GDPR inspections in practice: how investigations by the Office for Personal Data Protection are conducted
Are you worried about an inspection by the Office for Personal Data Protection? In this article, you will learn about the exact procedure of an ÚOOÚ investigation, your rights as a person being inspected, and how to avoid fines of up to CZK 351 million. ARROWS lawyers will help you prepare for the inspection and successfully pass it.

Need advice on this topic? Contact the ARROWS law firm by email at office@arws.cz or by phone at +420 245 007 740. Your question will be answered by JUDr. Jakub Dohnal, PhD., LL.M., an expert on the subject.
What is ÚOOÚ and what are its powers during GDPR inspections
The Office for Personal Data Protection (ÚOOÚ) is the central administrative authority of the Czech Republic that oversees compliance with the personal data protection rules set out in the GDPR and Act No. 110/2019 Coll. on the processing of personal data. It has broad investigative and corrective powers that allow it not only to inspect but also to effectively enforce compliance with regulations.
According to Article 58 of the GDPR, the ÚOOÚ has the right to order the controller and processor to provide all information necessary to perform its tasks, to conduct investigations in the form of data protection audits, to obtain access to all personal data, and to enter all premises where the controller or processor operates. In 2024, the ÚOOÚ imposed a record fine of CZK 351 million on Avast Software for the unauthorized processing of the personal data of approximately 100 million users.
ARROWS lawyers deal with GDPR compliance cases on a daily basis and represent clients during ÚOOÚ inspections. For an immediate solution to your situation, please write to us at office@arws.cz.
How does the ÚOOÚ initiate an inspection?
The ÚOOÚ can initiate an inspection in several ways. Most often, a notice of the initiation of an inspection is delivered together with an authorization to inspect via a data box or by mail. Alternatively, the inspection may be initiated by presenting the authorization directly on site at the start of the inspection.
The notice of the initiation of an inspection contains a definition of the subject of the inspection, the composition of the inspection team, and usually the first set of questions and requirements. The date of the oral hearing and on-site investigation is usually announced at least 14 days in advance so that the inspected person has sufficient time to prepare.
The ÚOOÚ may initiate an inspection on the basis of:
- Complaints and suggestions from data subjects (in 2024, the ÚOOÚ received a total of 2,288 complaints)
- Its own findings from monitoring the public space
- The annual inspection plan, which is publicly available
- Coordinated European actions (the so-called Coordinated Enforcement Framework)
Note: A complaint from a data subject does not automatically mean that an inspection will be initiated. The ÚOOÚ often first sends a so-called "warning letter" to the controller with a request for correction.
| Risks and sanctions | How ARROWS (office@arws.cz) can help |
| --- | --- |
| Unannounced initiation of an inspection – unpreparedness for the inspectors' requirements | Preparation of internal documentation and GDPR guidelines |
| Incorrect or incomplete answers to questions from the ÚOOÚ | Legal consultation and representation in communication with the authority |
| Absence of a data protection officer (DPO) | Consulting on the appointment of a DPO or securing an external data protection officer |
| Unsecured personal data | Review and proposal of technical and organizational measures |
| Violation of the rights of data subjects | Preparation of processes for handling requests from data subjects |
Step-by-step inspection process
The inspection itself is governed by Act No. 255/2012 Coll., the inspection rules, in conjunction with the relevant provisions of the GDPR. The inspection is carried out by ÚOOÚ employees on the basis of a written authorization, which must be presented to the inspected person.
Document collection phase
After initiating the inspection, the ÚOOÚ usually requests a written statement and the submission of documents. Inspectors are entitled to request data, documents, and items related to the subject of the inspection or the activities of the inspected entity. The law allows them access to all information necessary to perform a specific task, including information protected by confidentiality.
Typical time-related problems include missed deadlines without an excuse and a lack of communication. The solution is to communicate actively with the ÚOOÚ: if you cannot meet a deadline, tell the inspectors in advance.
Oral proceedings and on-site investigations
Oral proceedings serve to facilitate communication and contact with persons processing personal data. On-site inspections then allow for the verification of information, the inspection of data storage and measures taken, and access to information systems.
On-site inspections are typically attended by 2-4 inspectors and last several hours. The inspected person should ensure the presence of an authorized person and a sufficient number of knowledgeable employees.
At ARROWS Law Firm, we have extensive experience in preparing clients for oral proceedings and on-site inspections. Thanks to our portfolio of more than 150 joint-stock companies and 250 limited liability companies, we know exactly what documents and answers the ÚOOÚ requires. Contact us at office@arws.cz for a tailor-made legal solution.
FAQ – Legal tips for the course of an ÚOOÚ inspection
1. Can I refuse to allow inspectors to enter the company's premises?
No. Inspectors have the legal right to enter buildings, vehicles, and other premises related to the subject of the inspection. Refusal may be classified as a failure to comply with the obligation to cooperate and may be punished by a fine of up to CZK 500,000. If you are dealing with a similar situation, please contact us at office@arws.cz.
