
Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

In general, personal data may be processed (ie, collected, stored, disclosed, modified and transferred) either with the consent of the data subject or under one of the statutory exemptions allowing the controller or processor to process the data without the data subject’s consent. The data subject must also be informed of his or her rights regarding the processing of his or her personal data. The data controller must comply with the security obligations provided for in the Data Protection Act. Moreover, the data controller must notify the Office for the Protection of Personal Data of each category of processing, unless the processing falls within one of the statutory exemptions.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

The leading principle in Slovak law is that the data controller may retain personal data only for as long as is necessary to fulfil the purpose for which the data is processed; thereafter the data must be deleted. The purpose must be defined by the data controller in compliance with other general legal requirements, and the retention period must be adequate and reasonable in the context of the stated purpose of the processing. In many cases, however, the purpose is defined by specific laws and regulations, which usually also set a retention period.

The general exemption provided for in the Data Protection Act is that personal data may be retained for the purpose of state statistical services, scientific purposes and archiving. The data controller must not use the processed personal data to support measures or actions taken against the data subject or his or her interests, or to restrict the data subject’s rights and freedoms. In the course of personal data processing for the abovementioned purposes, the controller must label the data, anonymise it (if doing so still allows for the purpose of the processing to be achieved) and destroy it as soon as it becomes obsolete.

Specific laws provide for a special retention period for sectors such as:

  • tax and accounting;
  • telecommunications;
  • healthcare;
  • social security and pension systems; and
  • financial services.

Do individuals have a right to access personal information about them that is held by an organisation?

Under the Data Protection Act, the individual (data subject) has the right to access information about his or her personal data which is processed by the data controller or processor. The data controller must provide this information on the data subject’s request.

Do individuals have a right to request deletion of their data?

Data subjects may request deletion of their personal data if:

  • the data is inaccurate, incomplete or out of date (in such a case, the data subject may also request correction of the data);
  • the purpose of the processing has ceased; or
  • the law has been breached.

Consent obligations
Is consent required before processing personal data?

Consent constitutes the principal legal basis for the processing of personal data; any other legal ground is considered to be an exemption from this principle. The data subject’s ‘consent’ is defined as “any freely given specific and informed indication of his/her wishes by which the data subject knowingly signifies his/her agreement that personal data related to him may be processed”.

Common areas of malpractice are incomplete disclosure about the data processing and arrangements in which, once consent is refused, the data subject is left with no obvious alternative.

If consent is not provided, are there other circumstances in which data processing is permitted?

The data controller may process data without consent only where:

  • the purpose of the processing, the relevant data subjects and the relevant personal data or its scope are stipulated in directly applicable EU law, an international treaty to which Slovakia is party or the Data Protection Act. If the personal data or its scope is not defined, the controller must process the data only to the extent and in the manner necessary to achieve the purpose of the processing;
  • the purpose of the processing, the relevant data subjects and the relevant personal data or its scope are stipulated in a special act. The controller must process the data only to the extent and in the manner set out in the special act. The processed personal data may be provided, made available or disclosed only if the special act stipulates:
    • the purpose for doing so;
    • a list of applicable personal data; and
    • the third parties to which the data can be provided, made available or disclosed;
  • processing is necessary to facilitate artistic or literary expression or in order to inform the public through mass media. In both cases, the controller may process the personal data only where such processing falls within the scope of its activities. This does not apply if, by processing personal data for such purpose, the controller violates the data subject’s personal and privacy rights, or if such processing is prohibited by another law or an international treaty to which Slovakia is party;
  • processing is necessary for the performance of a contract to which the data subject is party, or in order to establish relations or take steps at the request of the data subject before entering into a contract;
  • processing is necessary for the protection of the data subject’s life, health or property;
  • the data consists solely of the title, name, surname and address of the data subject and there is no possibility of assigning other data to him or her, and where such data is to be used solely for the controller’s correspondence with the data subject and for related record keeping. If the scope of the controller’s activities includes direct marketing, it may transmit such personal data, without making it publicly available, only if the data is to be transmitted to another controller whose scope of activity also includes direct marketing and the data subject has not filed an objection in writing;
  • the processed data has previously been made public; in such cases, the personal data must be marked accordingly;
  • processing is necessary to fulfil an important task carried out in the public interest; or
  • processing is necessary to protect the statutory rights and legitimate interests of the controller or a third party – in particular, personal data processed in order to protect the controller’s property, financial or other interests, or to protect the controller’s safety by means of closed-circuit television cameras or similar systems (provided that, when processing such data, the controller and third parties respect the fundamental rights and freedoms of the data subject and do not violate his or her personal and privacy rights).

Processing of sensitive data (the Data Protection Act uses the term ‘special categories of data’) may be carried out without the data subject’s consent only if at least one of the following conditions is met:

  • The processing is based on a special law, legally binding EU law or international treaty to which Slovakia is party.
  • The processing is necessary to protect the vital interests of the data subject or another natural person, and the person does not have the legal capacity or physical ability to give consent and the consent of his or her legal representative cannot be obtained.
  • The processing is carried out as part of the legitimate activities of a civil society, foundation or non-profit organisation providing generally beneficial services, a political party or movement, a trade union or a church or religious society acknowledged by the state, and such processing solely concerns the members of the relevant organisation or natural persons with whom they are in regular contact with respect to their objectives, and the personal data solely serves their internal needs and will not be provided to third parties without the data subject’s written consent.
  • The processing concerns personal data that has already been made public by the data subject or which is necessary to exercise a legal claim.
  • The processing is carried out in the course of providing medical care and affects public health insurance, provided that the data is processed by a medical care provider, health insurance company or the Office for Internal Supervision over Healthcare (or on its behalf by a professional that is bound by professional ethics or secrecy obligations).
  • The processing is carried out for health insurance or social security purposes for policemen and soldiers or in order to provide social relief or assistance in distress, or is necessary to fulfil the obligations or exercise the legitimate rights of the controller responsible for the processing with respect to labour law and employment services, and if such processing is pursuant to a special law.

