The Prague Municipal Court has recently upheld the decision of the Office for Personal Data Protection (ÚOOÚ) in which the Office imposed a fine of CZK 80,000 on a private Czech company over a promotional campaign that the Company ordered and had carried out by a foreign service provider. The case is particularly interesting in that the Court dealt with the interpretation of the concept of the disseminator of the communication and the practical limits of the Company's liability as a controller of personal data.
The Office investigated the campaign based on complaints from e-mail recipients, who pointed out that they had not given their consent to the sending of commercial communications. The Office performed an inspection at the Company (as the ordering party), during which the Company failed to present the necessary consents. The Company argued that it was the foreign service provider, as the actual sender of the e-mails, that should have the consents available, something the service provider had allegedly assured the Company of following the Company's inquiry. The Company also noted that the supplier had contractually agreed to comply with all applicable legal regulations.
The Office did not accept this argument, however. It insisted that the Company, as the ordering party, was the controller of the personal data, since it had agreed to the distribution and determined its purpose and means. The Company was therefore also responsible for the legitimacy of the data processing and should not have settled for the service provider's assurance alone. This approach was confirmed by the Court, which emphasized that contractual arrangements are effective between their parties but cannot release the data controller from its strict liability, and that the term “disseminator” must be applied not only to the party that actually distributed the commercial communications but also to the party that ordered the distribution.