Court case Us I-2208/2024-6 – Court Ruling (Croatia, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A controller brought an action before the Administrative Court of Zagreb seeking annulment of a decision made by the Agencija za zaštitu osobnih podataka (Croatian DPA) where they were fined €2,500. The contested decision had found that controller had infringed Article 13 GDPR by using CCTV in and outside of their premises, a kebab shop, with signage only being visible upon entering the store. It was also found that an outdoor terrace had no signage at all. The controller argued that the fine amount was excessive and requests annulment of the decision and its adoption without the fine. The controller further agued that in relation to the outdoor terrace, this area is only accessible through the shopping centre where there are existing signs highlighting that CCTV is in operation. The controller contended that a warning under Article 58(2)(1) GDPR in lieu of a fine would have been more appropriate in the circumstance. The DPA argued that the decision was taking lawfully and based on a correct application of the law. The DPA noted that the small notices were not visible to data subjects before entering the recording perimeter and the notice published on the controller’s website was insufficient and did not include the contact details of the controller. The DPA further submitted that they were obliged to impose and administrative fine in the circumstances as a more lenient sanction in this case was not provided for under the law. The Court firstly highlighted an inconsistency in the contested decision. The DPA had at one point highlighted the existence of CCTV in the outdoor terrace, but further on in the decision, failed to include this area in the list of areas covered by CCTV. The Court further noted that although the decision found an infringement of Article 13 GDPR on the part of the controller, there were no reasons for this provided in the decision. The Court was further critical of the lack of clarity in the DPA’s decision as to the existence or the absence o
GDPR Articles Cited
A controller brought an action before the Administrative Court of Zagreb seeking annulment of a decision made by the Agencija za zaštitu osobnih podataka (Croatian DPA) where they were fined €2,500. The contested decision had found that controller had infringed Article 13 GDPR by using CCTV in and outside of their premises, a kebab shop, with signage only being visible upon entering the store. It was also found that an outdoor terrace had no signage at all. The controller argued that the fine amount was excessive and requests annulment of the decision and its adoption without the fine. The controller further agued that in relation to the outdoor terrace, this area is only accessible through the shopping centre where there are existing signs highlighting that CCTV is in operation. The controller contended that a warning under Article 58(2)(1) GDPR in lieu of a fine would have been more appropriate in the circumstance. The DPA argued that the decision was taking lawfully and based on a correct application of the law. The DPA noted that the small notices were not visible to data subjects before entering the recording perimeter and the notice published on the controller’s website was insufficient and did not include the contact details of the controller. The DPA further submitted that they were obliged to impose and administrative fine in the circumstances as a more lenient sanction in this case was not provided for under the law. The Court firstly highlighted an inconsistency in the contested decision. The DPA had at one point highlighted the existence of CCTV in the outdoor terrace, but further on in the decision, failed to include this area in the list of areas covered by CCTV. The Court further noted that although the decision found an infringement of Article 13 GDPR on the part of the controller, there were no reasons for this provided in the decision. The Court was further critical of the lack of clarity in the DPA’s decision as to the existence or the absence o
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case Us I-2208/2024-6 in HR
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case Us I-2208/2024-6 - Croatia (2025). Retrieved from cookiefines.eu
Last updated: