Annual Report of the Office for Personal Data Protection for 2025: New Regulatory Priorities in the Area of Personal Data Protection

The Office for Personal Data Protection (the “OPDP”) published its annual report for 2025, which, alongside the traditional overview of its supervisory and decision-making activities, also offers a relatively clear picture of the direction in which the regulation of personal data protection is evolving. The report reflects not only the continuing digitalisation of both the public and private sectors, but also the rise of artificial intelligence, the development of new digital services, and the gradual expansion of the European regulatory agenda that directly affects personal data protection. At the same time, it confirms that personal data protection can no longer be perceived purely as a matter of compliance with the General Data Protection Regulation (the “GDPR”), but increasingly as part of a broader regulatory framework of the digital economy, rules governing data handling, and the responsible use of new technologies.

The year 2025 was significant for the OPDP symbolically as well – on 1 June, 25 years had passed since the commencement of its activities. The annual report therefore provides not only a reflection on the development of the OPDP to date and its activities in the past year, but also a concrete signal to controllers and processors of personal data as to which areas will be subject to increased regulatory oversight and which principles of personal data protection the OPDP emphasises in its activities.

The OPDP Control Plan for 2025 as a Map of Regulatory Priorities
The annual report builds on the OPDP control plan for 2025, which focused on four main areas: i) the processing of personal data in loyalty programmes, ii) the operation of camera systems, iii) the use of data from public administration registers and information systems, and iv) the processing of personal data in the Schengen Information System. In addition, the OPDP participated in the Europe-wide coordinated supervisory action Coordinated Enforcement Framework 2025 (the “CEF 2025”), this time focused on the exercise of the data subject’s right to erasure of personal data, i.e. the so-called right to be forgotten.

Looking at the specific inspection findings, it is clear that the common denominator of supervisory activity was an emphasis on the fundamental principles of the GDPR – in particular the principle of data minimisation, the correct choice of legal basis for processing, transparency towards data subjects, and the necessity and proportionality of the selected technical and organisational solutions.

Proportionality in particular appears in the annual report as a recurring theme – especially where controllers implement technologically sophisticated solutions without sufficiently demonstrating why they cannot be replaced by a less invasive means. A typical example, according to the OPDP, is biometric attendance systems, in respect of which it points out that the pursued purpose of attendance recording can generally also be achieved by standard tools, such as access cards or other recording systems, without the need to process biometric data, which, when used for the unique identification of a natural person, are subject to a stricter protection regime.

Biometric Data under Increased Oversight
One of the most prominent topics of the annual report is the use of biometric technologies, both in the public and private sectors. Biometric data, such as fingerprints, facial images, or other unique physical features or behavioural characteristics that enable the identification of a specific person, constitute, from the perspective of personal data protection, a particularly sensitive category of data, the processing of which is subject to stricter conditions.

Particular attention was drawn to the inspection of the automatic biometric facial recognition system operated by the Police of the Czech Republic at Václav Havel Airport in Prague. As part of the operation of the camera system, the police used automatic facial recognition technology, whereby biometric data of persons recorded by the camera system were compared with a reference database of so-called “persons of interest”. The OPDP concluded that the processing of biometric data for the purpose of the unique identification of a natural person was not based on explicit statutory authorisation. Following legislative changes, the system was deactivated as of 1 August 2025, and the biometric data were erased.

Equally important was the inspection of the processing of recordings from personal cameras worn by members of the Police of the Czech Republic. In this context, the OPDP identified shortcomings in the area of logging access to recorded footage, i.e. in recording who accessed the recordings, when, and for what reason. In practice, recordings could be accessed without an adequate audit trail, which the Office assessed as a deficiency in the area of personal data security.

The OPDP adopted a similarly strict approach towards employers using biometric attendance systems. In several cases, the Office found that employers failed to demonstrate an appropriate legal basis for the processing of biometric data or breached the principle of minimisation because the same purpose of attendance recording could have been achieved by less invasive means, such as access cards or other recording systems. In this context, the OPDP expressly recommends that, before introducing similar systems, the necessity and proportionality of such a solution be thoroughly assessed and less invasive alternatives be preferred.

Data Minimisation as a Permanent Priority
In addition to biometrics, the report confirms the OPDP’s continuing strong emphasis on the principle of personal data minimisation under Article 5(1)(c) GDPR.

A significant example is the inspection of the operation of a retail chain’s loyalty programme, in whose registration form information on gender was mandatorily required, while the customer had no option not to provide this information. The OPDP concluded that such information is not necessary for the performance of the contractual relationship arising from participation in the loyalty programme. In addition, the OPDP also analysed the legal basis for processing itself and pointed out that determining the correct legal basis cannot be mechanically linked to the formal designation of processing as “consent” but must always correspond to the actual nature of the relationship between the controller and the data subject.

