Slovakia - Data Protection Overview

July 2022

1. Governing Texts

The Act No. 18/2018 Coll. on Protection of Personal Data ('the Act') was adopted on 29 November 2017 and entered into force on 25 May 2018. In addition to the GDPR, the Act also implements the Data Protection Directive with respect to Law Enforcement (Directive (EU) 2016/680) ('the Law Enforcement Directive').

The Act is enforced by the Office for Personal Data Protection of the Slovak Republic ('ÚOOÚ'), which among other things, acts upon data subjects' complaints, adopts guidelines, participates in the protection of fundamental rights of natural persons in relation to the processing of personal data, and executes data protection supervision.

1.1. Key acts, regulations, directives, bills

The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') was implemented into Slovak law by the Act.

The Act was adopted on 29 November 2017 and entered into force on 25 May 2018. In essence, it duplicates GDPR provisions, transposes into the Slovak law system the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680), and introduces some derogations from the GDPR.

Decree No. 158/2018 Coll. of the Office for Personal Data Protection on Personal Data Impact Assessment Procedure was adopted on 29 May 2018 and entered into force on 15 June 2018 (only available in Slovak here) ('the Decree').

In addition, the draft Decree on certification criteria, certification procedures, content of technical and security documentation and conditions for data protection audits, including requirements for professional qualities of a data protection auditor, is currently in its preparatory stage.

1.2. Guidelines

The ÚOOÚ has published a number of guidelines on its website (the full list is available in Slovak here). Examples include:

1.3. Case law

The ÚOOÚ does not publish its decisions, and there is only limited information relating to case law. Based on the latest 2020 Annual Report (only available in Slovak here), the ÚOOÚ imposed 54 fines in the total amount of €103,300 in 2020. The lowest fine, in the amount of €300, was imposed on a controller for unauthorised disclosure of personal data, and the highest fine, in the amount of €20,000, was imposed on a controller for breach of the principles of transparency and data minimisation.

The case law related to the previous legal framework, namely Act No. 122/2013 Coll. on the Protection of Personal Data, as amended ('the Act No. 122/2013') is also very limited and not well developed. The court decisions that are publicly available do not interpret problematic provisions of the previous legal framework.

In a number of cases, the requirement of data subject consent under the Act No. 122/2013 was used by public authorities as an argument against revealing the identity of a natural person when requested to do so under Act No. 211/2000 Coll. on Free Access to Public Information, as amended. The courts have not established a test that addresses such a conflict, so it would need to be dealt with on a case-by-case basis.

2. Scope of Application

2.1. Personal scope

The Act follows the scope of the GDPR and of the Law Enforcement Directive.

In the case of deceased individuals, Section 78(7) of the Act provides that consent may be given by a close person of the deceased data subject. Such consent is not valid if at least one close person has issued a written disapproval.

2.2. Territorial scope

The Act follows the scope of the GDPR and of the Law Enforcement Directive.

There are no specificities regarding the territorial scope of the provisions of the GDPR and national regulations. National regulations apply to the entire territory of Slovakia.

2.3. Material scope

The Act follows the scope of the GDPR and of the Law Enforcement Directive.

A significant part of the Act (in particular, Sections 2 and 5, Chapter Two, and Chapter Three of the Act) does not apply to processing which is directly regulated under the GDPR.

The Act does not apply to the processing of personal data in the following cases:

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The main regulator for data protection is the ÚOOÚ.

3.2. Main powers, duties and responsibilities

In addition to the powers conferred by Article 58 of the GDPR, the ÚOOÚ:

  • monitors the application of the Act;
  • expresses its view on the proposed legislation concerning personal data protection;
  • provides consultancy in personal data protection;
  • increases public awareness of the risks and rights relating to the processing of personal data;
  • supervises personal data protection;
  • submits a report on personal data protection at least once a year; and
  • cooperates with the European Data Protection Board ('EDPB').

For the exercise of its role, the ÚOOÚ also has the following powers:

  • to enter premises of data controllers and data processors;
  • to request access to personal data and information that are necessary for fulfilling its duties;
  • to impose sanctions;
  • to order a temporary or permanent limitation on the processing of personal data; and
  • to recommend to data controllers and data processors measures to ensure personal data protection in information systems.

