Key Points

  • The state of personal data protection enforcement has changed significantly since the adoption of the GDPR and impacted the decision-making practice of all national authorities.

  • This article provides a comprehensive examination of the decision-making practice of one such national authority—the Office for Personal Data Protection of the Slovak Republic.

  • The analysis in this article is based on an examination of 180 decisions adopted by the Slovak DPA since the GDPR became applicable, evaluating its enforcement practices with the objective of identifying fine imposition practices and distinguishing categories of decisions with common characteristics.

Introduction

Personal data protection enforcement in the European Union (EU) has evolved significantly since the adoption of Directive 95/46/EC.1 Despite the Directive’s objective to harmonize data protection regulation in the EU, its implementation resulted in differing enforcement practices across the Member States. The Directive called for the adoption of suitable measures to ensure its full implementation but did not specify the framework to be followed in practice. This led to the adoption of different sanction mechanisms throughout the EU. Studies by institutions such as the European Union Agency for Fundamental Rights,2 as well as academic writing,3 summarized the state of personal data protection in the EU during the Directive’s application and identified its deficits. Papers analysing the individual sanctions applicable under this Directive4 highlighted its toothlessness,5 elucidated deficits regarding the imposition of administrative fines by national authorities,6 and discussed possible solutions, considering the potential of competition law to influence the sanctioning of data protection infringements in future legislation.7

The rising importance of personal data protection and the inadequate legal framework resulted in the adoption of the General Data Protection Regulation (GDPR).8 The GDPR approached the subject of its enforcement differently, by defining the penalties that national authorities may impose in cases of infringement together with the specific conditions to be assessed during enforcement. Further clarification of the enforcement process was provided by the Article 29 Data Protection Working Party in its Guidelines on the application and setting of administrative fines,9 which defined the principles to be followed by national authorities when imposing administrative fines for GDPR infringements and specified the criteria to be considered in this regard. These guidelines, however, did not provide detailed instructions (for example, on the calculation of fines),10 so that national authorities could determine effective, proportionate, and dissuasive corrective measures on the basis of an individual assessment of each case of infringement.

Following the adoption of GDPR, numerous authors analysed its enforcement in practice. These studies evaluated the publicly available decisions of national authorities, published either by the authorities themselves or, more often, by private companies. They analysed the penalties adopted in different time periods, including the early application of GDPR.11 As the new legislation continued to be applied, subsequent studies drew on larger datasets of the enforcement practices employed by the national authorities.12 The aforementioned studies focused, in general, on the amount of fine imposed, the identification of the infringed GDPR provisions, and the number of fines issued per country. Other authors focused on the possibility of predicting the amount of fines imposed by the competent national authorities.13

Lintvedt recently considered whether the fines issued by national authorities achieved the desired deterrent effect of compliance with GDPR in practice and highlighted the lack of transparency in the practices of national authorities with regard to the calculation of fines.14 It must be noted that GDPR does not presume the need for harmonization of fines across the Member States (with the exception of cross-border cases). Considering further that the majority of the studies mentioned above had to rely on a publicly available database of penalties operated by a private party rather than on official registers of the competent authorities, the non-transparency of the enforcement mechanisms employed, including the calculation of the fines issued, is evident.15 This is further evidenced by the continuing efforts of researchers to assemble a repository of GDPR-related documents (judgments, opinions, reports, guidance, etc) and make it available for further research.16

According to Article 51(2) GDPR, DPAs shall contribute to the consistent application of GDPR throughout the EU. The provision in question represents a strong requirement for consistent decision-making in the EU data protection area.17 Furthermore, transparency of DPA decisions is crucial for public control of the consistency mechanism foreseen by Article 63 GDPR. All the named mechanisms and provisions, either directly or indirectly, require consistent application of GDPR in the EU.

The issue of non-transparency can also be identified with regard to the practice of the Slovak data protection authority—the Office for Personal Data Protection of the Slovak Republic (DPA). The Slovak DPA is a state administration body with nationwide competence to supervise the protection of personal data and protect the corresponding fundamental rights of natural persons. The DPA is structured into different departments (department of inspection, of administrative proceedings, of legal services, of information security and certification, and of internal administration) and includes a data protection officer. It is led by a president and a vice-president. The Slovak DPA is a budgetary organization with an annual budget not exceeding €2 million since GDPR adoption. The staffing of this DPA ranges from 40 to 50 employees (according to the latest annual report published by the DPA, it employed 44 employees in 2022). In comparison with other Member States with a population similar to Slovakia’s, Denmark’s national DPA employed 80 employees and worked with an annual budget of €7.2 million in 2022,18 and Ireland’s DPA employed 196 employees with a budget of €23.2 million in the same year.19 On the positive side, the national DPA publishes annual reports that provide, as regards sanctioning, the following information: the number of fines issued in a calendar year, the total amount of fines imposed, the average amount of fine, the lowest and highest fine issued with a short description of the corresponding infringement, and a short summary of selected cases from the DPA case law.20 Notwithstanding the foregoing, no other official guidelines on the DPA enforcement practices, for example, on the method for fine calculation, are publicly available, even after 5 years of GDPR application.
The DPA similarly does not publish its decisions issued in proceedings on GDPR infringements, which is contrary to the practices of other national authorities.21 The private databases available are also of little help in this regard—the already mentioned GDPR Enforcement Tracker includes only nine recorded fines adopted by the Slovak DPA (referencing annual reports and press articles).

These considerations motivated the authors to provide an in-depth analysis of the state of GDPR enforcement in Slovakia. The conclusions presented in this article widen the scope of the current research, which focuses on the analysis of sanctions imposed under GDPR, the identification of the infringements that led to their issuance, or the analysis of the infringement of different GDPR obligations.22 In this regard, the authors provide a comprehensive examination of the DPA’s decision-making practice with the objective of answering the following research question:

What is the state of the administrative enforcement of personal data protection regulation in Slovakia and can it be considered effective?

To answer this research question, the authors stipulate the following research sub-questions:

RQ1: What types of infringements are sanctioned most often in Slovakia?

RQ2: What is the DPA’s practice as regards determining aggravating and mitigating circumstances applicable in a given case?

RQ3: Does the fulfilment of the controller’s obligation to notify data breaches impact the DPA’s decision?

RQ4: Can specific groups of DPA decisions be distinguished, and anomalies identified?

RQ5: Can any practices of the DPA regarding the fine imposition be determined?

This article is organized into five sections. The ‘Methodology’ section provides the methodology overview. The ‘Nature of the DPA’s proceedings and types of infringements’ section discusses the nature of the analysed proceedings and the types of infringements sanctioned in Slovakia. The ‘Aggravating and mitigating circumstances’ section considers the use of aggravating and mitigating circumstances in the DPA’s practice. The ‘Data breach notification’ section analyses the controller’s obligation to notify data breaches and its evaluation in the DPA’s decision making. The ‘Imposition of sanctions’ section examines the DPA’s fine imposition practices. The ‘Groups of decisions and detected anomalies’ section distinguishes different groups of decisions and identifies anomalies taking into account the broader scope of enforcement.

Methodology

From a methodological point of view, this article employs a systematic content analysis (SCA). SCA can be defined as a methodical, replicable technique for compressing many words of text into fewer content categories based on explicit coding rules.23 The advantage of this approach is that it can produce both qualitative and quantitative results.24 According to Salehijam,25 the following stages of SCA in legal research can be distinguished:

  1. determination of a suitable research question or hypothesis;

  2. collection of data for analysis;

  3. coding of the data;

  4. drawing conclusions and observations; and

  5. discussion of findings in a manner understandable to the legal community.

The research questions relevant to our research are presented in the previous section. Below we provide more detailed notes on the individual stages of SCA as applied in this article.

Collection of data and dataset

In the EU, no official database documenting the individual decisions of national authorities sanctioning GDPR infringements has been established. The analysis provided in this article is, therefore, based on a dataset of decisions obtained directly from the Office for Personal Data Protection of the Slovak Republic based on a freedom of information request in accordance with the Slovak Act No 211/2000 Coll. on free access to information (‘Freedom of Information Act’). The DPA provided the decisions examined in this article to the authors on 22 December 2022.

The authors have analysed 180 decisions adopted by the DPA in the period from November 2018 to October 2022. Given the length of this period (almost 4 years), the authors believe the analysis can demonstrably reflect the enforcement practices employed by the DPA after the GDPR application in Slovakia. Twenty-one decisions sanctioning the controller with a procedural fine for its non-cooperation with the DPA were excluded from the further analysis, as they did not include any analysis of personal data infringements but focused solely on the proceedings preceding the adoption of a decision on the merits of the case.

Data coding

The objective of the data coding stage is to represent each decision as a set of codes capturing its individual attributes. In this article, we use three types of attributes, namely numerical (eg, amount of fine), categorical (eg, type of controller), and binary (eg, type of violation). Binary attributes represent the occurrence or the absence of a specific attribute. The analysis resulted in the selection and collection of a set of attributes classified into the following categories:

  1. decision identification—attributes: decision number, adoption date, identification of the controller and/or processor, nature of the controller, nature of the proceeding;

  2. the initiative for the proceedings beginning—attributes: the initiative of the DPA, controller’s infringement notice, motion of a third party, nature of the third party (if identified);

  3. type of infringement—attributes: the provisions of GDPR and/or the applicable Slovak legislation infringed,26 factual description of the infringement, categorization of the infringement into selected categories;

  4. the aggravating and mitigating circumstances employed; and

  5. the sanction imposed, including the amount of fine issued.

Methods for drawing conclusions and observations

The conclusions and observations presented in this article are primarily based on a statistical correlation between two binary parameters. For this purpose, we used Pearson’s correlation.27 The range of this coefficient is from −1 to 1, where:

  1. 0.2 to −0.2 indicates no or negligible relationship;

  2. 0.2 to 0.4 or −0.2 to −0.4 indicates a weak to moderate relationship;

  3. 0.4 to 0.7 or −0.4 to −0.7 indicates a strong relationship; and

  4. 0.7 to 1 or −0.7 to −1 indicates a very strong relationship.

Not all obtained correlations are statistically significant. To determine which of the acquired correlations between attributes are statistically significant, we performed a chi-square test of independence for the variables in a contingency table.28 The null hypothesis assumed independence between the variables. We rejected the null hypothesis if the calculated p-value was less than 0.05, indicating a statistically significant correlation between the attributes. Conversely, if the p-value was higher, we did not reject the null hypothesis, concluding that there is no statistically significant correlation between the attributes. We used statistical correlation in the ‘Nature of the DPA’s proceedings and types of infringements’, ‘Aggravating and mitigating circumstances’, and ‘Data breach notification’ sections of this article.
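As an added illustration of the procedure described above (example code, not the article's own tooling or dataset), the following Python computes Pearson's correlation between two binary attributes (the phi coefficient), runs the chi-square test of independence at the 0.05 level and labels the significant pairs with the relationship bands listed above. The 20 decisions and their attribute values are constructed for the example; only the attribute names follow the labels used in Figure 1.

```python
"""Pearson (phi) correlation and chi-square independence test between binary
infringement attributes coded from DPA decisions (added example)."""
import math
from itertools import combinations

# Constructed sample, not the article's dataset: 20 decisions, one character per
# decision, '1' = the infringement category was found in that decision.
SAMPLE = {
    "lawfulness":                "11111111110000000000",
    "transparency":              "10101010101010101010",
    "data_minimization":         "11111111000000000000",
    "storage_limitation":        "11111100110000000000",
    "integrity_confidentiality": "00000000000111110000",
}

def contingency(a, b):
    """Return the 2x2 table (n11, n10, n01, n00) for two equally long 0/1 strings."""
    if len(a) != len(b):
        raise ValueError("attribute vectors must cover the same decisions")
    n11 = n10 = n01 = n00 = 0
    for x, y in zip(a, b):
        if x == "1" and y == "1":
            n11 += 1
        elif x == "1":
            n10 += 1
        elif y == "1":
            n01 += 1
        else:
            n00 += 1
    return n11, n10, n01, n00

def phi(a, b):
    """Pearson correlation of two binary attributes (phi coefficient).
    Returns None when either attribute is constant, since r is undefined then."""
    n11, n10, n01, n00 = contingency(a, b)
    denom = (n11 + n10) * (n01 + n00) * (n11 + n01) * (n10 + n00)
    if denom == 0:
        return None
    return (n11 * n00 - n10 * n01) / math.sqrt(denom)

def chi_square_p(a, b):
    """Chi-square test of independence on the 2x2 table (1 degree of freedom,
    no continuity correction). Returns (statistic, p_value), or (None, None)
    when an expected cell count is zero."""
    n11, n10, n01, n00 = contingency(a, b)
    n = n11 + n10 + n01 + n00
    rows = (n11 + n10, n01 + n00)
    cols = (n11 + n01, n10 + n00)
    observed = ((n11, n10), (n01, n00))
    stat = 0.0
    for i in range(2):
        for j in range(2):
            expected = rows[i] * cols[j] / n
            if expected == 0:
                return None, None
            stat += (observed[i][j] - expected) ** 2 / expected
    # Survival function of the chi-square distribution with 1 df:
    # P(X > stat) = erfc(sqrt(stat / 2)).
    return stat, math.erfc(math.sqrt(stat / 2))

def strength(r):
    """Label |r| with the relationship bands used in the Methodology section."""
    m = abs(r)
    if m < 0.2:
        return "negligible"
    if m < 0.4:
        return "weak to moderate"
    if m < 0.7:
        return "strong"
    return "very strong"

def significant_correlations(data, alpha=0.05):
    """Attribute pairs whose chi-square p-value is below alpha, sorted by |r| descending."""
    results = []
    for a, b in combinations(sorted(data), 2):
        r = phi(data[a], data[b])
        stat, p = chi_square_p(data[a], data[b])
        if r is None or p is None or p >= alpha:
            continue  # null hypothesis of independence is not rejected
        results.append({"pair": (a, b), "r": round(r, 3), "chi2": round(stat, 3),
                        "p": round(p, 4), "strength": strength(r)})
    return sorted(results, key=lambda d: -abs(d["r"]))

if __name__ == "__main__":
    for row in significant_correlations(SAMPLE):
        print(f"{row['pair'][0]} - {row['pair'][1]}: r={row['r']:+.3f} "
              f"({row['strength']}), chi2={row['chi2']}, p={row['p']}")
```

For a 2x2 table the statistic equals n times the squared phi coefficient, so a pair's significance at a fixed sample size is determined by |r| alone.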

A partial research objective was to analyse the DPA’s decision-making practice. For this purpose, we used clustering methods to separate individual objects of interest into groups without prior knowledge of group membership (unsupervised learning). We focused on clustering using categorical/binary attributes in the research framework. There are several methods for clustering categorical-featured datasets, but the most direct counterpart to numeric clustering is K-modes.29 The K-modes method defines clusters based on the number of matching categories between data points (in our case representing decisions of the Slovak DPA).30

One of the input parameters for the clustering method is the number of clusters into which the clustering method should divide the input data. We used the Elbow method,31 and the Silhouette coefficient (score) to determine the appropriate number of clusters.32

Prior identification of anomalies enables more accurate clustering. In this regard, we searched for the decisions that deviated most from the imaginary average across all investigated attributes (outliers). Concurrently, the search for these outliers allowed us to find the decisions that differ the most from the established decision-making practice of the DPA. For this research, we selected nine methods for detecting outliers. These are unsupervised methods whose computational complexity is at most quadratic. Within the article, we used several models for outlier detection with several parameters (eg, a contamination value of 0.05): LOF,33 ECOD,34 ROD,35 Isolation forest,36 Loda,37 INNE,38 COPOD,39 PCA,40 and One-Class Support Vector Machines.41

We ran 82 different models and examined how many models identified the decision as an outlier. We then ranked these decisions and selected the most-often identified outliers. These outliers were subsequently excluded from clustering. Clustering and outlier detection were employed in the ‘Groups of decisions and detected anomalies’ section of this article.

Nature of the DPA’s proceedings and types of infringements

The objective of the DPA’s proceedings on personal data protection that resulted in the issuance of the decisions analysed in this article was to determine whether the personal data protection rights of natural persons were infringed or to ascertain the infringement of the applicable personal data protection legislation. Where an infringement was detected, the proceedings continued with the adoption of corrective measures or a fine, if these were deemed reasonable and effective.

The proceedings on personal data protection were initiated either by the motion of the concerned person or by the DPA itself. Our analysis has shown that the majority of the proceedings were based on the motion of the concerned person (89 cases). The remaining proceedings (70 cases) were initiated directly by the DPA. The reasons for the DPA’s initiative included notification of the incident by the controller (in 12 cases), third-party motion or results of the control previously executed by the DPA.

The subjects against which these proceedings were directed were different natural or legal persons. As regards legal persons, these included different categories of both state and private subjects, specifically private companies (92), regional self-governing units (small municipalities, cities, or higher territorial self-governing units) (36), state organizations (11), schools (6), non-governmental organizations (3), and other subjects. In only four cases was the controller a natural person.

To determine the types of infringements sanctioned by the DPA, the authors identified the provisions of the applicable legislation that were infringed and considered the factual description of the infringement in the individual decisions, with the objective of determining the different categories of infringements sanctioned in Slovakia. It must be noted that the infringements identified in Table 1 are limited to the violations specified in the analysed decisions and do not cover all possible violations of personal data protection legislation (eg, the infringement of all processing principles with the exception of the accuracy principle has been detected). The individual categories of infringements (provided with decreasing incidence) are defined in Table 1.

Table 1 The types of infringements sanctioned by the DPA.

Infringement of | Corresponding provision | Number of decisions
The lawfulness principle | Article 5(1)(a) GDPR | 65
The transparency principle | Article 5(1)(a) GDPR | 56
The integrity and confidentiality principle | Article 5(1)(f) GDPR | 31
The data subject’s right to receive a response to its request within 1 month from its delivery | Article 12(3) GDPR | 31
The data minimization principle | Article 5(1)(c) GDPR | 19
The accountability principle | Article 5(2) GDPR | 19
The storage limitation principle | Article 5(1)(e) GDPR | 14
The data subject rights | Articles 12–23 GDPR | 9
The prohibition of the national identification number publication | Article 78(4) of the Act No 18/2018 Coll. | 9
The controller’s obligations regarding record keeping | Article 30 GDPR | 8
The purpose limitation principle | Article 5(1)(b) GDPR | 7
The controller’s obligations regarding the data protection officer | Articles 37–39 GDPR | 6
The obligations of the processor | Article 28 GDPR | 2
The fairness principle | Article 5(1)(a) GDPR | 2
The controller’s obligations regarding the data protection impact assessment | Article 35 GDPR | 1
The controller’s obligation to adopt appropriate technical and organizational measures | Article 24(1) in combination with Article 32(1) and (2) GDPR | 1
The controller’s obligation to notify the supervisory authority about the personal data breach | Article 33 GDPR | 1
The controller’s obligation to provide instructions for processing | Article 29 GDPR | 1

The decisions that formed the basis for our analysis included a range of 1–7 infringements per decision (with 1 being the median). In many of the analysed decisions (72), a combination of multiple infringements was detected and sanctioned by the DPA. To illustrate, the most infringements (7) were identified in a decision sanctioning the deficiencies of a camera monitoring system; these included, for example, the infringement of the lawfulness principle (the controller did not prove that its legitimate interest, relied on as the legal basis, overrode the interests of the data subjects), the data minimization principle (the scope of personal data processed was not adequate in relation to the purposes for which they were processed), the storage limitation principle (personal data were processed for longer than necessary), the transparency principle (failure to provide the required information to data subjects), etc.

It is interesting to note which infringement combinations occurred most often in the analysed dataset. The most common combination of infringements is the infringement of the lawfulness principle and the transparency principle (detected in 24 decisions). In these cases, the absence of a legal basis for personal data processing was combined with the failure to provide the required information about it. Further common combinations include the infringement of the transparency principle and the data minimization principle (in 15 decisions), the infringement of the transparency principle and the accountability principle (in 15 decisions), the infringement of the transparency principle and the storage limitation principle (in 12 decisions), the lawfulness principle and the accountability principle (in 10 decisions), the data minimization principle and the storage limitation principle (in 10 decisions), or the infringement of the transparency principle together with the data minimization and storage limitation principles (10 decisions).

In Figure 1, selected correlations between different infringements can be observed. Pearson’s correlation method was used for the analysis, following the procedure outlined in the Methodology section. Based on the chi-squared test, we identified 14 significant correlations, which were sorted according to the relationships and are represented below (the Pearson’s coefficient is given in parentheses).

Figure 1. Correlations between individual categories of infringements.

Strong relationship:

  • [data_minimization]—[storage_limitation] (0.570).

Moderate relationship:

  • [lawfulness]—[integrity_confidentiality] (−0.312);

  • [lawfulness]—[right_to_response] (−0.28);

  • [lawfulness]—[national_ID_publication] (−0.204);

  • [transparency]—[data_minimization] (0.337);

  • [transparency]—[storage_limitation] (0.328);

  • [transparency]—[accountability] (0.337);

  • [transparency]—[record_keeping] (0.312);

  • [purpose_limitation]—[DPO_obligations] (0.279);

  • [data_minimization]—[storage_limitation] (0.57);

  • [data_minimization]—[record_keeping] (0.27);

  • [storage_limitation]—[record_keeping] (0.233);

  • [integrity_confidentiality]—[right_to_response] (−0.202); and

  • [accountability]—[record_keeping] (0.27).

A strong correlation (0.570) was identified between the infringement of the data minimization principle and the infringement of the storage limitation principle. This indicates a close connection between the scope of personal data processing and the duration of this processing—both limited to what is necessary in relation to the purposes for which personal data are processed. In practice, this means that if personal data were processed beyond the necessary scope, they were also likely to be processed for longer than necessary. This combination of infringements was identified in our dataset most often in relation to the use of video surveillance systems that often monitored areas beyond what was necessary for the purpose of ensuring the controller’s security (eg, public roads or private properties of third parties) and stored data for longer than necessary.42

An interesting inverse correlation was also identified between the infringement of the lawfulness principle and the infringement of the integrity and confidentiality principle (−0.312). This finding could imply that these types of infringement are mutually exclusive in our dataset.

As regards our first research question, we can conclude that the GDPR infringements identified covered a broad range of GDPR provisions, the majority of which involved the infringement of personal data processing principles (Article 5 GDPR). Moreover, in almost half of the analysed decisions (72), a combination of multiple infringements was detected, and the most common infringement combinations were identified. A few interesting correlations between individual infringements highlighted the nature of the infringements sanctioned by the DPA.

Aggravating and mitigating circumstances

The applicable legislation conditions the imposition of fines for personal data protection infringement on the consideration of different circumstances of a particular case. GDPR foresees several factors to be taken into account, for example, the nature, gravity, and duration of the infringement, actions taken to mitigate the damage suffered, categories of personal data affected, intention or negligence, etc.43 The individual aspects of the case are evaluated by the DPA and can be considered as aggravating or mitigating circumstances to determine, for example, the amount of fine imposed.

To ascertain whether a specific practice of the DPA regarding the application of aggravating and mitigating circumstances can be identified, the authors examined their application in the decisions analysed. Our conclusions are based on the circumstances expressly defined by the DPA as aggravating or mitigating circumstances in the individual decisions.

Aggravating circumstances identified in the analysed decisions (provided with decreasing incidence) included:

  1. the nature and the gravity of infringement determined by the higher upper limit of administrative fine that may be imposed (Article 83(4) GDPR)—identified in the majority of decisions (151) [Breach_nature_and_severity],

  2. the manner in which the infringement became known to the DPA, where the following situations applied: concerned party motion, third-party motion, control results and/or media—in 86 decisions [Infringement_notification_aggravating],

  3. number of concerned persons (ranging from 5 to more than 600,000) or their specific nature (children, employees, jobseekers, disability pension applicants, etc)—in 64 decisions [Nature_or_number_of_affected_persons],

  4. duration of infringement, meaning in practice anything between a time period longer than 1 month (in case of unlawful publication of national identification number) to a time period exceeding 3 years—in 49 decisions [Infringement_duration],

  5. nature of personal data that included not only special categories of personal data (in our dataset specifically data concerning health, biometric data, political opinions, and religious beliefs), but also other personal data (data revealing the economic identity of the subject, data on the data subject movement or copies of national identification documentation)—in 28 decisions [Special_categories_of_personal_data_affected],

  6. existence of a previous GDPR infringement by the controller—in 20 decisions [Previous_GDPR_infringement],

  7. the controller’s obligation was not fulfilled (eg, in one case, the controller refused to fulfil measures imposed by the DPA, specifically declined to adjust the retention period, and denied the application of the transparency obligations) or it was fulfilled at a later date (after a DPA request for cooperation or after the concerned party’s notice)—in 17 decisions [Obligations_not_fulfilled_or_fulfilled_later],

  8. non-adoption of appropriate technical and organizational measures by the controller (Article 24 (1) GDPR)—in 2 decisions [Non-adoption_of_appropriate_measures],

  9. special nature of the controller (identified in only two cases, first where the controller processed personal data as a public authority and used it beyond the scope of its competence, and secondly in the case of the Slovak Bar Association that, according to the DPA, should as a professional association act in accordance with GDPR)—in two decisions [Controller_special_nature],

  10. the (possible) severely negative impact of the infringement on the data subject (e.g. employment termination)—in 2 decisions [Severely_negative_impact_of_infringement],

  11. the possibility of acquiring a financial profit from the infringement—in only 1 decision [Possible_financial_gain].

Mitigating circumstances identified (provided with decreasing incidence) included:

  1. negligent or non-intentional character of the infringement (justified in many instances by human failure)—identified in 113 decisions [Negligent_infringement],

  2. no proprietary or other harm caused to the concerned party and no other harmful consequences that would directly affect the concerned party or endanger its private or family life—identified in 108 decisions [Absence_of_high_negative_impact],

  3. no financial profit from the infringement acquired—in 104 decisions [Absence_of_financial_gain],

  4. infringement of ordinary personal data—in 95 decisions [Ordinary_personal_data],

  5. absence of a previous GDPR infringement by the controller—in 93 decisions [No_previous_GDPR_infringements],

  6. small number of affected persons (usually 1–3 persons, however, in one case the infringement of rights of 12 persons was also classified as this mitigating factor)—in 71 decisions [Lower_number_of_affected_persons],

  7. the controller’s initiative in consequent remedy of infringement—in 50 decisions [Initiative_in_later_remedy],

  8. one time or non-repeated infringement—in 50 decisions [Individual_or_not-repeated_infringement],

  9. cooperation of the controller with the DPA—in 32 decisions [Cooperation_with_national_authority],

  10. the negative impact of the COVID-19 pandemic on the controller—in 27 decisions [Controller_impacted_by_COVID-19],

  11. short duration of the infringement—in 21 decisions [Infringement_short_duration],

  12. the manner in which the infringement became known to the DPA, specifically on the basis of the controller’s notification—in 11 decisions [Infringement_notification_mitigating],

  13. the nature of the controller—applicable as regards natural persons not processing personal data within their professional capacity and legal persons providing public services (schools, museums, church organizations) – in 8 decisions [Controller_nature],

  14. the adoption of security measures aimed at preventing harmful consequences of data breach incident or its recurrence by the controller—in 7 decisions [Adoption_of_necessary_security_measures].

In this regard, it is interesting to consider the number of aggravating and mitigating circumstances applied by the DPA in individual decisions. The number of aggravating circumstances ranges from 0 to 6, with the DPA applying 2.6 aggravating circumstances per case on average. The DPA is more active when determining the applicable mitigating circumstances: these range, in practice, from 0 to 10, with an average of 4.9 per case. This numerical representation confirms the view the authors formed during the decision analysis, according to which the DPA actively tries to list in its decisions all of the applicable mitigating circumstances, without giving the same attention to the aggravating circumstances that may be relevant in a given case. The reason for this practice may be the DPA’s effort to justify the fines imposed, as these are usually low, if not symbolic, amounts.44

Selected correlations between the aggravating and mitigating circumstances can be observed in Figure 2 (limited to attributes in the strong relationships). The analysis employed Pearson’s correlation method, following the procedure described in the ‘Methodology’ section. Utilizing the chi-squared test, we identified 17 significant correlations, which were then categorized based on the nature of the relationships.

Figure 2. Correlations between the aggravating and mitigating circumstances.

Strong relationships:

  • [Previous_GDPR_infringement]—[No_previous_GDPR_infringements] (−0.45)

  • [Nature_or_number_of_affected_persons]—[Lower_number_of_affected_persons] (−0.686)

  • [Special_categories_of_personal_data_affected]—[Ordinary_personal_data] (−0.53)

  • [Adoption_of_necessary_security_measures]—[Infringement_notification_aggravating] (0.425)

Moderate relationships:

  • [Breach_nature_and_severity]—[Possible_financial_gain] (−0.346);

  • [Nature_or_number_of_affected_persons]—[Infringement_duration] (0.258);

  • [Nature_or_number_of_affected_persons]—[Infringement_notification_aggravating] (0.332);

  • [Infringement_notification_mitigating]—[Infringement_notification_aggravating] (−0.296);

  • [Infringement_duration]—[Obligations_not_fulfilled_or_fulfilled_later] (0.254);

  • [Infringement_duration]—[Absence_of_high_negative_impact] (0.254);

  • [Infringement_duration]—[Infringement_short_duration] (−0.26);

  • [Absence_of_high_negative_impact]—[No_previous_GDPR_infringements] (0.378);

  • [Absence_of_high_negative_impact]—[Individual_or_not-repeated_infringement] (−0.318);

  • [Absence_of_high_negative_impact]—[Infringement_short_duration] (−0.209);

  • [Ordinary_personal_data]—[Cooperation_with_national_authority] (0.252);

  • [Lower_number_of_affected_persons]—[Infringement_notification_aggravating] (−0.245);

  • [No_previous_GDPR_infringements]—[Individual_or_not-repeated_infringement] (−0.227).

Interesting to note is the correlation between the categories of [Previous_GDPR_infringement] and [No_previous_GDPR_infringements] (−0.450). At first glance, these categories should be understood as mutually exclusive (which a correlation of −1 would indicate). This is, however, not the case, as the decisions analysed included instances where previous GDPR infringements (or their absence) were not evaluated by the DPA as an aggravating (or mitigating) circumstance. As the DPA is the primary competent national authority to investigate GDPR infringements, it should be aware of any controller’s previous infringements and consider them in its decision-making process. In practice, however, not all decisions included this consideration. To illustrate, where the absence of a previous GDPR infringement was mentioned in the DPA’s decision, it was considered a mitigating circumstance in 93 decisions, but not in 46 decisions. The reason why the DPA decided to consider previous infringements or their absence in some decisions, but not in others, is not clear. We can only speculate whether the DPA omitted these considerations intentionally, for instance, if the existence of previous infringements or their absence was deemed not relevant (considering other aggravating or mitigating circumstances present), or unintentionally, where the DPA simply forgot to consider these aspects of the case.
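To make the arithmetic behind this observation concrete, the following Python block (an added example, not the authors’ code) computes the Pearson correlation of two 0/1 attribute vectors, which for binary attributes is the phi coefficient, together with the chi-squared test of independence referred to in the ‘Methodology’ section. It runs the computation first for two circumstances that are listed in every decision and never together (correlation exactly −1), and then for a constructed set of decisions in which some mention neither circumstance, which is the situation described above. The decision counts used are invented for illustration and do not reproduce the paper’s dataset or its −0.450 figure.

```python
"""Pearson (phi) correlation and chi-squared significance for binary decision
attributes. Added example, not the paper's code; the counts are constructed."""
import math


def build_decisions(both_absent, prev_only, no_prev_only):
    """Build two parallel 0/1 vectors for [Previous_GDPR_infringement] and
    [No_previous_GDPR_infringements] over constructed decisions.

    1 = the DPA expressly listed the circumstance in the decision, 0 = it did
    not. No decision carries both flags; `both_absent` decisions carry neither
    (the case the text describes). All counts are invented."""
    prev = [1] * prev_only + [0] * no_prev_only + [0] * both_absent
    no_prev = [0] * prev_only + [1] * no_prev_only + [0] * both_absent
    return prev, no_prev


def contingency(x, y):
    """2x2 table of two 0/1 vectors: (both 1, x only, y only, neither)."""
    a = sum(1 for xi, yi in zip(x, y) if xi and yi)
    b = sum(1 for xi, yi in zip(x, y) if xi and not yi)
    c = sum(1 for xi, yi in zip(x, y) if yi and not xi)
    d = len(x) - a - b - c
    return a, b, c, d


def phi_coefficient(x, y):
    """Pearson correlation of two 0/1 vectors, i.e. the phi coefficient.
    Raises ValueError when an attribute is constant (correlation undefined)."""
    a, b, c, d = contingency(x, y)
    denom = math.sqrt((a + b) * (c + d) * (a + c) * (b + d))
    if denom == 0:
        raise ValueError("constant attribute: correlation is undefined")
    return (a * d - b * c) / denom


def chi_squared_test(x, y):
    """Chi-squared test of independence on the 2x2 table.
    For a 2x2 table chi2 = n * phi^2 with one degree of freedom, and the
    p-value is the chi2(1) survival function, erfc(sqrt(chi2 / 2))."""
    chi2 = len(x) * phi_coefficient(x, y) ** 2
    p_value = math.erfc(math.sqrt(chi2 / 2))
    return chi2, p_value


def is_significant(x, y, alpha=0.05):
    """True when the two attributes are dependent at significance level alpha."""
    return chi_squared_test(x, y)[1] < alpha


if __name__ == "__main__":
    # Case 1: every constructed decision lists exactly one of the two
    # circumstances, so the attributes are exclusive and exhaustive.
    exclusive = build_decisions(both_absent=0, prev_only=20, no_prev_only=160)
    print("exclusive and exhaustive:", round(phi_coefficient(*exclusive), 3))
    # Case 2: 67 constructed decisions mention neither circumstance, so the
    # correlation is still negative but no longer -1.
    partial = build_decisions(both_absent=67, prev_only=20, no_prev_only=93)
    chi2, p = chi_squared_test(*partial)
    print("neither mentioned in some:", round(phi_coefficient(*partial), 3),
          "chi2=%.2f p=%.2e" % (chi2, p))
```

Because a 2x2 chi-squared statistic is just n times the squared phi coefficient, the two steps the paper describes (Pearson correlation, then chi-squared significance) are two views of the same quantity for binary attributes; the only extra information the test adds is the sample size.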

Another interesting finding includes a correlation between the [Adoption_of_necessary_security_measures] and [Infringement_notification_aggravating] attributes (0.425), which indicates a practice, according to which if controllers proceed to notify the personal data infringements that occurred to the DPA, they are likely to concurrently adopt further measures to rectify the infringement.

The identification of aggravating and mitigating circumstances considered by the DPA in its decisions revealed interesting developments that evolved in the DPA’s practice. Specifically, the DPA’s preference in identifying mitigating circumstances could indicate the DPA’s willingness to adopt modest fines without any significant impact on the infringing controllers. The inability of such fines to deter future infringements or to force the controllers to adopt preventive measures is further discussed in the ‘Imposition of sanctions’ section of this article.

Data breach notification

The DPA’s proceedings on personal data protection can also be initiated on the basis of the controller’s notification of a data breach. The controller is obligated to notify any personal data breach to the DPA as soon as it becomes aware of its occurrence, not later than 72 h after having become aware of it, unless the controller is able to demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.45

To analyse the notification obligation in practice, we identified the following correlations (illustrated in Figure 3) between the different ways in which proceedings begin (on the initiative of the DPA itself [Action_Office], on the motion of a third party claiming that its rights under the applicable personal data protection legislation have been directly affected [Action_Motion], or on the controller’s notification of an incident [Action_notification_incident]) and the evaluation of the notification as an aggravating [Infringement_notification_aggravating] or mitigating circumstance [Infringement_notification_mitigating]:

Figure 3. Correlations between the different types of proceedings’ beginning.

  • [Action_Office]—[Action_Motion] (−1.0), confirming the mutual exclusiveness of these two categories,

  • [Action_Office]—[Action_notification_incident] (0.274),

  • [Action_Office]—[Infringement_notification_aggravating] (0.307),

  • [Action_notification_incident]—[Action_Motion] (−0.274),

  • [Action_notification_incident]—[Infringement_notification_aggravating] (−0.31),

  • [Action_notification_incident]—[Infringement_notification_mitigating] (0.86).

A high correlation (0.86) was found between the controller’s notification of a data breach and its evaluation as a mitigating circumstance by the DPA. With the exception of two decisions (one initiated by the DPA and one by the motion of a concerned party), this was true for all of the examined cases. This corresponds to the authors’ view that data breach notification should be considered a mitigating circumstance and, considering that controllers are obligated to notify certain types of incidents, that the failure to do so should be considered an aggravating circumstance. Otherwise, controllers may evaluate the disclosure of an incident as economically disadvantageous and proceed without notifying the DPA.

Notwithstanding the evaluation of a data breach notification as a mitigating circumstance, in the majority of the analysed decisions no data breach notification was provided. In 12 decisions, where the controller notified the DPA about personal data infringement, the controller was issued a fine averaging €4100. In the remaining 147 cases, in which no notification was provided, the fine issued averaged the amount of €1670. This disproportion in the number of data breach notifications can be caused by the controller’s failure to recognize that personal data infringement took place. To illustrate, in cases of infringements consisting of non-provision of a response within the statutory period or non-provision of adequate information to data subjects (infringement of the transparency principle), the controller may not realize that a violation occurred and therefore cannot notify its existence to the DPA. This could explain why the absence of data breach notification was not considered as an aggravating circumstance in the majority of the analysed decisions.

In this regard, it is also interesting to consider the impact of the proceedings’ beginning on the sanction imposed by the DPA. In the 70 decisions adopted as a result of proceedings initiated by the DPA itself, the average amount of fine imposed was approximately €1858. In comparison, in proceedings commenced on the basis of a concerned party motion (89 decisions), the average amount of fine issued was €1855. Considering this, it is clear that the way in which personal data protection proceedings are initiated has no significant impact on the amount of fine imposed as its result.

To conclude, the fulfilment of the data breach notification obligation is, in most cases, considered by the DPA as a mitigating circumstance, leading to its possibility to reduce the amount of fines imposed on the controller. However, as the failure to notify the DPA about personal data infringement is not concurrently deemed as an aggravating circumstance in practice (which could result in the adoption of more severe sanctions), the effect of this obligation’s fulfilment in practice is only minor. Similarly, other ways in which the proceedings before the DPA may be initiated (motion of a concerned party or DPA’s initiative) have no distinguishing impact on the sanctions imposed as a result of these proceedings.

Imposition of sanctions

The DPA, as the competent authority, monitors the application of personal data protection legislation in Slovakia and is entitled to impose administrative fines in case of its infringement. The fines issued should be effective, proportionate, and dissuasive.46

In practice, the Slovak DPA decided to impose this sanction in all of the analysed decisions, often combining it with the obligation to adopt specific measures (in 87 decisions). Table 2 provides an overview of the minimum and maximum amounts of fines imposed by the DPA on different categories of controllers and the average amount of fine issued.

Table 2

Overview of minimum and maximum amount of fines imposed on different categories of controllers.

Nature of the controller          Count   Amount of fine
                                          Min      Max       Mean
Natural person                        4   €100     €400      €200
Other                                 7   €200     €1100     €628
Non-governmental organization         3   €200     €4700     €1867
Private company                      92   €100     €40,000   €1967
Public institution                   11   €200     €50,000   €5236
Regional self-governing unit         36   €300     €4000     €1025
School                                6   €200     €6000     €1433

The highest fine issued by the Slovak DPA was in the amount of €50,000. This fine was imposed on a public institution—the National Social Insurance Company. The case entailed the infringement of the obligation to implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with GDPR. Specifically, the controller sent personal data of disability pension applicants, including data concerning health, identifiers assigned for individual identification in information systems, and data revealing economic and social identity of the data subject, to holders of social insurance of EU Member States by national post in the form of a second class letter and not as a registered letter, which would ensure a higher level of personal data protection. This practice was classified by the DPA as the non-adoption of appropriate measures to ensure a level of security appropriate to the risk to data subjects’ rights considering the scope of personal data processed and the nature of its processing.

The second highest fine issued was imposed on a private company (a provider of internet and phone service) in the amount of €40,000 for the infringements relating to its systematic and extensive assessment of personal aspects of data subjects (psychodiagnostics/psychometry), based also on automated individual decision making, including profiling.

Notwithstanding these two fines, no other fine imposed by the DPA exceeded the €10,000 threshold, indicating the DPA’s restraint in issuing the higher fines available under GDPR. This is in contrast to the practices of other Member States’ national authorities (eg, Ireland, Luxembourg, Italy, or France), which have imposed substantially higher fines.47 In this regard, it is also interesting to note that the number of fines issued by the Slovak DPA since the application of GDPR is comparable to that in Germany (160) or Romania (149).48 Nonetheless, the total amount of fines imposed in these countries (more than €55 million for Germany and €803,250 for Romania) significantly surpasses the fine imposition practice of the Slovak DPA (in the time period analysed, the DPA issued fines totalling €295,200).

Differences in fine imposition practices can also be identified with regard to the different categories of controllers sanctioned by the DPA. As regards public institutions (including, eg, ministries, a state university, or the Slovak National Museum), the highest average amount of fine imposed could indicate the DPA’s stricter assessment of their personal data protection obligations. It must be noted, however, that the results are skewed by the €50,000 fine issued to the national social insurance company, without which the average amount of fine issued to public institutions would fall to €1125. Considering this, it is not surprising that the highest fines would then be those imposed on private companies, with the average being €1967.

The lowest fines imposed are, on the other hand, reserved for natural persons. As regards controllers that are not an undertaking, Recital 150 GDPR states that the DPA considers the general level of income in the Member State as well as the economic situation of the person in determining the appropriate amount of the fine. This consideration may justify the symbolic fines imposed on natural persons (ranging from €100 to 400) for different infringements concerning the use of camera monitoring systems by these controllers.

Similarly minor fines are also imposed on regional self-governing units, whose infringements are usually limited to single infractions of personal data protection legislation. These infringements often relate to the unlawful publication of personal data of their residents on their websites or in newspapers without a legal basis, thereby infringing the principle of lawfulness.

To consider further the effect of fines in practice and their ability to deter and prevent future infringements, we can look at their impact on the sanctioned controllers. To illustrate, Slovak Telekom, a. s.—a joint stock company with €143.5 million profit in 2020 and annual sales reaching more than €730 million in 2021,49 was sanctioned with a €40,000 fine (representing only 0.03 per cent of its annual sales). Similarly, the €10,000 fine issued to the Dopravný podnik Bratislava (a joint stock company with €4.6 million profit and sales reaching €30.5 million in 2020)50 or the €10,000 fine imposed on TESCO Stores, a. s. (a joint stock company with €73 million profit and sales reaching €1.4 million in 2019)51 can only have a marginal impact on these companies. Considering that GDPR enables the imposition of fines reaching €10 or 20 million (or 2 or 4 per cent of the controller’s total worldwide annual turnover of the preceding financial year), the fines imposed by the DPA cannot be deemed adequate, as the highest fines imposed reached at most 0.03 per cent of the controller’s annual turnover. Undoubtedly, when determining the amount of fines issued, the DPA must consider other factors, including the nature of the infringement and the applicable aggravating and mitigating circumstances. Nonetheless, the low amount of fines issued in Slovakia cannot ensure the deterrent effect expected in this regard, as they do not motivate controllers to adopt the security measures that would prevent future infringements. Similarly, any risk and impact analyses carried out by controllers that take account of the DPA’s practice of imposing low penalties for personal data protection infringements will not compel the controllers to invest in appropriate preventive measures.

In this regard, the costs associated with the DPA’s supervisory activity should also be considered. The budget for this organization’s activities in the examined time period was approximately €1.9 million per year. In contrast, the sanctions imposed in this period totalled €295,200. This clearly demonstrates that the amount of sanctions issued does not cover the costs associated with the functioning of the supervisory authority. Undoubtedly, the DPA performs other activities, for example, of a preventive nature (issuance of methodological guidelines, etc). Moreover, personal data protection cannot be viewed only in terms of recovering the costs incurred by the DPA when investigating possible infringements. Nonetheless, future considerations should focus on setting a minimum amount of fine covering at least the costs associated with the DPA’s proceeding on the personal data infringements considered in the individual case.

Groups of decisions and detected anomalies

Another aspect to be considered with regard to the DPA’s decision-making process is the possibility of categorizing individual decisions into specific groups. To achieve this objective, we employ clustering methods, specifically the KModes method, given that the variables are predominantly categorical. The determination of decision groups is preceded by the identification of decisions that may distort the results of clustering. In this regard, we apply nine methods for anomaly detection. Specific parameters for model learning are provided in this section; the methods applied are described in the Methodology section.

To detect anomalous decisions, we employed nine methods to train 82 different models on the DPA’s decisions. We then counted how many models flagged each decision as an anomaly. In summary, 47 decisions were identified as anomalies by at least one model. The most commonly detected anomalies included the following decisions:

  • Decision no. 00050/2019-Os-16 [detected as an anomaly most often, namely 24x (24 out of 82 models)] that concerned the national social insurance company fined for the non-adoption of appropriate technical and organizational measures that would ensure the protection of disability pension applicants’ personal data sent as mail—this was the only decision that included the attribute ‘Non-adoption_of_appropriate_technical_and_organisational_measures’, with 6 aggravating and 1 mitigating circumstances identified;52

  • Decision no. 0101/2021-Os-7 [18x] where the controller (a national museum) was sanctioned for the use of its video surveillance for other than previously declared purposes, including to control the fulfilment of work obligations of its employees—the decision contained the attribute ‘Severely_negative_impact_of_infringement’, detected in only one other decision, and included three aggravating and five mitigating circumstances that led to the imposition of a fine in the amount of €700;

  • Decision no. 00056/2019-Os-10 [14x] that regarded a small municipality sanctioned for the publishing of personal data of concerned persons on its website without legal basis and for infringements regarding DPO appointment (failure to notify the DPA and non-publication of DPO contact details)—this decision differs from the analysed decisions by its failure to specify any aggravating or mitigating circumstances, including the ‘Breach_nature_and_severity’ included in the majority of decisions, and by the presence of the ‘DPO_obligations_infringement’ provided in only six decisions;

  • Decision no. 00258/2022-Os-4 [12x] concerning the use of a video surveillance system installed on a family home monitoring not only its immediate surroundings but also the private property of the concerned party and a part of a public road—this decision only sanctioned a single infringement (data minimization principle), referred to no aggravating circumstances and five mitigating circumstances and led to the imposition of the lowest amount of fine (€100).

The above-specified methods enabled the identification of decisions deviating from the established decision-making practice of the DPA. These examples illustrate that the outliers include decisions sanctioning the largest number of personal data protection infringements, decisions without any aggravating or mitigating circumstances, and decisions defined by a specific attribute or group of attributes not represented in other decisions.

These decisions (outliers) were excluded from the further clustering analysis. Clustering was applied to all binary attributes identified, as well as to selected sets of attributes, namely attributes representing individual infringement types, aggravating circumstances, and mitigating circumstances. To evaluate the suitability of the resulting cluster arrangement, we used the Silhouette coefficient (score), taking the best coefficient obtained for up to 10 clusters. The results for individual sets of attributes are as follows:

  • all binary attributes—0.195;

  • attributes representing individual infringement types—0.519;

  • attributes representing aggravating circumstances—0.420; and

  • attributes representing mitigating circumstances—0.272.

Considering the value of the Silhouette coefficient, we decided to cluster the DPA’s decisions on the basis of attributes representing individual infringement types. For further analysis, we used 703 different combinations of binary attributes (combinations of at least 12 attributes). The minimum of 12 attributes was set for the purpose of calculating the Silhouette coefficient and for the subsequent interpretation of the results. The following combination of attributes proved to be suitable (with a Silhouette coefficient of 0.824): ‘DPO_obligations’, ‘right_to_response’, ‘national_ID_publication’, ‘data_subject_rights’, ‘DPIA’, ‘record-keeping’, ‘non-adoption_of_measures’, ‘no_notification_of_data_breach’, ‘processor_obligations’, ‘processor_instruction_defficiencies’, ‘Remedial_action_imposition’, ‘Breach_nature_and_severity’.

Clustering based on attributes representing individual infringement types

For the purposes of this clustering, we use attributes representing types of infringements (18 binary attributes—‘lawfulness’, ‘transparency’, ‘fairness’, ‘purpose_limitation’, ‘data_minimization’, ‘storage_limitation’, ‘integrity_confidentiality’, ‘accountability’, ‘DPO_obligations’, ‘right_to_response’, ‘national_ID_publication’, ‘data_subject_rights’, ‘DPIA’, ‘record_keeping’, ‘non-adoption_of_measures’, ‘no_notification_of_data_breach’, ‘processor_obligations’, ‘processor_instruction_defficiencies’). Based on the Elbow method and the Silhouette coefficient, the appropriate number of clusters was 6.

Below we provide a list of all clusters with the number of components (decisions) and their attribute or set of attributes that represent a given cluster (centroid):

  • Cluster 1 (42 decisions): ‘integrity_confidentiality’;

  • Cluster 2 (28 decisions): ‘right_to_response’;

  • Cluster 3 (15 decisions): ‘transparency’, ‘data_minimization’, ‘storage_limitation’;

  • Cluster 4 (21 decisions): ‘lawfulness’, ‘transparency’;

  • Cluster 5 (37 decisions): ‘lawfulness’; and

  • Cluster 6 (12 decisions): ‘transparency’.

As explained above, 87 decisions sanctioned only a single infringement and 72 included a combination of multiple infringements. Due to this, the centroids of four clusters contain only one attribute. Below we provide a short description of individual clusters.
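The clustering step described in this section can be reproduced in miniature with the following Python block, which is an added example and not the authors’ code. It implements k-modes with Hamming distance over a small constructed set of decisions encoded on six of the infringement-type attributes named above, computes the Silhouette coefficient with the same distance to compare candidate numbers of clusters, and reports each cluster’s size and centroid (the per-attribute mode, which is why a cluster of single-infringement decisions has a one-attribute centroid). The sample rows are invented, and the deterministic initialisation (the first k distinct rows) and tie-breaking towards 1 are choices of the example, not of the paper.

```python
"""K-modes clustering of binary infringement-type attributes with a
Hamming-distance Silhouette coefficient. Added example, not the paper's code;
the decisions below are constructed."""

# Six of the infringement-type attributes named in the paper; the rows are
# invented for illustration and do not come from the DPA's decisions.
ATTRIBUTES = ["lawfulness", "transparency", "integrity_confidentiality",
              "right_to_response", "data_minimization", "storage_limitation"]

SAMPLE_DECISIONS = (
    [{"integrity_confidentiality"}] * 5
    + [{"integrity_confidentiality", "lawfulness"}] * 2
    + [{"right_to_response"}] * 4
    + [{"lawfulness", "transparency"}] * 3
    + [{"lawfulness", "transparency", "data_minimization"}]
)


def encode(decision, attributes=ATTRIBUTES):
    """Turn a set of infringement names into a 0/1 tuple over `attributes`."""
    return tuple(int(name in decision) for name in attributes)


def hamming(x, y):
    """Number of attributes on which two encoded decisions differ."""
    return sum(a != b for a, b in zip(x, y))


def mode_vector(rows):
    """Per-attribute mode; ties (exactly half the rows) are resolved towards 1."""
    n = len(rows)
    return tuple(int(2 * sum(r[i] for r in rows) >= n) for i in range(len(rows[0])))


def kmodes(rows, k, max_iter=100):
    """Plain k-modes. Initial modes are the first k distinct rows, so the
    result is deterministic; returns (labels, modes)."""
    modes = []
    for r in rows:
        if r not in modes:
            modes.append(r)
        if len(modes) == k:
            break
    if len(modes) < k:
        raise ValueError("fewer distinct rows than requested clusters")
    labels = None
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j, r=r: hamming(r, modes[j]))
                      for r in rows]
        if new_labels == labels:
            break                      # assignments stable: converged
        labels = new_labels
        for j in range(k):
            members = [r for r, lab in zip(rows, labels) if lab == j]
            if members:                # an empty cluster keeps its old mode
                modes[j] = mode_vector(members)
    return labels, modes


def silhouette(rows, labels):
    """Mean silhouette score under Hamming distance. A decision that is alone
    in its cluster scores 0, following the usual convention."""
    clusters = sorted(set(labels))
    if len(clusters) < 2:
        return 0.0
    scores = []
    for i, r in enumerate(rows):
        own = [hamming(r, s) for j, s in enumerate(rows)
               if j != i and labels[j] == labels[i]]
        if not own:
            scores.append(0.0)
            continue
        a = sum(own) / len(own)        # mean distance to own cluster
        b = min(sum(hamming(r, s) for j, s in enumerate(rows) if labels[j] == c)
                / labels.count(c) for c in clusters if c != labels[i])
        scores.append((b - a) / max(a, b) if max(a, b) > 0 else 0.0)
    return sum(scores) / len(scores)


def best_k(rows, max_k=10):
    """Silhouette coefficient for k = 2..max_k (bounded by the number of
    distinct rows); returns (best k, {k: score})."""
    scores = {}
    for k in range(2, min(max_k, len(set(rows))) + 1):
        labels, _ = kmodes(rows, k)
        scores[k] = silhouette(rows, labels)
    return max(scores, key=scores.get), scores


def describe_clusters(rows, labels, modes, attributes=ATTRIBUTES):
    """Map each cluster index to (number of decisions, centroid attribute names)."""
    return {j: (labels.count(j), [a for a, bit in zip(attributes, modes[j]) if bit])
            for j in range(len(modes))}


if __name__ == "__main__":
    rows = [encode(d) for d in SAMPLE_DECISIONS]
    k, scores = best_k(rows, max_k=5)
    print("silhouette by k:", {k_: round(s, 3) for k_, s in scores.items()})
    labels, modes = kmodes(rows, 3)
    for j, (size, centroid) in describe_clusters(rows, labels, modes).items():
        print(f"cluster {j + 1}: {size} decisions, centroid {centroid}")
```

On this constructed input three clusters give the grouping a reader would expect (confidentiality, right to response, lawfulness with transparency), but the silhouette score peaks at four clusters because splitting off the two rows that carry both ‘integrity_confidentiality’ and ‘lawfulness’ leaves every remaining cluster internally identical. That is the kind of judgement the paper resolves by reading the Silhouette coefficient together with the Elbow method rather than taking the maximum alone.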

The first group of decisions (Cluster 1) is represented by the ‘integrity_confidentiality’ attribute, as these decisions sanctioned the infringement of the integrity and confidentiality principle. The infringements concerned primarily the confidentiality of personal data, for example, publishing personal data without a legal basis, failing to secure personal data sent by email (for example, by encryption), or sending personal data to unauthorized recipients. No infringement of integrity as such was identified; integrity was mentioned only in connection with the controller’s obligation to adopt necessary security measures. This cluster also included a decision sanctioning a personal data infringement that resulted from a cyberattack, in which the attacker acquired personal data of the controller’s employees (identification and contact information such as name, surname, email, phone number, and work position) and used it to send a fraudulent phishing email to 4500 email addresses of the controller’s employees. Cluster 1 shows that a breach of the integrity and confidentiality principle is closely connected to a breach of the lawfulness principle, whether in the selection of a legal ground under Article 6 GDPR or in processing without any legal basis. It is essential to note that publishing personal data without a legal basis must be considered the most severe breach of GDPR. Nevertheless, the connection between such processing and a breach of confidentiality is an unexpected relationship.

The second group of decisions (Cluster 2) is defined by the attribute ‘right_to_response’. It included decisions in which the controller did not respond to data subjects’ requests within 1 month of their delivery. These requests included requests to delete personal data, to allow access to the personal data processed, or to provide data subjects with a copy of the personal data processed by the controller in a commonly used electronic form. As transparency requirements and the management of data subjects’ rights lie at the core of GDPR, it is surprising how many controllers in Slovakia fail to observe the time periods precisely set out in the regulation.

The third group of decisions (Cluster 3) contains decisions defined by the following attributes: ‘transparency’, ‘data_minimization’ and ‘storage_limitation’. This cluster contains decisions concerning the use of a video surveillance system that sanction a combination of infringements, particularly the failure to provide information to the data subjects concerned when they enter the area under surveillance (Article 13 GDPR), monitoring areas beyond what is necessary (public roads or private properties), and storing data for longer than necessary. Decisions concerning the use of video surveillance form a significant part of the cluster. This mainly stems from the fact that video surveillance was regulated in much more detail in the former Slovak data protection act, and controllers are now unable to follow the general provisions of GDPR. This is surprising given the detailed EDPB guidelines on video surveillance, which are available in Slovak translation.53

The remaining three clusters are formed from two attributes, ‘lawfulness’ and ‘transparency’. Both attributes are present in the centroid of the fourth cluster (Cluster 4). In these decisions, the controller jointly infringed the lawfulness and transparency principles by failing to provide a legal basis for personal data processing (eg, when processing data subjects’ fingerprints) and, concurrently, by failing to provide information to data subjects in a transparent, concise, and easily accessible way. Connecting lawfulness and transparency seems natural, as both aspects form part of the principle laid down in Article 5(1)(a) GDPR. As regards specific guidelines, the EDPB (or WP29) has never issued a comprehensive guideline on the lawfulness of processing; the principle has only ever been addressed in specific use cases. Recommendations on the correct use of legal bases may bring clarity to controllers and reduce the number of cases of processing personal data without a legal ground.

The fifth cluster (Cluster 5) is defined by the ‘lawfulness’ attribute. This cluster contains primarily decisions in which the controller published personal data (date of birth, national identification number, etc) of data subjects in obligatorily published contracts without a legal basis to do so. Other examples include the use of a data subject’s email box after the termination of their employment in the controller’s organization without a legal basis. This is the third cluster evaluating the dimension of lawfulness. However, such cases should rather be assessed under the data minimization principle, especially where more personal data are published than is necessary under that principle.

Lastly, the sixth cluster (Cluster 6) is represented by the ‘transparency’ attribute and includes decisions sanctioning the failure to provide information to data subjects before the processing of their personal data, as required by Articles 12, 13, and 14 GDPR.

To visualize the individual clusters in a two-dimensional space, we apply the PCA method described in the Methodology section. Figure 4 provides a visualization of the individual decision clusters on the basis of the attributes representing individual infringement types. Each point in the figure represents a decision adopted by the Slovak DPA. The distance between points expresses their similarity or difference with respect to the selected attributes.

Figure 4. Visualization of individual clusters based on attributes representing individual infringement types.

Clustering based on selected attributes

For the purposes of this clustering, we use selected binary attributes representing the individual infringement types (‘DPO_obligations’, ‘right_to_response’, ‘national_ID_publication’, ‘data_subject_rights’, ‘DPIA’, ‘record-keeping’, ‘non-adoption_of_measures’, ‘no_notification_of_data_breach’, ‘processor_obligations’, ‘processor_instruction_defficiencies’, ‘Remedial_action_imposition’, ‘Breach_nature_and_severity’). Based on the Elbow method and the Silhouette coefficient, the appropriate number of clusters was 4.

Below we list all clusters with the number of components (decisions) in each cluster and the attribute or set of attributes that represents the cluster (its centroid):

  • Cluster 1 (9 decisions): ‘national_ID_publication’, ‘Breach_nature_and_severity’;

  • Cluster 2 (31 decisions): ‘right_to_response’, ‘Remedial_action_imposition’, ‘Breach_nature_and_severity’;

  • Cluster 3 (52 decisions): ‘Breach_nature_and_severity’; and

  • Cluster 4 (63 decisions): ‘Remedial_action_imposition’, ‘Breach_nature_and_severity’.

The first group of decisions (Cluster 1) contains decisions specified by the ‘national_ID_publication’ and ‘Breach_nature_and_severity’ attributes. These include cases where the controller unlawfully published the national identification numbers of data subjects in contracts that are obligatorily published on the controller’s website. Despite a specific opening clause in the GDPR related to the processing of national IDs,54 and the subsequent implementation of that clause in the Slovak data protection legislation, processing operations involving national IDs remain problematic for controllers. This might stem from the more specific regime for processing such data in the former data protection act. In any case, the processing of national IDs remains a sensitive processing operation, and the publication of such data in particular should be limited to strictly necessary cases.

The second group of decisions (Cluster 2) is represented by decisions with the following attributes: ‘right_to_response’, ‘Remedial_action_imposition’, and ‘Breach_nature_and_severity’. The decisions concerned sanction the infringement of data subjects’ rights, specifically the right to obtain a copy of the personal data processed. This cluster is similar to Cluster 2 defined in the previous section of this article, and the same conclusions apply.

The third cluster (Cluster 3) is characterized by the ‘Breach_nature_and_severity’ attribute. As this attribute is the most common aggravating circumstance identified in the analysed decisions (present in 151 of 159 decisions), this cluster also collects the decisions not included in the other clusters described in this article. This shows that the DPA systematically evaluates aggravating circumstances when imposing sanctions.

The last cluster (Cluster 4) is defined by the attributes ‘Remedial_action_imposition’ and ‘Breach_nature_and_severity’. This cluster focuses on the infringement of the transparency principle, as it includes decisions sanctioning the failure to provide the required information to data subjects. It also includes cases where the controller lost documents (employment contracts) containing personal data. This cluster is similar to Cluster 6 defined in the previous section of this article and similarly shows that compliance with information obligations remains an issue for controllers in Slovakia, despite the precise language of the GDPR on the content of the information to be provided and the accompanying guidelines on transparency issued by the EDPB.

To visualize the individual clusters in a two-dimensional space, we again apply the PCA method described in the Methodology section. Figure 5 provides a visualization of the individual decision clusters on the basis of the selected attributes. Each point in the figure represents a decision adopted by the Slovak DPA. The distance between points expresses their similarity or difference with respect to the selected attributes.

Figure 5. Visualization of individual clusters based on selected attributes.

Clustering proves to be an effective method of analysing the results of the DPA’s decision-making process, enabling the recognition of different categories of decisions that identify personal data infringements frequently occurring in practice. Above, we have provided two approaches for distinguishing different categories of the DPA’s decisions. In both cases, we employed the K-modes method for clustering categorical/binary values. The approaches differ in the set of attributes that encode the decisions analysed. In the first instance, we coded the decisions using only the attributes representing individual infringements. In the second, we used the combination of attributes that was deemed best according to the Silhouette coefficient. The first clustering, based on the infringement attributes, showcases groups of violations based on the ‘integrity_confidentiality’, ‘right_to_response’, and ‘transparency’ attributes. It reflects the effect of decisions that sanction only one or two infringements. The second clustering uses other attributes and expresses decisions including attributes such as ‘Breach_nature_and_severity’ or ‘national_ID_publication’.
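The K-modes clustering and Silhouette-based choice of k summarized above and in the cluster list of the previous sub-section, as an added example that is not the article's own code: it encodes a handful of constructed decisions (not records from the Slovak DPA) as binary vectors over a subset of the attribute names used in this article, clusters them by Hamming dissimilarity, and reports each cluster's mode as the attribute set that represents it. The farthest-first seeding is an assumption made to keep the run deterministic; the run also shows why a near-universal attribute such as ‘Breach_nature_and_severity’ ends up in every centroid.

```python
# Added example (not the article's code): K-modes over binary infringement attributes.
from typing import Dict, List, Sequence, Tuple

Vector = Tuple[int, ...]
# Subset of the attribute names used in the article (fixed column order).
ATTRIBUTES = ["lawfulness", "transparency", "right_to_response",
              "integrity_confidentiality", "Breach_nature_and_severity"]

# Constructed sample decisions: the listed attributes are coded 1, all others 0.
SAMPLE_DECISIONS: List[Dict[str, int]] = [
    {"lawfulness": 1, "transparency": 1, "Breach_nature_and_severity": 1},
    {"lawfulness": 1, "transparency": 1, "Breach_nature_and_severity": 1},
    {"lawfulness": 1, "transparency": 1},
    {"right_to_response": 1, "Breach_nature_and_severity": 1},
    {"right_to_response": 1, "Breach_nature_and_severity": 1},
    {"right_to_response": 1},
    {"lawfulness": 1, "integrity_confidentiality": 1, "Breach_nature_and_severity": 1},
    {"integrity_confidentiality": 1, "Breach_nature_and_severity": 1},
    {"lawfulness": 1, "integrity_confidentiality": 1, "Breach_nature_and_severity": 1},
]

def encode(decision: Dict[str, int], attributes: Sequence[str] = ATTRIBUTES) -> Vector:
    """Binary attribute vector of one decision in the fixed ATTRIBUTES order."""
    return tuple(1 if decision.get(name, 0) else 0 for name in attributes)

def hamming(u: Vector, v: Vector) -> int:
    """Number of attributes on which two decisions differ (the K-modes dissimilarity)."""
    return sum(a != b for a, b in zip(u, v))

def mode_of(members: List[Vector]) -> Vector:
    """Per-attribute majority value; an exact tie is coded 0."""
    return tuple(1 if 2 * sum(col) > len(members) else 0 for col in zip(*members))

def farthest_first_init(data: List[Vector], k: int) -> List[Vector]:
    """Assumed deterministic seeding: first record, then the record farthest from the chosen modes."""
    modes = [data[0]]
    while len(modes) < k:
        dists = [min(hamming(x, m) for m in modes) for x in data]
        modes.append(data[dists.index(max(dists))])  # lowest index wins ties
    return modes

def kmodes(data: List[Vector], k: int, max_iter: int = 100) -> Tuple[List[int], List[Vector]]:
    """Plain K-modes: assign each record to its nearest mode, recompute modes, repeat until stable."""
    modes = farthest_first_init(data, k)
    labels: List[int] = [-1] * len(data)
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: hamming(x, modes[j])) for x in data]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [x for x, lab in zip(data, labels) if lab == j]
            if members:  # an emptied cluster keeps its previous mode
                modes[j] = mode_of(members)
    return labels, modes

def silhouette(data: List[Vector], labels: List[int]) -> float:
    """Mean Silhouette coefficient under Hamming distance; singleton clusters score 0."""
    n, clusters, scores = len(data), sorted(set(labels)), []
    for i in range(n):
        own = [j for j in range(n) if labels[j] == labels[i] and j != i]
        if not own:
            scores.append(0.0)
            continue
        a = sum(hamming(data[i], data[j]) for j in own) / len(own)
        b = min(
            sum(hamming(data[i], data[j]) for j in range(n) if labels[j] == c) / labels.count(c)
            for c in clusters if c != labels[i]
        )
        scores.append((b - a) / max(a, b) if max(a, b) > 0 else 0.0)
    return sum(scores) / n

def choose_k(data: List[Vector], candidates: Sequence[int] = (2, 3, 4)) -> int:
    """Pick the k with the highest mean Silhouette coefficient."""
    return max(candidates, key=lambda k: silhouette(data, kmodes(data, k)[0]))

def centroid_attribute_sets(modes: List[Vector], attributes: Sequence[str] = ATTRIBUTES) -> List[set]:
    """Attributes whose mode is 1: the attribute set that 'represents' each cluster."""
    return [{name for name, bit in zip(attributes, mode) if bit} for mode in modes]

def cluster_report(decisions: List[Dict[str, int]] = SAMPLE_DECISIONS) -> Tuple[int, List[int], List[set]]:
    """Returns (chosen k, cluster sizes, centroid attribute sets) for a list of decisions."""
    data = [encode(d) for d in decisions]
    k = choose_k(data)
    labels, modes = kmodes(data, k)
    return k, [labels.count(j) for j in range(k)], centroid_attribute_sets(modes)

if __name__ == "__main__":
    best_k, sizes, sets = cluster_report()
    print(f"best k by Silhouette: {best_k}")
    for j, (size, attrs) in enumerate(zip(sizes, sets), start=1):
        print(f"Cluster {j} ({size} decisions): {sorted(attrs)}")
```

On the constructed sample the Silhouette coefficient selects k = 3, and ‘Breach_nature_and_severity’ appears in every centroid because it is coded 1 in most records of each cluster, which is the same effect the article observes for its Cluster 3.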

Conclusion

The state of the administrative enforcement of personal data protection regulation in Slovakia is determined, primarily, by the decisions adopted by the Slovak Office for Personal Data Protection (DPA). The systematic content analysis (SCA) of its decisions allowed us to examine the DPA’s decision-making process and to determine the DPA’s approach to GDPR application in practice. The first step of this analysis focused on the determination of the most common types of infringements identified and sanctioned by the DPA. These included, primarily, infringements of the lawfulness and transparency principles, confirming that most controllers have yet to adjust their processes to the obligations stemming from the personal data protection legislation, including the determination of the applicable legal basis for personal data processing and the obligation to inform data subjects about their rights in this regard. In general, controllers struggle with the correct understanding and application of the principles of personal data processing set out in Article 5 GDPR. The role of these principles is to provide interpretative guidance and to represent the spirit of EU data protection law. Further guidance and interpretation from the DPA may therefore help controllers to better understand the role of the principles and their application to personal data processing.

The recurring cases of infringements with similar or identical merits (eg, the repeated failure of small municipalities to correctly anonymize obligatorily published contracts) may indicate the inefficiency of the DPA’s enforcement practices, especially considering their objective of achieving a deterrent effect that prevents future infringements. This is further suggested by the DPA’s failure to provide corresponding issue-oriented guidelines to the relevant controllers, for example, in its annual reports. Furthermore, the publication of decisions together with user-friendly search interfaces may provide additional value for controllers and processors seeking help with specific issues. A combination of national DPA guidelines on the most commonly occurring types of infringements and a publicly available database of the decisions adopted by the DPA could have the deterrent effect sought by the personal data protection legislation. The creation of such a database would require the extension of the DPA’s obligations in the national legislation, or could be required on the basis of EU law to ensure the transparency of personal data protection enforcement practices.

Another interesting finding in this regard is the frequent cumulation of multiple infringements in a single decision, indicating a more comprehensive evaluation of the controller’s obligations by the DPA. On the other hand, in cases of multiple infringements, the penalty imposed does not reflect the fact that the law was infringed more than once. This is especially striking where the principle of lawfulness, one of the pillars of data protection regulation, is breached. Such an approach may call for uniform and consistent rules for national DPAs stemming from the EU level. The data also illustrate the prevailing trend of examining the personal data processing operations of controllers that are private companies, which may be explained by the presumed higher impact of such processing on the data subjects concerned. The active approach of the DPA to personal data proceedings is also evident from the number of proceedings launched by the DPA itself (comparable to those initiated by third parties), as well as from the number of decisions adopted in the examined period.

Further analysis consisted of the examination of the DPA’s practice in determining the applicable aggravating and mitigating circumstances in the decisions analysed. The results achieved in this regard, however, were contradictory. On the one hand, the DPA classified the nature and gravity of the detected infringements as more severe in the majority of the examined decisions, which was evaluated as an aggravating circumstance. Nonetheless, this classification did not lead to the imposition of higher administrative fines, as might be presumed. The DPA was also more inclined to enumerate all applicable mitigating circumstances, without giving the same attention to the relevant aggravating circumstances. As explained above, the reason for this practice may be the DPA’s effort to justify the insignificant amounts of the administrative fines imposed on controllers, which in practice are often merely symbolic. However, such an approach does not fully reflect a consistent application of the GDPR and may be mitigated by binding rules for the enforcement actions of national DPAs.

Further discrepancies in fine imposition practices were also identified with regard to the impact of data breach notification on the sanctions issued by the DPA. Whereas the fulfilment of the controller’s obligation to notify personal data breaches to the DPA was, in most cases, considered by the DPA as a mitigating circumstance, the controller’s failure to fulfil this obligation was not concurrently deemed an aggravating circumstance in practice, diminishing the practical effect of compliance with this obligation on the amount of the fine imposed. Such practice fails to balance the principles of security and accountability proportionally. This should be addressed in the decision making of DPAs by binding rules on the application of aggravating and mitigating circumstances laid down explicitly by law. Similarly, no differences in fine imposition practices could be determined on the basis of the different ways in which personal data protection proceedings were initiated.

The subsequent analysis also allowed us to determine different groups of decisions with common characteristics based on (i) the attributes representing individual infringement types and (ii) selected attributes. The clustering analysis was preceded by the identification of outliers, that is, decisions that differ significantly from the other decisions in the examined sample. The clustering analysis proved to be an effective method for the analysis of the DPA’s decisions, enabling the recognition of different categories of decisions with common characteristics that identify personal data infringements frequently occurring in practice.

The number of decisions issued by the Slovak DPA is comparable to that of countries such as Germany or Romania, which rank among the most active national authorities in the EU. Nonetheless, the fines imposed by the DPA do not correspond to the amounts of the fines issued in other Member States. This may be the result of the DPA’s fine imposition practices identified in this article, which include a preference for defining the mitigating circumstances applicable to a given case without giving the same attention to the application of aggravating circumstances (including the non-consideration of the failure to notify the DPA of data breaches as an aggravating circumstance). These practices result in the imposition of often insignificant fines, only rarely exceeding the threshold of €10,000, and do not embrace the full potential of GDPR fines. The few outliers identified (eg, the €50,000 fine imposed on the national social insurance company) have no significant impact on the controllers sanctioned (considering their annual profits and sales) and are, therefore, unable to achieve the preventive and punitive function that the DPA expects fines to fulfil in practice, as it continually repeats in its annual reports. Moreover, the fines imposed will not usually cover the costs associated with the DPA’s proceedings on personal data infringements. This is further supported by the income expectations set by the Ministry of Finance of the Slovak Republic, which sets limits for the annual income to be achieved by the DPA. To illustrate, in 2020 the binding income indicator was set at €81,778 and later decreased to €60,000 due to the pandemic situation; the DPA collected €126,432 in fines issued in the corresponding year, largely exceeding the expected income. It can be concluded that the fines imposed cannot be expected to ensure the expected deterrent effect, as such sanctions can have only a very limited impact on the controllers in question, who will not be motivated to adopt the measures necessary to avoid future infringements.

Because the GDPR places a strong emphasis on consistent application, the authors suggest that the enforcement approach discussed in this paper indicates a need for more detailed guidance for DPAs regarding GDPR enforcement. This could be achieved through the consistent application of the existing enforcement guidelines by the national DPAs, for example, the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, or through the adoption of further guidelines and recommendations, for example, on the method of determining the impact of aggravating and mitigating circumstances on the sanction imposed on the controller. Another option would be the revision of the existing EU legislation. This could encompass the extension of the list of conditions to be obligatorily considered by the national DPAs when deciding on the imposition of administrative fines, so as to take into account the costs associated with the DPA’s proceedings on personal data infringements, or the stipulation of minimum amounts of fines to be imposed in cases of the more serious infringements defined in Article 83(5) GDPR. The calculation of the minimum fines to be imposed in these cases could reflect the controller’s income and ensure that the fine issued sufficiently impacts the controller, decreasing the likelihood of future infringements of a similar nature. It is, however, questionable whether this option would find support at the national level, given that the competence to ensure personal data protection enforcement is entrusted to the individual Member States.

Funding

This article was funded by the Slovak Research and Development Agency on the basis of the Contract No APVV-21-0336 within the scope of the project ‘Analysis of judicial decisions using artificial intelligence’ and Contract No 17-0561 within the scope of the project ‘Human-rights and ethical aspects of cybersecurity’.

Footnotes

1. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995 L 281/31.

2. European Union Agency for Fundamental Rights, ‘Access to Data Protection Remedies in EU Member States’ (2014).

3. Bart Custers and others, ‘A Comparison of Data Protection Legislation and Policies across the EU’ (2017) 34 Computer Law & Security Review: The International Journal of Technology Law and Practice 234–243.

4. David Wright, ‘Enforcing Privacy’ in David Wright and Paul De Hert (eds), Enforcing Privacy. Regulatory, Legal and Technical Approaches (Springer, Cham, 2016) 13–49.

5. Jan P Albrecht, ‘Regaining Control and Sovereignty in the Digital Age’ in David Wright and Paul De Hert (eds), Enforcing Privacy. Regulatory, Legal and Technical Approaches (Springer, Cham, 2016) 473–488.

6. Sebastian J Golla, ‘Is Data Protection Law Growing Teeth? The Current Lack of Sanctions in Data Protection Law and Administrative Fines under the GDPR’ (2017) 8 Journal of Intellectual Property, Information Technology and Electronic Commerce Law 70, para 1.

7. Paul Nemitz, ‘Fines under the GDPR’ (2017) CPDP 2017 Conference Book <https://ssrn.com/abstract=3270535> accessed 17 May 2024.

8. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.

9. Art 29 Data Protection Working Party, ‘Guidelines on the Application and Setting of Administrative Fines for the Purpose of the Regulation 2016/679’ (WP253, 13 October 2017).

10. Such practices were left to the relevant national authorities to be developed; eg, Germany issued a guide for calculating administrative fines imposed for GDPR violations. Proposals of methods for fine calculation have also been presented in academic writing, eg, by Winston Maxwell and Christine Gateau, ‘A Point for Setting Administrative Fines under the GDPR’ (2019) <https://www.jdsupra.com/legalnews/a-point-for-setting-administrative-53715/> accessed 17 May 2024.

11. Josephine Wolff and Nicole Atallah, ‘Early GDPR Penalties, Analysis of Implementation and Fines through May 2020’ (2021) 11 Journal of Information Policy 63.

12. See eg, Wanda Presthus and Kaja F Sønslien, ‘An Analysis of Violations and Sanctions following the GDPR’ (2021) 9 International Journal of Information Systems and Project Management 38; Marlene Saemann and others, ‘Investigating GDPR Fines in the Light of Data Flows’ (2022) (4) Proceedings on Privacy Enhancing Technologies (PETS) 314; José C Dias, António Martins and Pedro Pinto, ‘An Analysis of Infractions in the Context of the GDPR’ (2023) 12 International Journal of Marketing, Communication and New Media 42–58, special issue on cybersecurity, privacy and data protection <http://u3isjournal.isvouga.pt/index.php/ijmcnm/article/view/758> accessed 17 May 2024.

13. See Jukka Ruohonen and Kalle Hjerpee, ‘Predicting the Amount of GDPR Fines’ (Proceedings of the First International Workshop “CAiSE for Legal Documents” (COUrT 2020), Grenoble, France); Jukka Ruohonen and Kalle Hjerpee, ‘The GDPR Enforcement Fines at Glance’ (2022) 106 Information Systems 101876; Nimród Mike, ‘Data Protection has Entered the Chat: Analysis of GDPR Fines’ (2022) 16 Masaryk University Journal of Law and Technology 163.

14. Mona N Lintvedt, ‘Putting Price on Data Protection Infringement’ (2022) 12 International Data Privacy Law 1.

15. See eg, the GDPR Enforcement Tracker provided by CMS <https://www.enforcementtracker.com/> accessed 17 May 2024.

16. See eg, the GDPRxiv project <https://GDPRxiv.org> accessed 17 May 2024.

17. Hielke Hijmans, ‘Article 51’ in Christopher Kuner and others (eds), The EU General Data Protection Regulation (GDPR): A Commentary (OUP, New York, 2020) 863.

18. Datatilsynet, ‘The Danish DPA in Numbers’ <https://www.datatilsynet.dk/english/the-danish-dpa-in-numbers> accessed 17 May 2024.

19. Data Protection Commission, ‘Annual Report 2022’ <https://www.dataprotection.ie/sites/default/files/uploads/2023-03/DPC%20AR%20English_web.pdf> accessed 17 May 2024.

20. The Office for Personal Data Protection of the Slovak Republic, ‘Annual reports’ <https://dataprotection.gov.sk/uoou/sk/content/vyrocne-spravy> accessed 1 March 2024.

21. To illustrate, the Ministry of Justice of the Slovak Republic is obligated to publish anonymised decisions adopted by the Slovak courts (including the courts of the first and second instance, the Supreme Court and the Constitutional Court). Moreover, the decisions issued by national authorities with positions similar to the DPA, such as the Industrial Property Office of the Slovak Republic, the Antimonopoly Office of the Slovak Republic, etc, are made publicly available on the websites of those offices.

22. See eg, Maria Konstantinou and others, ‘Data Security on the Ground: Investigating Technical and Legal Requirements under the GDPR’ (Proceedings on Privacy Enhancing Technologies, Lausanne, Switzerland 2023) or Chen Sun and others, ‘GDPRxiv: Establishing the State of the Art in GDPR Enforcement’ (Proceedings on Privacy Enhancing Technologies, Lausanne, Switzerland 2023).

23. Robert Weber, Basic Content Analysis (2nd edn, SAGE, Newbury Park, California 1990) vol 49.

24. Kylie Burns and Terry Hutchinson, ‘The Impact of “Empirical Facts” on Legal Scholarship and Legal Research Training’ (2009) 43 Law Teacher 153–178.

25. Maryam Salehijam, ‘The Value of Systematic Content Analysis in Legal Research’ (2018) 23 Tilburg Law Review 34.

26. The Slovak Act No 18/2018 Coll. on personal data protection, as amended.

27. Benesty Jacob and others, ‘Pearson Correlation Coefficient’ in B Jacob, J Chen, Y Huang and I Cohen (eds), Noise Reduction in Speech Processing (Springer Topics in Signal Processing, Springer, Berlin 2009) vol 2, 37.

28. The SciPy Community, ‘SciPy Manual v1.10.1 - stats.chisquare’ (2023) <https://docs.scipy.org/doc/scipy/reference/generated/scipy.stats.chisquare.html> accessed 17 May 2024.

29. Karin S Dorman and Ranjan Maitra, ‘An Efficient k‐Modes Algorithm for Clustering Categorical Datasets’ (2021) 15 Statistical Analysis and Data Mining: The ASA Data Science Journal 1.

30. Zhexue Huang, ‘Clustering Large Data Sets with Mixed Numeric and Categorical Values’ (Proceedings of the 1st Pacific-Asia Conference on Knowledge Discovery and Data Mining, Trondheim, June 1997).

31. Edy Umargono, Jatmiko E Suseno and SK Vincensius Gunawan, ‘K-Means Clustering Optimization Using the Elbow Method and Early Centroid Determination Based on Mean and Median’ (Proceedings of the International Conferences on Information System and Technology (CONRIST 2019), Yogyakarta, Indonesia).

32. Ketan R Shahapure and Charles K Nicholas, ‘Cluster Quality Analysis Using Silhouette Score’ (2020 IEEE 7th International Conference on Data Science and Advanced Analytics (DSAA)).

33. Markus M Breunig and others, ‘LOF: Identifying Density-based Local Outliers’ (Proceedings of the 2000 ACM SIGMOD International Conference on Management of Data, Dallas, Texas, USA).

34. Zheng Li and others, ‘ECOD: Unsupervised Outlier Detection Using Empirical Cumulative Distribution Functions’ (2022) IEEE Transactions on Knowledge and Data Engineering 1–13.

35. Yahya Almardeny, Noureddine Boujnah and Frances Cleary, ‘A Novel Outlier Detection Method for Multivariate Data’ (2020) 32 IEEE Transactions on Knowledge and Data Engineering 4052.

36. Fei T Liu, Kai M Ting and Zhi-Hua Zhou, ‘Isolation Forest’ (2008 Eighth IEEE International Conference on Data Mining, Pisa, Italy).

37. Tomáš Pevný, ‘Loda: Lightweight On-line Detector of Anomalies’ (2016) 102 Machine Learning 275.

38. Tharindu R Bandaragoda and others, ‘Isolation‐based Anomaly Detection Using Nearest‐neighbor Ensembles’ (2018) 34 Computational Intelligence 968.

39. Zheng Li and others, ‘COPOD: Copula-based Outlier Detection’ (2020 IEEE International Conference on Data Mining (ICDM), Sorrento, Italy).

40. Yuh-Jye Lee, Yi-Ren Yeh and Yu-Chiang F Wang, ‘Anomaly Detection Via Online Oversampling Principal Component Analysis’ (2012) 25 IEEE Transactions on Knowledge and Data Engineering 1460.

41. Bernhard Schölkopf and others, ‘Estimating the Support of a High-dimensional Distribution’ (2001) 13 Neural Computation 1443.

42. See European Data Protection Board, ‘Guidelines 3/2019 on processing of personal data through video devices’ 119 <https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_201903_videosurveillance.pdf> accessed 17 May 2024.

43. See Art 83 GDPR.

44. The imposition of fines is analysed in detail in the ‘Imposition of sanctions’ section of this article.

45. Art 34 GDPR.

46. Art 83(1) GDPR.

47. See the statistics provided by Privacy Affairs <https://www.privacyaffairs.com/gdpr-fines/> accessed 17 May 2024, or the Enforcement Tracker <https://www.enforcementtracker.com/?insights> accessed 17 May 2024.

48. According to the statistics provided by the GDPR Enforcement Tracker in its 5-year GDPR report <https://www.enforcementtracker.com/?insights> accessed 17 May 2024.

49. Finstat database of Slovak companies <https://finstat.sk/35763469> accessed 17 May 2024.

50. Finstat database of Slovak companies <https://www.finstat.sk/00492736> accessed 17 May 2024.

51. Finstat database of Slovak companies <https://www.finstat.sk/31321828> accessed 17 May 2024.

52. A closer examination of this decision is provided in the ‘Imposition of sanctions’ section, as the fine imposed in this case was the highest fine issued in the analysed period.

53. See European Data Protection Board, Guidelines 3/2019 on processing of personal data through video devices <https://www.edpb.europa.eu/our-work-tools/ourdocuments/guidelines/guidelines-32019-processing-personal-data-through-video_en> accessed 17 May 2024.

54. Art 87 GDPR.

This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic-oup-com.libproxy.ucl.ac.uk/pages/standard-publication-reuse-rights)