2. How long does an ÚOOÚ inspection take?
The length of the inspection depends on the complexity of the case. It can take from a few weeks to many months. The quality and speed of cooperation of the inspected person has a significant impact. To speed up the process, we recommend consulting with ARROWS lawyers – write to office@arws.cz.
What are your rights and obligations as an inspected person
The rights and obligations of the inspected person are defined by the inspection rules and are interlinked with the rights and obligations of the inspectors.
Basic obligations
The inspected person is obliged to provide the inspectors with the necessary cooperation, create conditions for the performance of the inspection, and enable the inspectors to exercise their powers. Specific obligations include:
- Allowing access to premises and documents
- Providing truthful and complete explanations
- Submitting the required documents within the specified time limit
- Ensuring conditions for the performance of the inspection (suitable space, technical means)
A fine of up to CZK 500,000 may be imposed for failure to comply with the obligation to cooperate. It is important to note that the obligation to cooperate does not cease to exist upon payment of the fine.
Fundamental rights
The inspected person has the right to object to the bias of the inspector, to request the presentation of the inspection authorization, to familiarize themselves with the content of the inspection report, and to raise objections to the inspection findings.
Inspection report and the possibility of raising objections
The result of the inspection is always an inspection report, which must be drawn up within 30 days of the last inspection activity, or within 60 days in complex cases. The report contains the inspection findings and is sent to the inspected person.
The inspected person may submit written objections to the inspection findings stated in the report within 15 days of delivery of the report. The objections must clearly state which inspection findings they are directed against and must include the reasons for the disagreement.
Objections are handled by the inspector's superior, and the deadline for handling them may be extended by 30 days in complex cases. The inspection ends with the handling of the objections or the expiry of the deadline for their submission.
Preparing objections requires in-depth knowledge of procedural rules and the substantive issues of the GDPR. ARROWS lawyers are ready to help you – write to office@arws.cz.
| Risks and sanctions | How ARROWS (office@arws.cz) can help |
| --- | --- |
| Missing the deadline for filing objections | Legal representation and monitoring of deadlines |
| Insufficiently justified objections | Preparation of legally qualified objections with references to case law |
| Failure to take into account all relevant facts | Comprehensive legal analysis of inspection findings |
What happens after the inspection is completed
If the inspection does not find any violations, the inspected person will receive a report without negative findings. If violations are found, the ÚOOÚ may:
- Call for corrective action – the controller is given the opportunity to remedy the identified deficiencies themselves
- Initiate administrative proceedings to impose corrective measures – the ÚOOÚ may order the controller to bring the processing into compliance with the GDPR within a specified period
- Initiate misdemeanor proceedings – with the possibility of imposing a fine
The corrective powers of the ÚOOÚ include, among other things, issuing warnings, ordering compliance with data subjects' requests, imposing temporary or permanent restrictions on processing, including its prohibition, or ordering the erasure of personal data.
Amount of fines for GDPR violations
The ÚOOÚ may impose fines in two categories for GDPR violations:
- Up to EUR 10,000,000 or 2% of total annual turnover – for less serious violations
- Up to EUR 20,000,000 or 4% of total annual turnover – for serious violations
Under the Czech Personal Data Processing Act, fines of up to CZK 10,000,000 may be imposed for certain offenses, or up to CZK 5,000,000 for qualified offenses.
When determining the amount of the fine, the ÚOOÚ takes into account the criteria set out in Article 83 of the GDPR, including the nature, gravity, and duration of the infringement, the number of data subjects affected, the extent of the damage, and the measures taken to mitigate the consequences.
FAQ – Legal tips on the consequences of an inspection
1. Can the ÚOOÚ prohibit the processing of personal data?
Yes. The ÚOOÚ has the power to impose temporary or permanent restrictions on processing, including a complete ban. This is an extreme measure used in cases of serious violations. If you are facing such a measure, do not hesitate to contact our office – office@arws.cz.
2. Do I have to submit a corrective report after an inspection?
Yes, if requested by the inspector. The deadline for submitting a report on the elimination or prevention of deficiencies is usually 60 days from the end of the inspection. The report may also include a description of measures that are still in the preparation stage. Do you need help preparing the report? Write to office@arws.cz.
What is the ÚOOÚ focusing on in 2025
Every year, the ÚOOÚ publishes an inspection plan that outlines its supervisory priorities. For 2025, the ÚOOÚ will focus primarily on:
- Loyalty programs of retail chains – checking whether consents to the processing of personal data obtained through loyalty programs meet the requirements of the GDPR, in particular whether they are truly freely given.
- Use of data from public registers – banks, insurance companies, and other private-law users will be inspected in terms of the necessity and purposefulness of processing data from the basic population register.
- Camera systems in means of transport – assessment of the necessity of camera systems, the length of time recordings are stored, and the fulfillment of data subjects' rights.
- Sending commercial communications via internet comparison sites – verification of the legal grounds for sending marketing communications.
- Right to erasure (right to be forgotten) – as part of a coordinated European action, the ÚOOÚ will focus on the implementation of this right by controllers.
