Data Privacy and Cybersecurity

GDPR Guide to National Implementation: Slovakia

A practical guide to national GDPR compliance requirements across the EEA

Article | 25 min read

Slovakia

In this chapter:

Q1/ Applicable legislation

Q2/ Personal data of deceased persons

Q3/ Legal bases for processing

Q4/ Consent of children

Q5/ Processing of sensitive personal data

Q6/ Data relating to criminal offences or convictions

Q7/ Exemptions

Q8/ Restrictions on data subjects’ rights

Q9/ Joint controllership

Q10/ Processor

Q11/ Data Protection Impact Assessments

Q12/ Prior authorisation and public interest

Q13/ DPOs

Q14/ International data transfers

Q15/ DPAs

Q16/ Claims by not-for-profit bodies

Q17/ Administrative fines, penalties and sanctions

Q18/ Freedom of expression and information

Q19/ National identification numbers

Q20/ Processing in the context of employment

Q21/ Other material derogations

Q22/ Current legal challenges

Q23/ Enforcement

Q24/ Regulatory Guidance

———


Q1/ Applicable legislation

(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?

New legislation has been passed.

———

(b) Relevant legislation includes:

  • Act No. 18/2018 Coll., on the Protection of Personal Data and on Changing and Amending of Other Acts (the “Data Protection Act”)
    • Date in force: 25 May 2018
    • Link: see here 

Two amendments to the Data Protection Act were adopted recently. The ensuing changes are, however, immaterial.

———

(c) What is the status of national pre-GDPR data protection law?

The main pre-GDPR legislation has been repealed in full. However, several laws containing provisions regarding the processing of personal data and/or governing certain aspects of personal data processing in specific sectors will continue to apply following the coming into force of the GDPR and have not been fully updated (as such, they may still contain references to pre-GDPR legislation).

———


Q2/ Personal data of deceased persons

Does national law make specific rules regarding the processing of personal data of deceased persons?

If a data subject is no longer alive and the processing of a deceased person’s personal data is subject to consent under the GDPR, such consent may be provided by a person close to the data subject (e.g., a direct relative, brother or sister or spouse); such consent cannot be validly given if even a single person close to the deceased person has expressed his/her disapproval in writing. 

Further conditions related to the processing of personal data of deceased persons may be regulated by special laws (for example, health care law, which, for instance, regulates the conditions for access to health data of a deceased person by third persons).

———


Q3/ Legal bases for processing

(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?

The Data Protection Act does not contain any specific rules governing the processing of personal data subject to GDPR in compliance with a legal obligation.

However, with regard to the processing of genetic data, biometric data and health data, the Data Protection Act (with reference to Art. 9(4) GDPR) states that the controller may process such data also “on the basis of special laws (such as insurance legislation) or an international agreement binding on the Slovak Republic”, thereby providing a separate legal basis for the processing of the above categories of personal data, including where required for the fulfilment of legal obligations under such special laws (see also Q5(c) below for more detailed comments).

It should be further noted that numerous special laws continue, even upon the applicability of the GDPR, to provide for an explicit possibility (authorisation) and/or other conditions to process personal data for the purpose of the fulfilment of legal obligations imposed on the controllers under such special laws (e.g., obligations on banks or obligations on insurance undertakings). In practice, the processing of personal data for the fulfilment of legal obligations under such special laws is generally considered to fall under the legal basis provided for in Art. 6(1)(c) GDPR. It appears that this practice has not been challenged so far.

———

(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?

The Data Protection Act does not contain any specific rules governing the processing of personal data for the performance of tasks carried out in the public interest.

However, the processing of personal data for the performance of tasks carried out in the public interest may be based on special laws, but the controller relying on such legal bases will need to prove that the processing envisaged in the law in question meets the requirements under the GDPR.

———

(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?

The Data Protection Act does not contain any specific rules governing the processing of personal data in the exercise of official authority vested in the controller.

However, numerous special laws provide the legal bases for the processing necessary for the exercise of official authority vested in the relevant controllers. Generally, such specific laws also contain additional rules regarding such personal data processing.