4. Key Definitions

Data controller: There are no national variations from the GDPR.

Data processor: There are no national variations from the GDPR.

Personal data: There are no national variations from the GDPR.

Sensitive data: There are no national variations from the GDPR.

Health data: There are no national variations from the GDPR.

Biometric data: There are no national variations from the GDPR.

Pseudonymisation: There are no national variations from the GDPR.

5. Legal Bases

5.1. Consent

There are no national variations from the GDPR.

5.2. Contract with the data subject

There are no national variations from the GDPR.

5.3. Legal obligations

There are no national variations from the GDPR.

5.4. Interests of the data subject

There are no national variations from the GDPR.

5.5. Public interest

There are no national variations from the GDPR.

5.6. Legitimate interests of the data controller

There are no national variations from the GDPR.

5.7. Legal bases in other instances

Chapter Four of the Act contains specific situations of lawful processing of personal data.

The special situations include the following:

  • processing personal data for archiving, scientific, or historical research or statistical purposes;
  • processing necessary to inform the public by mass media means;
  • disclosure of personal data of employees by their employers; and
  • the personal data of data subject collected from another natural person.

For more on the specific situations of lawful processing of personal data, see the sections below.

National implementation of Article 89 of the GDPR

When processing personal data for archiving, scientific, or historical research, or statistical purposes, the data controller and the data processor are obliged to take appropriate safeguards for the rights of the data subject. These safeguards include the introduction of adequate and effective technical and organisational measures, in particular to ensure compliance with the principle of data minimisation and pseudonymisation.

As these are privileged purposes which derogate from the purpose limitation principle, it is also possible to limit the rights of data subjects (provided the appropriate safeguards mentioned above were taken); namely, it is possible to limit the right of access, the right to rectification, the right to restriction of processing, and the right to object. Furthermore, for the purpose of archiving, this extends to the right to have recipients notified and to the right to data portability under the GDPR.

Employment

The Act provides for the following rules relating to specific processing situations envisaged in Chapter IX of the GDPR.

Employers are entitled to provide or disclose employee personal data in the following scope: title, name, surname, job classification, professional classification, functional classification, employee's personal or employee number, business area, place of work, telephone number, fax number, workplace electronic mail address, and employer identification data, if necessary in connection with the performance of the job, or the professional or functional duties, of the data subject. Provision or disclosure of personal data cannot infringe on the esteem, dignity, and security of the data subject.

Other purposes of processing

Unless the data processing infringes on the right of the data subject to protection of their personality or their right to privacy, or unless it is explicitly forbidden by law, the data controller is not obliged to obtain the consent of data subjects where data processing is required for:

  • academic, artistic, or literary expression; and
  • informing the public through mass media, provided that personal data is processed by a data controller entitled to conduct such business activity of mass media information.

Publication of a birth number as a national identification number is forbidden, unless the data subjects concerned published it themselves. Processing of a birth number is allowed only with explicit consent.

The Act limits the ability of data controllers to collect data about a natural person from another natural person without the consent of the former. This prohibition does not apply if such data collection and processing is required to protect the latter person's legitimately protected interests, if the latter person notifies facts justifying the legal liability of the data subject, or if the personal data is processed under a special law subject to specific provisions of the GDPR.

6. Principles

There are no national variations; the principles of data processing provided in the GDPR apply.

7. Controller and Processor Obligations

7.1. Data processing notification

Registration and notification schemes required by the Act No. 122/2013 were removed as of 25 May 2018. There are no longer any national notification or registration requirements.

7.2. Data transfers

There are no national restrictions.

7.3. Data processing records

There are no national restrictions.

7.4. Data protection impact assessment

The Decree provides certain rules on how data controllers should carry out a Data Protection Impact Assessment ('DPIA') (only available in Slovak here). In addition, the DPIA List sets out which processing operations are subject to a DPIA, as envisaged in Article 35(4) of the GDPR.

7.5. Data protection officer appointment

The Act does not set out any requirements related to DPOs beyond those included in the GDPR.

