Czechia: Issued ruling in the UOOU public lawsuit against AVAST regarding alleged violations of data transfer requirements

On 16 March 2023, the Czech Data Protection Authority (UOOU) issued a ruling in a public lawsuit against AVAST, alleging violations of data transfer requirements. The UOOU penalized AVAST for allegedly unlawfully sharing personal data of its customers with a third-party company, which contradicted the GDPR. AVAST, a company that offers antivirus programs and browser extensions, collected the browsing history of internet users who installed and used their products. This data was then transferred to an American company without proper legal basis or adequate information provided to the customers. The Czech authority determined that the browsing history associated with customers should be regarded as personal data and that the transfers were unlawful. AVAST was fined CZK 350 million (approximately EUR 13 million), which accounts for 1.9% of its turnover and 6% of its annual profits.