———

(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?

There are no specific additional criteria governing this issue.

———


Q4/ Consent of children

At what age can a child give their consent to processing in relation to ISS?

16 years of age.

———


Q5/ Processing of sensitive personal data

(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?

All sensitive personal data can be processed if the data subject’s valid consent has been obtained. However, certain legislation, such as the labour code, may limit the ability of controllers to process such data, even if consent has been obtained. For example, even if consent has been obtained, employers are prohibited from processing certain sensitive personal data in an employment context.

———

(b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:

(i) Employment, social security and/or social protection law

Under the Slovak Labour Code, employers may only collect personal data about an employee regarding such employee’s qualifications and work experience and other personal data (including the results of medical or psychological examinations proving the employee’s capability to perform certain types of work) that may be relevant in relation to the work performed and/or to be performed by the employee in question. Employers may not process information on pregnancy, family circumstances and the political, trade union and religious affiliations of candidates in the precontractual stage.

In addition, the Slovak Labour Code contains provisions regulating the monitoring of employees. The employer may not monitor employees, record phone calls made via the employer's communication means, or check e-mails sent from or delivered to an employee's work e-mail account unless there are serious reasons arising from the special nature of the employer's operations and the employees have been notified beforehand. If an employer intends to implement monitoring mechanisms, it must discuss the scope of the monitoring, the manner in which it is carried out and its duration with the employee representatives, and inform the employees of that scope, manner and duration.

Health data (as well as genetic and biometric data) may also be processed based on the provisions of special laws, and, in particular, when necessary for the fulfilment of legal obligations under such special laws, including those in connection with the reporting obligations of the employer vis-à-vis the Slovak Social Insurance Company.

(ii) Substantial public interest

Although the Data Protection Act does not contain any specific rules on the processing of sensitive personal data for substantial public interest, such rules may be stipulated in special laws regulating the processing of sensitive personal data for such purposes (e.g., use of biometric data to ensure security of nuclear power plants under applicable legislation).

(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services

The Data Protection Act does not contain any specific rules on the processing of sensitive personal data for these purposes. Legal bases and further conditions for processing are usually governed by special laws.

Under the Slovak Labour Code, employers may only process the results of a medical or psychological examination proving an employee’s capability to perform certain types of work if such capability is required under relevant special laws.

Sector-specific laws provide the legal basis for the processing of personal data by public health authorities for the purposes stated therein, including specific conditions for such processing.

Health care legislation specifies the contents of health documentation to be maintained by providers of health care services as well as the required security measures and the regulation of access to such personal data by third parties.

The processing of personal data within the national health registers (including the processing of data in electronic health documentation) is further governed by legislation relating to the national health system, which regulates the scope of data processed as well as access to the processed personal data by third persons and/or for statistical purposes.

For the specifics related to the processing of sensitive personal data in the field of social security, see Q5(b)(i) above. In this respect, please see also Q5(c) below.

(iv) Public interest in the area of public health

The Data Protection Act does not contain any specific rules on processing sensitive personal data for this purpose.

The processing of personal data for reasons of public interest in the area of public health is generally regulated by special laws, which provide additional rules for the processing of personal data in those sectors.

(v) Archiving purposes, scientific or historical research purposes or statistical purposes

When processing personal data (including sensitive personal data) for archiving, scientific, historical research or statistical purposes, controllers and processors must adopt adequate safeguards to protect the rights of the data subject; this includes the implementation of appropriate and sufficient technical and organisational measures and, in particular, data minimisation and pseudonymisation.

If personal data (including sensitive personal data) are processed for any of the aforementioned purposes, the rights of access, rectification, restriction and objection (and, for the purposes of archiving, also the right to portability) may be restricted by special laws or by an international treaty binding on Slovakia (the restriction by international treaties does not apply to archiving), provided that the following criteria are met:

  • the adequate safeguards (mentioned above) have been adopted;
  • these rights of the data subject would otherwise substantially hamper the achievement of said purpose; and
  • such a restriction of rights of the data subject is indispensable for achieving this purpose.

