Changeflow GovPing Data Privacy & Cybersecurity Avast Fined 351 Million CZK for GDPR Violation
Urgent Enforcement Added Final

Avast Fined 351 Million CZK for GDPR Violation

Favicon for www.uoou.cz Czech UOOU
Filed
Detected
Email

Summary

The Czech Office for Personal Data Protection issued a final and binding decision imposing a fine of 351 million CZK on Avast Software s.r.o. for unlawful GDPR violations. The DPA found that Avast transferred pseudonymized internet browsing history tied to unique identifiers from approximately 100 million users to its subsidiary Jumpshot during 2019, despite informing users the data was anonymous for trend analytics. The DPA determined the data was not properly anonymised and could be re-identified, and the processing purpose extended beyond the claimed statistical analytics.

Why this matters

The DPA's core finding — that pseudonymized browsing data tied to a unique identifier is not anonymised under GDPR — is the operative compliance point for any company relying on anonymisation claims to shield data transfers. Firms that share or monetise user behavioural data with third parties, or that have claimed anonymisation without technical evidence of irreversibility, should audit whether their practices meet the standard this decision establishes.

AI-drafted from the source document, validated against GovPing's analyst note standards . For the primary regulatory language, read the source document .
Published by UOOU on uoou.gov.cz . Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards .
View original document View source feed page

What changed

The Czech DPA issued a final and binding decision imposing a 351 million CZK fine on Avast Software for GDPR violations involving the transfer of pseudonymized browsing data from approximately 100 million users to Jumpshot. The DPA found that Avast misled users by claiming the transferred data was anonymised when re-identification was possible, and that the true purpose extended beyond stated statistical analytics. The decision was coordinated with other EU supervisory authorities under the One Stop Shop mechanism due to cross-border processing.

Companies processing EU personal data — particularly those relying on claimed anonymisation or pseudonymisation to exempt data from GDPR — should review their anonymisation standards and ensure any third-party data sharing aligns with stated processing purposes and user disclosures. The DPA's reasoning that even pseudonymized browsing data tied to a unique identifier does not constitute adequate anonymisation provides regulatory context for data sharing practices across the EU.

Penalties

351 million CZK

Archived snapshot

Apr 20, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Czech DPA imposed fine of 351 million CZK for GDPR infringement

  1. Home
  2. News
  3. Business communication
  4. Article Date published

15.4.2024

Back to list

Avast Software s.r.o. was fined 351 million CZK by the Office for Personal Data Protection in a final and binding decision. The Office imposed said fine for an unlawful processing of personal data of users of its Avast antivirus program and its browser extensions which verifiably took place during a period in 2019.

Avast processes personal data of the users of its antivirus software when it provides services of this software. It transferred a part of these data, which related to roughly 100 million of its users, to Jumpshot INC. during the period under review in 2019, especially pseudonymized internet browsing history tied to a unique identifier. Jumpshot presented itself as a company that, among other things, granted data access to “marketers” who were provided with “insights into online consumer behaviour” and offered following of “user journeys at the atomic level”.

The users were erroneously informed about transfer of anonymous data for the purpose of trend analytics by Avast. Although Avast stated that it used robust anonymisation techniques, it was proved that data transferred from individual antivirus software installations were not anonymised, since reidentification of at least a part of the data subjects based on the transferred data could occur. Furthermore, the purpose of processing these data was not (merely) to create statistical analyses as Avast claimed.

**"The Office put an emphasis in the decision on the fact that Avast is one of foremost experts on cybersecurity that offers tools for data and privacy protection to the public. Its customers could not have expected that this company in particular would transfer their personal data. That is, data based on which not only an identity of someone can be discovered but also their interests, personal preferences, residence, wealth, profession, and other data concerning their privacy,”
stated about the decision President of the Czech Office for Personal Data Protection Jiří Kaucký.

Due to the fact that this was a case of cross-border processing of personal data of clients across the whole European Union, the case was handled together with other concerned EU supervisory authorities within cooperation mechanism (One Stop Shop).

More news

Read more news.

No more items All news

Mentioned entities

General Data Protection Regulation

Parties

Avast Software s.r.o. Jumpshot INC.

Related changes

Favicon for www.cnb.cz Press Release Listing - Multiple Categories and Years
Routine Apr 20, 2026 Czech National Bank Banking & Finance

Get daily alerts for Czech UOOU

Daily digest delivered to your inbox.

Free. Unsubscribe anytime.

Source

Favicon for www.uoou.cz
Czech UOOU uoou.cz/en/news
Data Privacy & Cybersecurity

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from UOOU.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Last updated

Press inquiries →

Classification

Agency
UOOU
Filed
April 15th, 2024
Instrument
Enforcement
Branch
Executive
Legal weight
Binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Technology companies
Industry sector
5112 Software & Technology
Activity scope
GDPR enforcement Data sharing practices
Geographic scope
CZ CZ

Taxonomy

Primary area
Data Privacy
Operational domain
Compliance
Compliance frameworks
GDPR
Topics
Cybersecurity Consumer Protection

Browse Categories

Agriculture & Food Safety 73 Banking & Finance 406 Consumer Protection 89 Courts & Legal 411 Data Privacy & Cybersecurity 89 Defense & National Security 53 Education 55 Energy 100 Environment 151 Gaming 2 Government & Legislation 430 Healthcare 15 Healthcare & Life Sciences 375 Immigration 10 Insurance 75 Labor & Employment 132 Pharma & Drug Safety 21 Professional Licensing 7 Real Estate & Housing 77 Securities & Markets 153 Tax 78 Telecom & Technology 50 Trade & Sanctions 141 Transportation 91

Get alerts for this source

We'll email you when Czech UOOU publishes new changes.

Free. Unsubscribe anytime.

You're subscribed!