Court case BA-5S/30/2020 – Court Ruling (Slovakia, 2026)

The DPA conducted an investigation on a controller’s premises and issued a fine of €10,000 and an order to take corrective measures. The controller contested the decision and the DPA lowered the fine to €9,000 and amended some of the factual findings. In its second decision, the DPA held that the controller violated the principle of transparency in Article 5(1)(a) GDPR by failing to inform data subjects about the existence of video surveillance at the point of entry in the monitored area and by failing to specify in the record of processing activities the legal basis for such personal data processing. The controller argued that the record of processing activities contained the legal basis for the processing of personal data (a national law provision), and claimed that the requirement to include a mention of Article 6 GDPR was overly formalist. Moreover, the controller argued that the pictograms placed at the entrance to the monitored area along with a notice of information on its website were meant to inform data subjects of the video surveillance carried out there. The DPA also found a violation of the principle of data minimisation in Article 5(1)(e) GDPR due to the longer than necessary data retention times. The controller claimed that the retention period was generally 7 days and only one recording was kept for longer due to an error. Finally, the DPA held that there was no violation in relation to the processing of employee data of the principle of legality in Article 5(1)(a) GDPR with reference to accountability in Article 5(2) GDPR, since the controller submitted at the time of the inspection a proportionality test in regard to the processing of employees’ personal data. The DPA ordered the controller to take measures to inform data subjects about the processing of their personal data in accordance with Article 13 GDPR. The controller contested the second DPA decision in court. The court annulled the DPA’s second decision and remanded the case to t