Such limitations were introduced by, for example, legislation relating to the compilation of official statistics, pursuant to which the right to rectification cannot be exercised once the process of collection of the particular set of statistical data has already been completed, or if the rectification would require a disproportionate time or effort on the side of the controller.

Further regulation on the processing of personal data for statistical purposes in certain specific sectors (such as national health) may be applicable.

———

(c) Has national law introduced any further conditions and/ or limitations with regard to the processing of genetic data, biometric data, or health data?

As indicated above, controllers may process genetic, biometric and health data on the basis of special laws or an international agreement binding on the Slovak Republic which, in fact, may be regarded as the introduction of an additional legal basis for the processing of the aforementioned personal data.

It remains to be seen whether the introduction of such an additional legal basis for the processing of those categories of personal data will be supported if the processing of personal data on such legal basis is legally challenged (in particular, in light of the ambiguous scope of the delegation provision allowing for Member State legislative action under Art. 9(4) GDPR). It appears that the provision in question has not yet been challenged in court or in the practice of the DPA.

———


Q6/ Data relating to criminal offences or convictions

Under what conditions does national law permit the processing of personal data relating to criminal convictions?

Personal data relating to criminal convictions and offences may only be processed based on an authorisation stipulated in special laws or an international treaty binding on Slovakia, provided appropriate safeguards are implemented. In general, applicable special laws, such as the Slovak Labour Code, do not contain any specific or additional safeguards except for the limitation of the processing to the purpose set forth in such special laws. For example, under the Slovak Labour Code, an employer may only request proof of a clean criminal record in the event that the special laws require such proof for certain work positions, or if the character of the work position to be performed warrants such a requirement.

The Data Protection Act also regulates the processing of personal data related to criminal offences and convictions by the police and other law enforcement authorities outside of the scope of the GDPR.

———


Q7/ Exemptions

(a) Does national law specify exemptions to a data subject’s right to erasure?

There are no specific exemptions to the right to erasure.

———

(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?

The Data Protection Act does not provide for any general exemptions from the right to be informed.

However, exemptions or specifications regarding the exercise of this right may stem from special legislation or Codes of Conduct approved by the DPA.

———

(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?

There are no specific exemptions to the right to not be subject to automated individual decision-making.

———


Q8/ Restrictions on data subjects’ rights

Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?

As mentioned in Q5(b)(v) above, the Data Protection Act anticipates that special laws and/or an international treaty binding on Slovakia (restriction by international treaties does not apply to archiving) may restrict the following rights of data subjects with regard to processing for archiving purposes, scientific or historical research purposes or statistical purposes:

  • right of access;
  • right to rectification;
  • right to restriction; and
  • right to object (and, for the purposes of archiving, also the right to portability).

Such restrictions may be introduced subject to the fulfilment of the following conditions:

  • adequate safeguards (the implementation of appropriate and sufficient technical and organisational measures and, in particular, data minimisation and pseudonymisation) being adopted;
  • the rights of the data subjects would otherwise substantially hamper the achievement of such purposes; and
  • such a restriction of the rights of the data subject is indispensable for achieving this purpose.

Such limitations were introduced by, for example, legislation relating to the compilation of official statistics pursuant to which the right to rectification cannot be exercised once the process of collection of the particular set of statistical data has already been completed, or if the rectification requires a disproportionate time or effort on the side of the controller.

As indicated above, further restrictions or specifications of conditions for exercising the data subjects’ rights may also ensue from special laws and/or sector specific

———


Q9/ Joint controllership

Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?

There are no additional rules on apportionment of liability between joint controllers.

———


Q10/ Processor

In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?

The Data Protection Act does not contain any additional specific rules regarding the processing of personal data by a processor. However, additional regulation can be introduced by special laws.

———


Q11/ Data Protection Impact Assessments

Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?

Impact Assessments are only required in accordance with the provisions of the GDPR. Pursuant to Art. 35(4) GDPR, the DPA has recently published a list of data processing activities that require an impact assessment (e.g., processing of biometric, genetic or location data, profiling, and monitoring of employees).

