GDPR Enforcement in Slovakia
Deep dive into relevant data protection enforcement cases and insights from Slovakia
Fining practice
Trend: Have the national data protection authorities in Slovakia focused on certain types of non-compliance... Do you see a focus on certain industries/sectors? If so, which ones?
The Slovak data protection authority (“Úrad na ochranu osobných údajov Slovenskej republiky”, the “UOOU”) announced its control plan for 2026. The plan’s first part focuses on data processing in Schengen and European information systems and agencies. The plan’s second part focuses on the risks associated with specific processing activities or the use of new technologies and procedures; namely, the UOOU will investigate processing of personal data by gambling operators, processing of personal data in the conclusion and/or performance of distance contracts, processing of biometric personal data within the framework of employment relationships, collection and further processing of personal data for statistical purposes and processing of personal data in cases where the controller has engaged a processor in the processing.
The UOOU’s 2025 enforcement focus was overwhelmingly on public sector publication of birth identification numbers (in Slovak “rodné číslo”, being the national identification number) in contracts published in the Central Register of Contracts; the most frequently sanctioned entities were municipalities, cities and self-governing regions.
Overall, what was the most significant fine in Slovakia to date (recipient, amount, violation, sector, short summary)? Has it been challenged in court?
The highest fine imposed by the UOOU to date amounts to EUR 50,000 and has been issued against the Social Insurance Company (Sociálna poisťovňa) for the violation of Article 32 GDPR (security of processing). The UOOU found that the Social Insurance Company failed to ensure adequate protection of personal data during the delivery of postal consignments.
Information about a possible challenge of this decision before the court has not been identified.
Organisation of authorities and course of fine proceedings in Slovakia
How is the data protection authority organised in Slovakia? Budget, staff, assignment to a ministry?
The UOOU is a state administration body with nationwide jurisdiction established by law. In exercising its powers, it acts independently of any ministry. Its budget for 2025 was around EUR 3.6 million. The UOOU has approx. 60 employees and is based in Bratislava. The authority is headed by a president and represents Slovakia in the European Data Protection Board and EU level enforcement cooperation.
How does a fine procedure work in Slovakia? Can the authority impose fines itself? Procedural steps? Legal remedies?
The UOOU imposes fines by decisions issued within administrative proceedings. Participants in the proceedings are notified upon their initiation. Decisions of the UOOU are not published and are only delivered to the participants. The president of the UOOU decides on appeals. Final decisions on fines are reviewable by the administrative court.
When fines are imposed: Where does the money go? (state treasury / authority budget / other)
The revenue generated from fines is allocated to the state budget.
Is there an official calculation methodology for fines in Slovakia?
No, the UOOU imposes fines depending on the circumstances of each individual case, taking into account various factors, such as the category of the respective personal data, the gravity of the breach, the number of data subjects affected, previous breaches, etc.
Can public authorities be fined in Slovakia? If yes: Where does this money go?
The law does not differentiate between private and public controllers, meaning that public authorities can also be fined. The revenue generated from the respective fines is allocated to the state budget.
Does the authority publish information on individual fine cases (website/annual report)? Are companies identifiable?
The UOOU only publishes a fraction of all cases in its annual report, where they are described in general terms, private companies are not identifiable and the fine amounts are not disclosed. Nonetheless, it is possible to obtain copies of individual decisions on the basis of the Act No. 211/2000 Coll. on Free Access to Information.
If no individual publication: aggregated figures? Provide annual figures from 2019 onwards (if available).
| Year | No. of fines | Total amount of final fides (EUR) | Average fine abount (EUR) | Total collected in fines (EUR) |
| 2024 | 48 | 89,600 | 1,867 | 88,900 |
| 2023 | 46 | 94,200 | 2,048 | 122,665.66 |
| 2022 | 52 | 60,600 | 1,166 | 106,448.70 |
| 2021 | 53 | 110,900 | 2,092 | 89,289.10 |
| 2020 | 54 | 103,300 | 1,913 | 126,432 |
The above figures are from the UOOU’s annual reports on personal data protection. The annual report for 2025 has not yet been published, but according to information available from other sources, in 2025 over 500 decisions on fines became final and non-appealable, totalling approximately EUR 470,000 (with the average fine being considerably lower than in the previous years)
Other legal consequences of non-compliance in Slovakia
Does Slovakia have model declaratory proceedings/class actions in data protection law?
At the moment, there is no option to file class actions against data controllers in Slovakia.
What is more relevant: fines from authorities or court proceedings (damages/injunctions)? Outlook for the coming 12 months?
In Slovakia, administrative fines do not prevent private claims from being made in separate proceedings. However, private litigation regarding personal data processing is not very common. Fines issued by the UOOU are much more common and relevant and, for businesses, much more noticeable. As regards the outlook for the next 12 months, no significant changes are expected in this respect.
