whatever his nationality or residence, respect for his rights and
fundamental freedoms, and in particular his right to privacy, with regard to
automatic processing of personal data relating to him ('data protection').“
FRAME OF RELATIONSHIP
Vertical relationships as a starting point
Horizontal relationships
Indirect horizontal relationships
Article 4 GDPR
„7. controller: means the natural or legal person, public
authority, agency or other body which, alone or jointly with others,
determines the purposes and means of the processing of personal data;
(…);
8. processor: means a natural or legal person, public authority,
agency or other body which processes personal data on behalf of the
controller…“
FRAME OF PROPORTIONALITY
Test of proportionality:
1. Is there a legitimate purpose? (e.g. free access to information, criminal investigation, public safety, protection of property, publicity of judgements)
2. Necessity (is there an alternative measure less intrusive and equally effective?)
3. Balancing (costs and gains)
BREACH BY SUBJECTS BOUND TO PROVIDE INFORMATION
BREACH BY POLICE
For prevention, investigation, detection or prosecution of criminal offences
ECtHR S. and Marper v. the United Kingdom (GC, 4 December 2008, app. nos. 30562/04 and 30566/04)
BREACH BY POLICE
S. and Marper v. U.K.: British perspective:
„65. The profile was merely a sequence of numbers which provided a means
of identifying a person against bodily tissue, containing no materially
intrusive information about an individual or his personality. (…)
92. As at 30 September 2005, the National DNA Database held 181,000
profiles from individuals who would have been entitled to have those profiles
destroyed before the 2001 amendments. Of those profiles, 8,251 were
subsequently linked with crime-scene stains which involved 13,079 offences,
including 109 murders, 55 attempted murders, 116 rapes, 67 sexual
offences, 105 aggravated burglaries and 126 offences of the supply of
controlled drugs.
93. The Government also submitted specific examples of the use of DNA
material for successful investigation and prosecution in some eighteen specific
cases.“
BREACH BY POLICE
S. and Marper v. U.K.: ECtHR perspective:
„75. The Court observes, nonetheless, that the profiles contain substantial amounts of unique
personal data. While the information contained in the profiles may be considered objective and
irrefutable in the sense submitted by the Government, their processing through automated means
allows the authorities to go well beyond neutral identification. The Court notes in this regard that
the Government accepted that DNA profiles could be, and indeed had in some cases been, used for
familial searching with a view to identifying a possible genetic relationship between individuals.
They also accepted the highly sensitive nature of such searching and the need for very strict controls
in this respect. In the Court’s view, the DNA profiles’ capacity to provide a means of identifying
genetic relationships between individuals (…) is in itself sufficient to conclude that their retention
interferes with the right to the private life of the individuals concerned.
76. The Court further notes that it is not disputed by the Government that the processing of DNA
profiles allows the authorities to assess the likely ethnic origin of the donor and that such
techniques are in fact used in police investigations (…). The possibility the DNA profiles create
for inferences to be drawn as to ethnic origin makes their retention all the more sensitive and
susceptible of affecting the right to private life. (…).