———


Q12/ Prior authorisation and public interest

Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?

Prior authorisation from the DPA is only required in accordance with the provisions of the GDPR.

———


Q13/ DPOs

(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?

DPOs are only mandatory in the circumstances set out in Art. 37(1) GDPR.

———

(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?

The Data Protection Act does not explicitly impose confidentiality obligations on DPOs. However, DPOs are subject to secrecy obligations under national law in the following ways:

  • the controller and the processor are obliged to ensure that any personnel of the controller or processor who may come into contact with personal data (including the DPO) protect the confidentiality of the relevant personal data. This confidentiality obligation continues even after the termination of the employment or other similar legal relationship between such person and the controller or the processor; and
  • specific confidentiality/professional secrecy obligations applicable to employees processing personal data in general also stem from special laws in specific sectors, such as health care and banking.

———


Q14/ International data transfers

(a) Does national law make specific rules about transfers of personal data from public registers?

Data transfers from public registers are not subject to specific rules.

———

(b) Does national law restrict the transfer of specific categories of personal data to third countries?

The Data Protection Act contains specific regulations, including safeguards to be observed only where law enforcement authorities (which are usually outside the regime of the GDPR) transfer personal data relating to criminal offences and convictions to third countries.

———


Q15/ DPAs

(a) Details of the DPA(s).

  • Name of DPA: The Office for Personal Data Protection of the Slovak Republic (in Slovak: Úrad na ochranu osobných údajov Slovenskej republiky)

———

(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?

Not applicable as there is only one DPA.

———

(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?

Not applicable.

———

(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?

In addition to the powers listed in Art. 58 GDPR, the DPA can order the controller or the processor to provide explanations if there is a suspected breach of obligations under the Data Protection Act, the GDPR, special laws or an international treaty binding on Slovakia.

———

(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?

Parties may challenge first instance decisions of the DPA by appeal, which will be dealt with by the Chairman of the DPA.

The decision of the Chairman of the DPA may be further subject to judicial review.

———

(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?

In general, the DPA must respect professional secrecy and abstain from requiring information subject to professional secrecy but no specific rules under Art. 90 GDPR have been adopted. However, certain special laws that regulate the scope of professional secrecy in specific sectors (for example, banking) contain specific derogations to the DPA permitting the provision of certain categories of personal data that are usually subject to professional secrecy, without such disclosure constituting a breach of professional secrecy.

———


Q16/ Claims by not-for-profit bodies

Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?

There are no not-for-profit bodies that are specifically mandated to bring such claims.

The Data Protection Act does not contain any specific provisions entitling not-for-profit bodies to bring claims on behalf of individuals without the specific mandate of those individuals.

However, under the Civil Procedure Code, not-for-profit bodies may join civil court proceedings to support a data subject that is a party to such proceedings. In a more general context, not-for-profit bodies may also challenge unfair consumer terms and/or unfair business practices that may relate to the processing of personal data in court, even without a specific mandate from the data subject within proceedings on the abstract review of consumer contracts.

———


Q17/ Administrative fines, penalties and sanctions

(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?

There are no specific rules regarding fines for public authorities.

———

(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?

In addition to the fines that can be imposed under the Data Protection Act, the Criminal Code sets out certain criminal offences in connection with the unauthorised or malicious processing of personal data and, in particular, the unauthorised disposal of personal data (covering the unauthorised provision, disclosure or publication of personal data obtained in connection with the performance of public authority, the exercise of a data subject's constitutional rights, or the performance of a profession, job or function, in breach of a statutory obligation). This offence is punishable by imprisonment of up to one year, or up to two years if the offence was committed publicly or in a more serious manner (e.g., by exploiting a situation of distress or with respect to multiple data subjects) and/or if it led to serious harm to the data subject's rights.

———


Q18/ Freedom of expression and information

(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?

The Data Protection Act authorises providers of mass media services to process personal data necessary for the purpose of informing the public via mass media, even without the consent of the data subjects, provided that such processing does not infringe upon the data subject’s right to protection of personality, right to privacy, and such processing of personal data without the data subject’s consent is not prohibited by special laws or by an international treaty binding on Slovakia.

