GDPR Enforcement in Slovakia
Deep dive into relevant data protection enforcement cases and insights from Slovakia

Fining practice
Trend: Have the national data protection authorities in Slovakia focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?
The Slovak data protection authority (“Úrad na ochranu osobných údajov Slovenskej republiky”, the “UOOU”) has announced its control plan for 2025. The plan’s first part focuses on data processing in Schengen and European information systems and agencies. The plan’s second part focuses on the risks associated with specific processing activities or the use of new technologies and procedures. Specifically, the UOOU will investigate data processing concerning the following data subjects: customers of public pharmacies, participants in courses organised by driving schools, and visitors to restaurants, cafes and other facilities under CCTV surveillance.
Overall, what was the most significant fine in Slovakia to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?
The UOOU issued its highest known fine of EUR 50,000 at the end of 2019 to the Social Insurance Company for violation of Article 32 of the GDPR. In this case, the Social Insurance Company failed to ensure an adequate level of protection of the personal data it processed: a postal parcel containing the personal data of an applicant for a disability pension was lost during communication with foreign social security authorities. No information on a possible challenge of this decision before the court has been identified. However, the insurer continued to deny the violation and publicly stated that it was challenging the decision in court.
Organisation of authorities and course of fine proceedings in Slovakia
How is the data protection authority organised in Slovakia? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?
The UOOU is a state administration body with nationwide competence. In exercising its powers, it acts independently. Its budget for 2024 was initially around EUR 1.9 million, but later it was increased to around EUR 2.9 million. The UOOU has approx. 40 employees and is based in Bratislava.
How does a fine procedure work in Slovakia? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?
The UOOU imposes fines by decisions issued within administrative proceedings. The participants are notified of the initiation of the proceedings. Decisions of the UOOU are not published, but instead only delivered to the participants. The chairman of the UOOU decides on appeals. Final decisions on fines are reviewable by the administrative court.
When fines are imposed by the data protection authority: Where does the money go (e.g., the state treasury, the authority's budget)?
Fines contribute to the revenue of the state budget.
Is there a common, official calculation methodology for fines in Slovakia (such as the fining models in the Netherlands or Germany)?
No, the UOOU imposes fines depending on the circumstances of each individual case, taking into account various factors, such as the category of the respective personal data, the gravity of the breach, the number of data subjects affected, previous breaches, etc.
Can public authorities be fined in Slovakia? If they can: Where does this money go?
The law does not differentiate between private and public controllers, meaning that public authorities can also be fined. The respective fines contribute to the revenue of the state budget.
In Slovakia, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?
The UOOU only publishes a fraction of all cases in its annual report. There, the cases are described in general terms, private companies are not identifiable and the fine amounts are not disclosed. Nonetheless, it is possible to obtain copies of individual decisions on the basis of Act No. 211/2000 Coll. on Free Access to Information.
If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2024?
Yes, the UOOU provides aggregated information on the total number of cases and the total amount of fines in its annual reports. The UOOU has not yet published its annual report for 2024. According to information available from other sources, 38 decisions on fines became final and non-appealable in 2024, totalling approx. EUR 84,000, with the average fine being EUR 2,226.
Other legal consequences of non-compliance in Slovakia
Does Slovakia have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?
At the moment, there is no option to file a class action against the data controller in Slovakia.
What is more relevant in Slovakia: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?
In Slovakia, administrative fines do not prevent private claims from being made in separate proceedings. However, private litigation regarding personal data processing is not very common. Fines issued by the UOOU are much more common and relevant and, for businesses, much more noticeable.