Biometric data, which falls within the special categories of data, may be processed only if at least one of the following conditions is met:

  • The processing is based on the law.
  • The data subject has given written consent to the processing or other credibly proven consent.
  • The processing is necessary to perform a contract.
  • The processing is necessary to protect the statutory rights and legitimate interests of the controller or a third party.

What information must be provided to individuals when personal data is collected?

A controller intending to obtain personal data from an individual must, before collecting the data, inform the individual of the following:

  • its identity – if the controller has its registered office or permanent residence in a third country and a representative acts on its behalf in Slovakia, the representative must also be identified;
  • the processor’s identity, if the processor processes personal data on behalf of the controller or the controller’s representative;
  • the purpose of the personal data processing;
  • a list of the personal data to be collected (in certain cases, stating the scope of the personal data is satisfactory); and
  • additional information to the extent necessary to safeguard the rights and legitimate interests of the data subject with regard to all circumstances of the processing of the data, including:
    • the identity of the person obtaining the data;
    • information on the obligation to provide the requested personal data. If the provision of the data is based on the data subject’s consent, the controller must notify the data subject of the validity term of the consent. If the data subject’s obligation to provide personal data arises from a special law, the controller must specify this law and warn the data subject of the consequences of refusing to provide the data;
    • any third parties involved or recipients of the data, provided that it is expected or clear that the data will be provided to them;
    • if the data is to be made public, the manner in which this will be done;
    • any third countries to which the data will be transmitted, provided that it is expected or clear that the personal data will be transmitted to these countries; and
    • information on the data subject’s rights.

The controller is exempt from providing the above information if the data subject is already aware of it or if the legal grounds for processing are based not on consent, but rather on directly applicable EU legislation, an international treaty to which Slovakia is party, a special act or the Data Protection Act.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

Data transfers to countries outside the European Union that provide an adequate level of protection (on the basis of a European Commission decision) are possible if the data subject has been given the necessary information.

Personal data may be transferred to a third country that does not ensure an adequate level of protection if any of the following conditions are fulfilled:

  • The controller has adopted standard model clauses or binding corporate rules.
  • The data subject has given written or otherwise verifiable consent to the transfer, despite being aware that the country of final destination does not ensure an adequate level of protection.
  • The transfer is necessary in order to perform a contract between the data subject and the controller or during their pre-contractual negotiations.
  • The transfer is necessary to enter into or perform a contract concluded by the controller with another entity in the interest of the data subject.
  • The transfer is necessary in order to:
    • fulfil the obligations of an international treaty to which Slovakia is party;
    • comply with a law protecting public interests; or
    • prove, file or defend a legal claim.
  • The transfer is necessary to protect the vital interests of the data subject.
  • The transfer concerns personal data that is stored and publicly accessible pursuant to special laws or is available under these laws to persons that can prove a legal claim and fulfil the prescribed conditions for accessing the data.
  • The consent of the Office for the Protection of Personal Data has been obtained. Such consent is required if personal data is transferred to a processor residing in a third country that does not provide an adequate level of protection and if the data transfer agreement does not contain standard model clauses or binding corporate rules. However, the transfer of data to third countries in a controller-to-controller scenario does not require the office’s approval.

When transferring employees’ personal data to third countries that do not provide an adequate level of protection, the controller must adopt adequate safeguards (ie, standard model clauses or binding corporate rules).

Sensitive data may be transferred to a third party residing in a third country only after the data subject has given written consent, unless a special act provides otherwise.

Are there restrictions on the geographic transfer of data?

No restrictions apply to data transfers to:

  • EU and European Economic Area member states; and
  • countries with an adequate level of protection, as officially recognised by the European Commission.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

If the controller wishes to outsource processing operations, it must conclude a written contract with the processor. The contract must include clauses stipulating the following points:

  • the identities of the parties;
  • the date of commencement of the processing;
  • the purpose of the processing;
  • the name of the filing system;
  • a list of the relevant personal data (in some cases, merely stating the scope of the relevant personal data is satisfactory);
  • the relevant data subjects;
  • the conditions of the data processing, including a list of permitted operations;
  • the controller’s declaration that in selecting the processor, it considered the processor’s professional, technological, organisational and personal skills and competence to ensure the security of the data processing through use of safety measures prescribed by the Data Protection Act;
  • the controller’s consent to data processing by a sub-processor, if applicable (in such case, the processor remains liable for the security of the data that it processes);
  • the duration of the contract; and
  • the date of the contract and the signatures of the parties.

When outsourcing data processing activities to processors, the controller must consider the guarantees the processor offers regarding technical, organisational and personnel security measures. The controller may not entrust personal data processing to a processor if doing so could present a risk to the rights and statutorily protected interests of the data subjects.

Under the Data Protection Act, the data controller must inform the data subject of the parties that will be processing the personal data and parties to which the personal data may be disclosed. If the controller outsources to the processor after acquiring personal data, it should inform the data subjects of this during their next contact or no later than three months from the day of outsourcing. This also applies when data processing is taken over by another controller.