77. In view of the foregoing, the Court concludes that the retention of both cellular samples and
DNA profiles discloses an interference with the applicants’ right to respect for their private lives,
within the meaning of Article 8 § 1 of the Convention.“
„119. …the Court is struck by the blanket and indiscriminate nature of the power of retention in
England and Wales. The material may be retained irrespective of the nature or gravity of the
offence with which the individual was originally suspected or of the age of the suspected offender;
fingerprints and samples may be taken – and retained – from a person of any age, arrested in
connection with a recordable offence, which includes minor or non-imprisonable offences. The
retention is not time-limited; the material is retained indefinitely whatever the nature or seriousness
of the offence of which the person was suspected. Moreover, there exist only limited possibilities for
an acquitted individual to have the data removed from the national database or the materials
destroyed (…); in particular, there is no provision for independent review of the justification for
the retention according to defined criteria, including such factors as the seriousness of the offence,
previous arrests, the strength of the suspicion against the person and any other special
circumstances. (…)
122. Of particular concern in the present context is the risk of stigmatisation, stemming from the
fact that persons in the position of the applicants, who have not been convicted of any offence and
are entitled to the presumption of innocence, are treated in the same way as convicted persons. In
this respect, the Court must bear in mind that the right of every person under the Convention to
be presumed innocent includes the general rule that no suspicion regarding an accused’s innocence
may be voiced after his acquittal…
125. In conclusion, the Court finds that the blanket and indiscriminate nature of the powers of
retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not
convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance
between the competing public and private interests and that the respondent State has overstepped
any acceptable margin of appreciation in this regard. Accordingly, the retention at issue
constitutes a disproportionate interference with the applicants’ right to respect for private life and
cannot be regarded as necessary in a democratic society. This conclusion obviates the need for the
Court to consider the applicants’ criticism regarding the adequacy of certain particular safeguards,
such as too broad an access to the personal data concerned and insufficient protection against the
misuse or abuse of such data. “
BREACH BY POLICE
W. v. the Netherlands (20 January 2009, app. no. 20689/08)
M. K. v. France (18 April 2013, app. no. 19522/09)
„42. Furthermore, the Court notes that the decree draws no distinction based on whether or not the person concerned has been
convicted by a court, or has even been prosecuted…
45. The Court notes that while the retention of information stored in the file is limited in time, it nevertheless extends to
twenty-five years. Having regard to its previous finding that the chances of deletion requests succeeding are at best
hypothetical, a twenty-five-year time-limit is in practice tantamount to indefinite retention, or at least, as the applicant
contends, a standard period rather than a maximum one.
46. In conclusion, the Court considers that the respondent State has overstepped its margin of appreciation in this matter, as the
regulations on the retention in the impugned database of the fingerprints of persons suspected of having committed offences but not
convicted, as applied to the applicant in the instant case, do not strike a fair balance between the competing public and private
interests at stake. Consequently, the retention of the data must be seen as a disproportionate interference with the applicant’s right
to respect for his private life and cannot be regarded as necessary in a democratic society.“
BREACH BY USING CCTV
Peck v. U.K. (28 January 2003, app. no. 44647/98)
SAC (8 June 2016, sp. zn. 3 As 118/2015)
OTHER BREACHES BY…
Intelligence service (Segerstedt-Wiberg and Others v. Sweden, 6 June 2006, app. no. 62332/00)
Criminal court
B. B. v. France, 17 December 2009, app. no. 5335/06
Z. v. Finland, 25 February 1997, app. no. 22009/93
OTHER BREACHES BY…
Professional private photographer (Reklos and Davourlis v. Greece, 15 January 2009, app. no. 1234/05)
„35. The Court reiterates that, although the object of Article 8 is essentially that of protecting the
individual against arbitrary interference by the public authorities, it does not merely compel the State to
abstain from such interference (…)
38. The Court notes that the Government focussed their arguments on the fact that in the present case the
images in question were not published but simply reproduced with a view to being sold to the baby’s parents.
The Government thus alleged that, as there had been no publication of the offending images, there could not
have been any infringement of the baby’s personality rights.
As a person’s image is one of the characteristics attached to his or her personality, its effective protection
presupposes, in principle and in circumstances such as those of the present case (see paragraph 37 above),
obtaining the consent of the person concerned at the time the picture is taken and not simply if and when it
is published. Otherwise an essential attribute of personality would be retained in the hands of a third party
and the person concerned would have no control over any subsequent use of the image.“
COMPENSATION….?
GDPR preamble
„(146) The controller or processor should compensate any damage which a person may suffer as a
result of processing that infringes this Regulation. The controller or processor should be exempt
from liability if it proves that it is not in any way responsible for the damage. (…) Data subjects
should receive full and effective compensation for the damage they have suffered. (…)“
Czech reality:
Administrative sanction…?
Protection of personality…?
Diversion in criminal proceeding…?
COMPENSATION….?
Article 82 Right to compensation and liability
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation
shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this
Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with
obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful
instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way
responsible for the event giving rise to the damage.
4. Where more than one controller or processor, or both a controller and a processor, are involved in the same
processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each
controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the
data subject.
5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage
suffered, that controller or processor shall be entitled to claim back from the other controllers or processors
involved in the same processing that part of the compensation corresponding to their part of responsibility for
the damage, in accordance with the conditions set out in paragraph 2.
(…)
THANK YOU FOR YOUR ATTENTION