———

(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?

The Data Protection Act authorises the processing of personal data for the purpose of academic, artistic and literary expression, even without the consent of the data subjects, provided that such processing is indispensable for the purpose, it does not infringe upon the data subject’s right to protection of personality, right to privacy, and such processing of personal data without the data subject’s consent is not prohibited by special laws or by an international treaty binding on Slovakia.

———


Q19/ National identification numbers

Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?

Using a general identifier (i.e., in Slovakia, the birth number (in Slovak: rodné číslo), which serves as the national identification number) is permissible only if the purpose of the data processing in question cannot be attained without such an identifier. If the processing of such an identifier is based on the data subject's consent, such consent must be explicit, and processing on the basis of consent must not be ruled out by special laws. Making the identifier public is prohibited, unless it is made public by the data subject.

———


Q20/ Processing in the context of employment

(a) For what purposes can employees’ personal data in the employment context be processed under national law?

Employers may only collect personal data about employees regarding their qualifications, work experience and other personal data (including the results of medical or psychological examinations proving the employee’s capability to perform certain types of work) that may be relevant in relation to the work performed and/or to be performed by the employee in question. Employers may not collect information on pregnancy, family circumstances or political, trade union and religious affiliations of candidates in the pre-contractual stage.

In addition, the Slovak Labour Code contains specific rules regarding the implementation of monitoring at the workplace. The processing of personal data of employees is also regulated in multiple special laws regulating reporting, record keeping and/or other obligations of the employers, e.g., in the field of social security.

Further, the Data Protection Act specifically authorises the employer to provide and/or make public the employee’s name, position, department, employee number, workplace address and contact details if necessary in connection with the performance of the work duties of the relevant employee and provided that it does not undermine the esteem, dignity and/or security of the employee.

———

(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?

XXX

———


Q21/ Other material derogations

Are there any other material derogations from, or additions to, the GDPR under national law?

Controllers and processors are obliged to ensure that any person who comes into contact with personal data at the entity acting as a controller or a processor (including employees) maintains the confidentiality of the personal data processed. The confidentiality obligation continues even after the termination of employment or other similar legal relationship of such a person with the controller or the processor.

The personal data of a data subject may only be obtained from another natural person (different from the data subject) and processed by the controller, using its information systems, with the prior written consent of the data subject (it remains to be clarified whether consent by electronic means would suffice). Such a requirement does not apply to situations in which, by providing such personal data to the controller’s information system, the provider of such data protects his or her rights or interests, justifies the invocation of legal liability of the data subject based on facts, or where such personal data is processed pursuant to a special law (for example, legislation relating to whistleblowing). The controller must always be able to prove to the DPA, upon its request, that the data was obtained in accordance with the above conditions.

———


Q22/ Current legal challenges

Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?

There are no current legal challenges ongoing.

———


Q23/ Enforcement

Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?

To date, the DPA has not taken any material enforcement action for breaches of the GDPR. It appears that the DPA has not yet imposed final binding decisions on any fines exceeding €10,000.

———


Q24/ Regulatory Guidance

Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?

The DPA has issued the following guidance on the application of the GDPR and/or GDPR implementation law:

  • Guidance on Personal Data Processing of Legal Persons and Natural Persons - Entrepreneurs (see here (in Slovak));
  • Guidance on Lawfulness of Personal Data Processing (see here (in Slovak));
  • Guidance on Authorized Persons Pursuant to Art. 29 GDPR: (see here (in Slovak));
  • Guidance on Appointment of DPO (see here (in Slovak));
  • Guidance on E-commerce Data Processing (see here (in Slovak));
  • Guidance on Clinical Trials Data Processing (see here (in Slovak));
  • List of Processing Operations Subject to DPIA (see here (in Slovak)).

———

See also:

Our Global Data, Privacy & Cybersecurity Practice »

GDPR Handbook: Unlocking the EU General Data Protection Regulation »

———


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP