Úrad na ochranu osobných údajov Slovenskej republiky (ÚOOÚ) – Court Ruling (Slovakia, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Slovak court ruled that Rajec’s City Council violated data protection rules with its CCTV system. This matters because it shows that even public entities must follow strict rules about how they handle personal data.
What happened
Rajec’s City Council was found to have improperly processed personal data through its CCTV system.
Who was affected
Residents and visitors in the monitored areas of Rajec were affected by the council's actions.
What the authority found
The court upheld that the council failed to provide necessary information about the legal basis for CCTV use and kept footage longer than allowed.
Why this matters
This ruling reinforces the importance of transparency and proper data handling practices for all organizations, including government bodies.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The DPA carried out an ex officio inspection of the Rajec’s City Council, the controller, concerning its processing of personal data through a CCTV system. On 27 August 2019, the DPA issued a first-instance decision imposing a €10,000 fine and corrective measures. Following an appeal by the controller, the DPA issued a second-instance decision on 29 November 2019. It partially amended the first-instance decision and reduced the fine to €9,000. The DPA found that the controller had violated the principle of transparency under Article 5(1)(a) GDPR by failing to specify the legal basis for CCTV processing in its records of processing activities and by failing to provide information to data subjects before they entered the monitored area. The DPA also found a violation of the storage limitation principle under Article 5(1)(e) GDPR. According to the DPA, the controller retained CCTV footage for longer than necessary. Although the controller had set a seven-day retention period, the inspection found one recording that had been retained for around 20 days. The controller challenged the DPA’s decision before the administrative court. It argued, among other things, that its records of processing activities referred to relevant national laws and that the GDPR did not require a precise citation of Article 6 GDPR in such records. It also argued that, at the time of the inspection, there were no binding rules on how CCTV information notices had to be provided, and that the single over-retained recording was a one-off human error without consequences for data subjects. During the court proceedings, the Administrative Court of Bratislava examined whether the operative part of the DPA’s decision met the requirements applicable to administrative penalties. The court focused on whether the alleged infringements were described with sufficient precision in terms of the act, time, place and manner of commission. The court annulled the DPA’s decision and remanded the case. The court he
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Úrad na ochranu osobných údajov Slovenskej republiky (ÚOOÚ) in SK
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Úrad na ochranu osobných údajov Slovenskej republiky (ÚOOÚ) - Slovakia (2026). Retrieved from cookiefines.eu
Last updated: