Slovak administrative fines due to the breach of GDPR

In conditions of Slovak republic, the sanctions for violation of Regulation 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter just “Regulation”) and of Act no. 18/2018 Coll. consist of a regular fine and a disciplinary fine.

Article of Ján Mrázik – Faculty of Law of Comenius University / dr. Miklós Péter DPO

[Dobos – Kőhidi Attorneys Assocation]

1. Introduction

The sanctions which are regulated given legal norms optional represent the fact that not everyone who has been infringed must automatically end up with the imposition of a sanction. The Office for Personal Data Protection (hereinafter just “Office”) imposes regular fines and disciplinary fines depending on the circumstances of each individual case. The Office, when deciding on the imposition of the fines and the determination of its amount shall take into account, in particular, the nature, gravity and duration of the infringement, the number of the persons concerned, the extent of the damage, if any, and the possible fault of the breach of personal protection data and the measures taken to mitigation of the damage suffered by the persons concerned. The Office also takes into account previous breaches of personal data protection, the degree of cooperation with the Office in rectifying the breach and mitigating the possible adverse consequences of the breach, the category of personal data concerned by the breach and the manner in which the Office is involved in the breach personal data protection.

 2. Regular fines

In the monitored period of 25th of May 2018 to 24th of May 2019 the Office lawfully imposed 38 Regular fines in the total amount of 132,600 euros. In the observed period, the Office collected a total of 129,638.89 euros in fines. The average Regular fine was 3 489 euros. The Office imposed the lowest Regular fine of 500 euros on the operator for failure to cooperate. The highest Regular fine was legally imposed by the Office in the amount of 40,000 euros to the controller for breaching the security of the processing of personal data. For the new period, starting 25th of May 2019 to 24th of May 2020, the full actual reports are still not available (day of processing 25th of August 2020) but from the accessible sources it is known that Office has yet imposed the biggest fine of 50,000 euros and it was imposed on the Social Insurance Agency of Slovakia. The Social Insurance Agency was fined for violating the rules of personal data protection. The Agency erred in correspondence with clients who live abroad – it used second-class postal items and one of them got lost. The social insurance company denied the violation and challenged the verdict in court. The Office finally found the complainant to be right and decided that the Social Insurance Agency seriously violated the regulation on personal data protection, also known as GDPR. This case has made an important precedence and provided important background for the Office to impose higher fines.

The second highest fine of 40,000 euros was imposed for the leakage of personal data by the telecommunications operator Slovak Telekom. The customer initiated the proceedings. The operator Slovak Telekom did not take adequate security measures in the processing of personal data of the petitioner and 22 other customers by sending the contracts with personal data to the wrong customer, and thus violated the obligation to protect the processed personal data. According to valid legislation, the telecommunications company should have distributed the printed contract documentation and delivered it to other customers as well. The personal data of the customers concerned, including their name, residence, day of birth should be protected at any time.

The third highest fine, 7,000 euros, was imposed on company FIN which resides in the northern part of Slovakia, in the city of Žilina. The reason for imposing the fine was discarding of accounting documents. The company of FIN was not allowed to do so and therefore has the Office imposed this fine. It is pretty obvious that the amounts of imposed fines do really have a rising tendency.

3. Disciplinary fines

The disciplinary fines serve to ensure a dignified and undisturbed course of supervisory activity of the Office. The Office may impose a disciplinary fine on the operator, intermediary or to its representative if he obstructs the inspection; or if it does not ensure adequate conditions for its performance. The Office may impose a disciplinary fine also to a person who is not an operator or intermediary for not providing required cooperation of the Office in the performance of supervision. In the conclusion, the Office can impose a disciplinary fine of up to EUR 2,000 if the inspected person does not ensure adequate conditions for the performance of the inspection, and disciplinary fine of up to EUR 10,000 if the inspected person obstructs the inspection. In the reviewed period, the Office imposed four disciplinary fines in the total amount of 9,500 euros of which two in the amount of 500 euros for failure to provide cooperation and two in the amounts of 3,500 euros and 5,000 euros in connection with the obstruction of the inspection. The sanction in the amount of EUR 5,000 was imposed on the GINN Trade Union for obstruction of the inspection.

Questions regarding GDPR / data protectionContact us!

office@doboskohidi.eu

Phone / Whatsapp: +36303088151