7.6. Data breach notification

The Act does not contain any variations and/or exemptions from the data breach notification obligations of the GDPR. The ÚOOÚ has created an online platform for the notification of data breaches (only available in Slovak here).

7.7. Data retention

The Act does not contain any variations on data retention.

7.8. Children's data

With regard to children's consent in relation to information society services, the Act does not set a lower age threshold, and therefore the age of 16 years applies. The Act does not set out any additional rules on the age of consent for other purposes (other than information society services), so the civil rules on legal capacity apply. Under Act No. 40/1964 Coll. Civil Code of 26 February 1964 (only available in Slovak here) ('the Slovak Civil Code'), minors have limited legal capacity and possess the capacity to undertake acts that, by their nature, are appropriate to the intellectual and volitional maturity corresponding to their age.

7.9. Special categories of personal data

Under the Act, the processing of certain special categories of personal data (genetic data, biometric data, and data relating to health) is lawful when it is envisaged by a specific law or an international treaty. This exemption from the general prohibition on the processing of special categories of personal data, as introduced in Article 9(1) of the GDPR, will be relied upon, for instance, by insurance companies in connection with life insurance.

The Act does not set out specific regulations that relate to processing of data on criminal convictions.

7.10. Controller and processor contracts

There are no additional requirements for a contract between a controller and processor in the Act.

8. Data Subject Rights

The Act contains the same rights as included in the GDPR.

Data subjects' rights may be limited where personal data is processed for archiving purposes, scientific or historical research purposes, or statistical purposes. The Act contains no further variations from the GDPR as to rights of data subjects.

8.1. Right to be informed

There is no variation in the Act from the right to be informed provided in the GDPR.

8.2. Right to access

There is no variation in the Act in relation to the right to access.

8.3. Right to rectification

There is no variation in the Act in relation to the right to rectification.

8.4. Right to erasure

There is no variation in the Act for the right to erasure in the GDPR.

8.5. Right to object/opt-out

There is no variation in the Act in relation to the right to object.

8.6. Right to data portability

There is no variation in the Act for the right to data portability provided in the GDPR.

8.7. Right not to be subject to automated decision-making

There is no variation in the Act on automated individual decision-making, including profiling in the GDPR.

8.8. Other rights

There is no variation in the Act for the right to restriction of processing provided in the GDPR.

9. Penalties

The ÚOOÚ may impose:

  • a penalty of up to €10 million for non-performance or breach of an obligation under the Act or the GDPR;
  • a penalty of up to €20 million for non-performance or breach of any principle relating to the processing of personal data, non-performance or breach of any right of the data subject, non-performance or breach of any obligations related to the transfer of personal data to third countries or international organisations, etc.;
  • a penalty of up to €2,000 for the failure to provide the required cooperation to the ÚOOÚ during supervision where the person concerned is neither a data controller nor a data processor; and
  • a penalty of up to €2,000 imposed on a data controller or a processor if it fails to provide adequate conditions for the control, and a penalty of up to €10,000 if it obstructs the control process.

Act No. 300/2005 Coll. Criminal Code (only available in Slovak here) ('the Slovak Criminal Code') establishes a criminal offence of unauthorised manipulation of personal data. The sanctions for this offence include imprisonment of one or two years, or fines. In practice, this offence seldom (if ever) occurs alone without being connected to other offences, such as fraud. According to the statistics (only available in Slovak here) kept by the General Prosecution Authority of the Slovak Republic, six offenders were prosecuted in 2020 in connection with the crime of unauthorised handling of personal data under the Slovak Criminal Code.

Individuals can seek civil law remedies before Slovak courts.

Data subjects have a right to compensation, namely a claim for damages under general civil law, if they suffer damage as a result of a breach of statutory obligations set out in the Act. However, this does not prevent them from seeking protection of their personal integrity and privacy under the Slovak Civil Code.

9.1. Enforcement decisions

As mentioned above, the ÚOOÚ imposed nine fines in the total amount of €75,300 during the period from 25 May 2019 to 31 December 2019. The average fine was €8,367. The ÚOOÚ imposed the lowest fine of €500 on the controller for failure to cooperate. The highest fine was imposed by the ÚOOÚ in the amount of €50,000 on the controller for breaching the security of personal data processing.