DLA Piper Intelligence

Data Protection
Laws of the World

Law

Slovak Republic

As a member of the European Union, Slovakia implemented the EU Data Protection Directive 95/46/EC in September 2002 with Act No. 428/2002 Coll., the Data Protection Act, as amended. To resolve application problems of Act No. 428/2002 Coll. arising from the non-uniform interpretation of its definitions, a new Act No. 122/2013 Coll., the Data Protection Act ('DPA'), replacing Act No. 428/2002 Coll., was adopted and has been effective since 1 July 2013. The DPA was further amended by Act No. 84/2014 Coll., effective as of 15 April 2014.

Last modified 26 Jan 2017
Definitions

Definition of personal data

Personal data shall, for the purposes of the DPA, mean any information relating to an identified or identifiable natural person, either directly or indirectly, in particular by reference to an identifier of general application or by reference to one or more factors specific to his/her physical, physiological, psychic, mental, economic, cultural or social identity.

Definition of sensitive personal data

The DPA does not provide a definition of sensitive personal data. However, one provision of the DPA, entitled ‘Special categories of data’, refers, inter alia, to personal data related to race, ethnic origin, political opinions and religious belief, as well as data related to breaches of criminal or administrative law, biometric data, and data related to the mental status of the data subject.

Authority

The Data Protection Office of the Slovak Republic (‘Office’; official Slovak name: Úrad na ochranu osobných údajov Slovenskej republiky) is located at:

Hraničná 12
820 07, Bratislava 27
Slovak Republic

The Office is responsible for overseeing the DPA in Slovakia.

Registration

The former obligation to register information systems with the Office has been replaced by an obligation of the data controller to notify the Office of its information systems under the conditions set out in the DPA.

The notification obligation applies to all information systems in which personal data are processed by fully or partially automated means.

The information system must be notified before the processing of the data contained in it begins. Notification may be made electronically or in writing and is free of charge. The Office assigns an identification number to the information system and, on the controller’s request, issues a certificate confirming that the notification obligation has been fulfilled.

Despite the above, special registration remains applicable to the information systems stipulated in the DPA, inter alia those that contain special categories of data, or data processed without the data subject's consent that are to be transferred to third countries not guaranteeing an adequate level of data protection. The Office verifies whether the data processing could infringe the rights and freedoms of data subjects and decides, within 60 days of receipt, whether or not to permit the processing. The Office may prolong this period, but in any case to a maximum of 6 months. If the Office assesses the data processing in the information system as a risk, it will not carry out the special registration of the processing for the respective purpose. The Office carries out special registration for a fee of EUR 50.

Data Protection Officers

The data controller is responsible for the internal supervision of the protection of personal data processed pursuant to the DPA. If the data controller processes personal data through authorised persons, it may nominate in writing one or more data protection officers to supervise compliance with the DPA within its organisation. The data controller must notify the Office of the nomination in writing without undue delay, and no later than 30 days after the nomination.

A data protection officer may supervise compliance with the DPA on the basis of his/her nomination only after successfully passing the professional examination at the Office. The particulars of this examination are stipulated in Decree of the Office No. 165/2013 Coll.

Collection & Processing

Under the DPA, a data controller who intends to process personal data of a data subject must inform the data subject before obtaining the data, notifying him/her in advance of the following:

  • identification data of the data controller and his/her/its representative (if appointed)
  • identification data of the data processor, provided that the data controller processes personal data of the data subject through a data processor
  • the purpose of the personal data processing
  • the list (or extent) of personal data, and
  • additional information to the extent necessary for safeguarding the rights and legitimate interests of the data subject with regard to all circumstances of the processing of personal data, the particulars of which are provided in the DPA.

Personal data may be processed only by the data controller or data processor. The data processor may process personal data only to the extent and under the conditions agreed with the data controller in a written contract.

The DPA lists the basic obligations of the data controller. The data controller must, inter alia:

  • determine unambiguously and specifically the purpose of data processing before starting the data processing; the purpose of data processing must be clear and must not be contrary to the Constitution of the Slovak Republic, constitutional laws, laws and international treaties binding on the Slovak Republic
  • determine the conditions of the data processing in a manner that does not restrict the rights of the data subject under the DPA
  • process only accurate, complete and, where necessary, updated personal data with respect to the purpose of its processing
  • destroy the personal data once the purpose of processing has been fulfilled, and
  • process personal data in accordance with public morals and act in a manner not contrary to the DPA.

Personal data may be processed only with the consent of the data subject, unless the DPA provides otherwise. The consent of the data subject is not required, for instance, where the purpose of the data processing, the data subjects and the list (or extent) of the personal data are stipulated by a directly enforceable legally binding Act of the EU, an international treaty binding on the Slovak Republic, the DPA or another particular Act. Under the DPA, the processing of special categories of data (ie sensitive information) is allowed only with the written or other reliably verifiable consent of the data subject and subject to the specific conditions set forth in the DPA.

