Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

The Data Protection Act requires controllers and processors to ensure the security of personal data by protecting it against accidental or unlawful damage or destruction, accidental loss, alteration, unauthorised access or release, or any other unauthorised forms of processing.

Controllers and processors must take technical, organisational and personal security measures in accordance with the manner of processing, while taking into account (among other things):

  • the existing technical means;
  • the extent of any risks that could endanger the security or functionality of the filing system;
  • confidentiality considerations; and
  • the importance of the processed personal data.

Security measures are specified in the Decree on the Extent of Safety Measures Documentation (164/2013 Coll) and are categorised as either:

  • security documentation; or
  • security projects.

Security projects are more detailed and are required if:

  • sensitive personal data is processed and the filing system is connected to the Internet; or
  • the filing system is used to safeguard public interests.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

There is no general obligation under Slovak law to notify data subjects of personal data security breaches, with the exception of breaches in the telecommunications sector that can affect the data subject’s privacy (pursuant to the Electronic Communications Act 2006 (275/2006 Coll); certain exceptions apply).

However, the general obligation to notify data subjects can be deduced from the Civil Code requirement to prevent damages (ie, where notification would effectively reduce the impact of the data breach). That said, this will be subject to change once the EU General Data Protection Regulation applies: the controller will be obliged to communicate the personal data breach to the data subject without undue delay if the breach is likely to pose a high risk to the data subject’s rights and freedoms.

Are data owners/processors required to notify the regulator in the event of a breach?

There is no general obligation under Slovak law to notify personal data security breaches to the Office for the Protection of Personal Data, except for breaches in the telecommunications sector.

However, this will change once the EU General Data Protection Regulation applies: the controller will be obliged to notify the supervisory authority of the personal data breach no later than 72 hours after becoming aware of the breach.

Click here to view the full article.