A similar regulatory approach is also apparent in the area of real estate services. Here, the OPDP criticised excessive collection of data, including information on marital status, place of birth, copies of identity cards, or data collected for purposes that ultimately never materialised (for example, the preparation of a lease agreement that was never concluded). In this context, the Office expressly pointed out that overly general and broadly set processes for the processing of personal data without regard to the specific case may lead to a breach of the principle of minimisation.

For controllers of personal data, this is an important reminder that the regulatory question does not rest solely on whether certain data may potentially be useful, but primarily on whether its processing is genuinely necessary for the specific purpose.

The Right to Erasure and Transparency of Processes
Within the framework of the coordinated European action CEF 2025, the OPDP examined the procedures of controllers in handling requests for the erasure of personal data under Article 17 GDPR. The investigation revealed potential shortcomings, particularly in the area of transparency of processes – for example, in situations where controllers did not sufficiently inform data subjects of the possibility of lodging a complaint with a supervisory authority or seeking judicial protection in the event of a refusal of a request for erasure. Shortcomings were also identified in the limited means by which data subjects may exercise their right, or in the insufficient traceability of information on the procedure for handling such requests.

At the same time, the OPDP pointed to the technical complexity of the erasure process itself, particularly in older information systems, extensive cloud solutions, or in relation to data backups, where the right to erasure must be balanced against the requirement of data integrity and continuity.

Personal Data Protection as Part of Broader Digital Regulation
The annual report also confirms that the OPDP’s agenda is far from ending with traditional supervision under the GDPR. In 2025, the Office also intensively focused on new European digital regulations, in particular the Digital Services Act (DSA), the Digital Markets Act (DMA), the Artificial Intelligence Act (AI Act), the Data Governance Act, and the Data Act. These legal instruments are gradually creating a new regulatory framework for the functioning of the digital economy, which affects not only personal data protection, but also the transparency of online platforms, the responsible use of artificial intelligence, data governance and sharing, and the rules of competition in the digital environment. The competence of the OPDP is thus gradually expanding – alongside traditional supervisory activity in the field of personal data protection, it is increasingly becoming involved in the broader digital regulatory agenda that concerns the protection of individuals’ rights in the online environment.

For controllers and processors of personal data, this means in practice that personal data protection must be viewed in a broader context than before. Alongside compliance with obligations under the GDPR, the proper setting of internal processes for data handling, transparency of automated decision-making, and the responsible implementation of new technological solutions, in particular systems using artificial intelligence, will become increasingly important.

Growing Number of Submissions and Higher Expectations from Controllers
One of the most striking figures in the annual report is the year-on-year increase in the number of submissions and complaints by more than 68%, which, according to the OPDP, represents the highest level since the GDPR became effective. At the same time, the Office expressly states that this trend significantly burdens its decision-making capacities and increases demands on the efficiency, speed, and quality of its activities.

Several concurrent factors may be seen behind this development. The processing of personal data has become an inseparable part of the everyday functioning of businesses, institutions, and digital platforms. With the growing extent of automated data processing, wider use of cloud solutions, customer profiling, service personalisation, and the rise of AI systems, the number of situations in which the rights of data subjects may be affected is simultaneously increasing. In addition, there is also a noticeable long-term growth in individuals’ awareness of their rights under the GDPR, which naturally translates into a greater willingness to turn to the supervisory authority.

From the perspective of controllers of personal data, it is significant that the OPDP continues to emphasise the controller’s responsibility not only for the lawfulness of processing, but also for the ability to demonstrate compliance with the legal framework. It is precisely the absence of sufficient documentation, insufficient justification of the chosen legal basis, or disproportionately broadly set processes that repeatedly appear as problematic areas.

Conclusion
The annual report of the OPDP for 2025 confirms several clear regulatory trends: stronger oversight of the use of biometric technologies, a continuing emphasis on the principle of data minimisation, more detailed scrutiny of legal bases for processing, and the growing importance of transparency and accountability of controllers. At the same time, it shows that personal data protection is becoming increasingly interconnected with the broader digital regulatory agenda, the importance of which will continue to grow in the coming years.

For controllers and processors of personal data, it is therefore an appropriate time to review not only formal documentation in the area of personal data protection and the setting of processes under the GDPR, but also the very substance of processing operations – their necessity, proportionality, legal basis, and preparedness to withstand potential regulatory inspection.

In the event of any questions in the area of personal data protection, we at PEYTON legal are always at your disposal.

Mgr. Jakub Málek, managing partner – malek@plegal.cz

Mgr. Kateřina Vyšínová, junior lawyer – vysinova@plegal.cz

Anna Němcová, legal assistant – nemcova@plegal.cz

www.peytonlegal.en

21. 5. 2026