Transfer

Transfer to third parties within the territory of the Slovak Republic

Personal data of the data subject may be transferred from the information system to another natural person or legal entity only upon obtaining written confirmation of the data subject's consent, where the DPA requires such consent. The person providing the data in this manner may replace this written confirmation with a written declaration by the data controller stating that the data subjects gave their consent, provided that the data controller is able to prove that the written consent of the data subjects was given.

Transfer to non‑EU member states (ie third countries) that offer an adequate level of data protection

If the third country guarantees an adequate level of data protection, the data may be transferred to that country provided the data controller has informed the data subject of the facts required when obtaining the data subject's data (ie the information mentioned above in relation to the collection of data by the data controller). Under the DPA, the transfer of data to a country that guarantees an adequate level of protection is also allowed in cases where no notification/information to the data subject is required.

Transfer to third countries that do not offer an adequate level of data protection

If the third country does not guarantee an adequate level of protection, the transfer of data is possible if the data controller adopts appropriate guarantees to protect:

  • the privacy and fundamental rights and freedoms of natural persons (data subjects), and
  • the enforcement of such rights.

Such guarantees result either from standard contractual clauses under special regulations or from binding internal rules of the data controller which were approved by a data protection supervisory authority with its seat in an EU or EEA Member State.

If, in the contract on the transfer of personal data to a third country which does not offer an adequate level of protection, the data controller uses contractual clauses which differ from the contractual clauses referred to above and/or are obviously non-compliant with them, the data controller is obliged to obtain the consent of the Office for such transfer in advance.

Otherwise, the transfer of data to a third country that does not offer an adequate level of protection is possible only if the conditions mentioned below are fulfilled:

  • before the actual transfer, the data subject gave a written or other reliably verifiable consent to the transfer, while knowing that the country of final destination does not ensure an adequate level of protection
  • the transfer is necessary for the execution of a contract between the data subject and the data controller, for pre-contractual measures, or in negotiations regarding amendments to the contract which are initiated at the request of the data subject
  • it is necessary for entering into, or the execution of, a contract concluded by the data controller in the interest of the data subject with another entity
  • it is necessary or desired under the respective law for securing an important public interest or for proving, filing or defending a legal claim resulting from an international treaty binding for the Slovak Republic or resulting from the laws
  • it is necessary for the protection of vital interests of the data subject, or
  • it concerns personal data which form part of lists, registers or files that are kept and publicly accessible pursuant to special legislation, or which are available under that legislation to persons who prove that they are legally entitled and fulfil the conditions prescribed by law for access to the data.

Transfer to the US

For the transfer of data to the United States, compliance with the US/EU Safe Harbor principles no longer satisfies the requirements of the DPA provisions on data transfer. On 12 July 2016, the EU Commission therefore adopted the decision on the EU-US Privacy Shield. This new arrangement complies with the requirements stipulated by the European Court of Justice in its judgment of 6 October 2015 in the Schrems case (C-362/14).

The Privacy Shield allows for the personal data to be transferred from the EU to a US company, if such a US company signs up to the Privacy Shield framework with the US Department of Commerce. The obligations applying to the US companies under the Privacy Shield are contained in the Privacy Principles. The details of all the companies taking part in the Privacy Shield may be found in the Privacy Shield List, which is available on the website of the US Department of Commerce (https://www.privacyshield.gov/welcome).

If the US company is not a member of the Privacy Shield, the mechanisms enabling the data transfer to the countries which do not guarantee an adequate level of data protection, which are described above, may be used.

Security

The data controller is responsible for the security of personal data by protecting it against damage, destruction, loss, alteration, unauthorised access and making available, providing or publishing, as well as against any other unauthorised forms of processing. For this purpose, the data controller must take reasonable technical, organisational and personal measures which correspond to the manner of processing data.

The data controller is required to prepare a security project for certain information systems under the conditions stipulated in the DPA. The security requirements are stipulated in detail by Decree of the Office No. 164/2013 Coll.

If the data controller processes personal data through authorised persons, it may nominate in writing one or more data protection officers to supervise compliance with the DPA within its organisation. The data controller is required to instruct the authorised persons about the rights and obligations stipulated in the DPA before the first operation with the personal data is carried out. The data controller must establish and maintain the confidentiality of the processed data, even after the processing has ended.

Breach Notification

Under the DPA, there is no mandatory requirement to report data security breaches or losses to the Office. However, this does not affect the ability of other public authorities to report data security infringements or losses to the Office if they suspect that such an event may have occurred.

Enforcement

The Office is responsible for the enforcement of the DPA. Upon a complaint from a data subject or another person, or a report from a public authority, the Office commences administrative proceedings to ascertain possible breaches of the obligations or conditions stipulated by the DPA and, where a breach is found, imposes a fine. Depending on the nature of the breach, the Office may issue decisions providing temporary relief for the data subject or ensuring due rectification.

The Office imposes fines for breaches of the DPA of between EUR 150 and EUR 200,000. The Office may publish a notice containing the identity of the data controller or data processor that breached the provisions of the DPA and the final decision of the Office regarding such breach, including a description and the merits of the case. The Office also imposes disciplinary fines on the data controller or the data processor in the instances stipulated by the DPA.