How to prepare for an ÚOOÚ inspection
Preparation for an ÚOOÚ inspection should be ongoing, not reactive. Key areas that every controller should regularly check include:
- Records of processing activities – an up-to-date overview of all personal data processing activities in accordance with Article 30 of the GDPR
- Legal grounds for processing – there must be a legitimate legal basis for each category of processing
- Information obligation – whether data subjects are properly informed in accordance with Articles 13 and 14 of the GDPR
- Processing agreements – written agreements with all personal data processors
- Security measures – technical and organizational measures to protect personal data
- Process for handling data subject requests – procedures for the right of access, erasure, rectification, etc.
The ARROWS law firm conducts comprehensive GDPR audits and prepares clients for potential inspections. Because we deal with this agenda on a daily basis, we are able to significantly reduce the preparation time for our clients and minimize the risk of errors. In addition, ARROWS is insured for damages up to CZK 500,000,000, which means maximum security for the client. Please do not hesitate to contact our office – office@arws.cz.
| Risks and sanctions | How ARROWS (office@arws.cz) can help |
| --- | --- |
| Fines of up to EUR 20 million for serious violations of the GDPR | Comprehensive GDPR audit and compliance setup |
| Failure to report a data breach within 72 hours | Preparation of processes for handling security incidents |
| Absence of processing agreements | Preparation and review of agreements with personal data processors |
| Inadequate security measures | Proposal of technical and organizational measures for data protection |
| Legal disputes with data subjects for compensation for damage | Representation in legal disputes |
International aspect of inspections and cooperation between supervisory authorities
In the case of cross-border processing of personal data, the ÚOOÚ cooperates with the supervisory authorities of other EU Member States through the mechanisms established by the GDPR. The ARROWS law firm also provides legal services in an international context thanks to the ARROWS International network, which has been built up over ten years, and we deal with cases with an international element on an almost daily basis.
For multinational companies, it is crucial to understand which supervisory authority is the "lead supervisory authority" in their case and how to coordinate compliance across jurisdictions. ARROWS lawyers will help you navigate these complex issues. Contact us at office@arws.cz.
Why entrust the preparation for an ÚOOÚ inspection to experts
The issue of GDPR inspections is much more complex in practice than it seems at first glance. Individual steps that appear simple have hidden exceptions, procedural details, links to other regulations, and risks that are often invisible to the layman. For example:
- Formulating responses to questions from the ÚOOÚ requires precise legal argumentation
- The preparation of objections to inspection findings must respect formal and content requirements
- Assessing whether a specific processing operation requires a data protection impact assessment (DPIA) is technically demanding
- Correctly establishing the legal grounds for processing requires in-depth knowledge of case law
The ARROWS law firm deals with this agenda on a daily basis and is also a partner of corporate lawyers for resolving specialized matters. Our portfolio includes more than 150 joint-stock companies, 250 limited liability companies, and 50 municipalities and regions. We pride ourselves on speed and high quality.
If you don't want to risk errors, damages, or fines in the millions of crowns, you can safely leave the whole matter to ARROWS. Just contact our office at office@arws.cz.
FAQ – Frequently asked legal questions about ÚOOÚ inspections
1. Can the ÚOOÚ initiate an inspection without prior notice?
Yes, an inspection can be initiated by presenting an authorization directly on site. However, the ÚOOÚ more often sends a notice of the initiation of an inspection in advance so that the inspected person has time to prepare the documents. If you have received a notice of inspection, contact us immediately at office@arws.cz.
2. What should I do if I disagree with the findings of the inspection?
You can file a written objection to the inspection findings stated in the inspection report within 15 days of its delivery. The objection must clearly state which findings it is directed against and the reasons for your disagreement. Preparing a high-quality objection requires legal expertise – please contact office@arws.cz.
3. Can executives or employees also be fined for GDPR violations?
Yes. In the past, the ÚOOÚ imposed a fine of CZK 1,500,000 on a natural person who, as the sole executive of a company, determined the purposes and means of personal data processing and was thus qualified as a controller. If you have questions about personal liability, please write to office@arws.cz.
4. How often does the ÚOOÚ carry out inspections?
The ÚOOÚ carries out dozens of inspections each year, roughly half of which are initiated on the basis of complaints and half according to an inspection plan. The number of complaints and suggestions has long been around 2,200–2,300 per year. For a preventive consultation, please contact us at office@arws.cz.
5. Do I need to have a data protection officer (DPO)?
Public authorities, entities engaged in large-scale systematic monitoring of individuals, and entities processing sensitive data on a large scale are required to appoint a DPO. Other entities may appoint a DPO voluntarily. Not sure if this applies to you? Contact us at office@arws.cz.
6. When do I have to report a personal data breach?
The controller must report the breach to the ÚOOÚ without undue delay, if possible within 72 hours of becoming aware of it, unless it is unlikely that the breach will result in a risk to the rights and freedoms of natural persons. If you have experienced a security incident, do not hesitate to contact us immediately at office@arws.cz.
Don't want to deal with this problem yourself? More than 2,000 clients trust us, and we have been named Law Firm of the Year 2024. See our references.