Electronic Marketing

Electronic marketing shall be governed by Act No. 351/2011 Coll. on Electronic Communications, as amended ('ECA').

Under the ECA, the processing of the traffic data of a subscriber or user by a public network or service provider for the purpose of marketing services or providing value added services is possible solely with the prior consent of the subscriber or user.

Prior to obtaining the consent, the public network or service provider is obliged to inform the subscriber or user of:

  • the type of the traffic data processed
  • the purpose of the traffic data processing, and
  • the duration of the data processing.

For the purposes of direct marketing, calling or using automatic calling and communication systems without human intervention, facsimile machines or e-mail (including SMS messages) to contact a subscriber or user who is a natural person is allowed solely with his/her prior consent. Such consent must be provable. Users or subscribers are entitled to withdraw such consent at any time.

The prior consent of the recipient of a marketing e-mail is not required in the case of direct marketing of a person's own similar products and services, where that person obtained the recipient's electronic contact information in the course of a previous sale of its own product and/or service to the recipient, in line with the provisions of the ECA. The recipient of such an e-mail is entitled to refuse, at any time, by simple means and free of charge, such use of his/her electronic contact information, both at the time of its collection and on the occasion of each message delivered, unless the recipient has already refused such use.

Both of the following are prohibited:

  • sending e-mails for the purposes of direct marketing without providing a valid address to which the recipient may send a request to stop receiving such communications, and
  • encouraging visits to a website in contradiction with a special regulation.
Online Privacy

As regards the protection of privacy and protection of personal data processed in the electronic communications sector, the provisions of the ECA shall apply. The ECA implemented Directive 2002/58/EC (as amended by Directive 2009/136/EC).

Under the ECA, the public network or service provider is obliged to ensure, technically and organisationally, the confidentiality of communications and related traffic data conveyed by means of its public network and public services. In particular, the recording, listening to or storage of data (or any other kind of interception or surveillance of communications and related data) by persons other than the users, or without the consent of the users concerned, is prohibited. This does not prohibit the technical storage of data that is necessary for the conveyance of communications; the principle of confidentiality nevertheless continues to apply to such data.

Further to this, the network or service provider (‘undertaking company’) is not liable for the protection of the conveyed information if such information can be directly listened to or obtained at the location of broadcasting and/or reception.

However, this ban does not apply to the temporary recording and storage of messages and related traffic data if it is required:

  • for the provision of value added services ordered by a subscriber or user
  • to prove a request to establish, change or withdraw a service, or
  • to prove the existence or validity of other legal acts made by the subscriber, user or undertaking company.

Under the ECA, each person that stores, or gains access to, information stored in the terminal equipment of a user must be authorised to do so by the user concerned, whose consent must be based on exact and complete information regarding the purpose of such processing of the data. In this regard, the use of the relevant settings of a web browser or other computer program is also considered (implied) consent.

Traffic Data

Traffic Data may be processed only for the purpose of conveying a communication on an electronic communications network or for invoicing such communication. Traffic Data relating to subscribers or users may not be stored without the consent of the person concerned, and the undertaking company is required, after the end of a communication transmission, to destroy or anonymise such Traffic Data without delay, except as otherwise provided by the ECA.

If it is necessary for the invoicing of the subscribers and network interconnection payments, the undertaking company is required to store the Traffic Data until the expiration of the period during which the invoice may be legally challenged or the claim for the payment may be asserted. The undertaking company is required to provide the Traffic Data to the Office or the court in the case of a dispute between undertaking companies or between an undertaking company and a subscriber. The scope of the stored Traffic Data must be limited to the minimum necessary.

Location Data

The undertaking company may process Location Data other than Traffic Data relating to a subscriber or user of a public network or public service only if the data are anonymised or the processing is carried out with the user's consent, and only to the extent and for the time necessary for the provision of a value added service. Prior to obtaining consent, the undertaking company must inform the subscriber or user which Location Data other than Traffic Data will be processed, the purpose and duration of the processing, and whether the data will be provided to a third party for the purpose of providing the value added service. The subscriber or user may revoke consent to the processing of Location Data at any time.

Following the judgment of the Court of Justice of the European Union of 8 April 2014 in the joined cases Digital Rights Ireland (C-293/12) and Kärntner Landesregierung (C-594/12), which annulled the so-called "data retention" Directive 2006/24/EC, the Constitutional Court of the Slovak Republic issued a judgment on 29 April 2015 (PL. ÚS 10/2014-78) ("Judgment") declaring certain provisions of the ECA to be non-compliant with the Constitution of the Slovak Republic, the Charter of Fundamental Rights and Freedoms and the Convention for the Protection of Human Rights and Fundamental Freedoms. As a result of the Judgment, the obligation of telecommunications operators to retain the Traffic Data and Location Data relating to the electronic communications of all citizens for the prescribed period (6/12 months) was abolished and removed from the ECA.

Contacts
JUDr. Dr. Michaela Stessl
Country Managing Partner
T +421 2 59202 122
Eva Skottke
Senior Associate
T +421 2 59202 111