Trends and climate
Would you consider your national data protection laws to be ahead or behind of the international curve?
The data protection laws in Slovakia are mostly part of the harmonised EU framework of privacy regulation; as such, they constitute one of the more rigorous systems on an international scale.
Are any changes to existing data protection legislation proposed or expected in the near future?
The so-called ‘European data protection revolution’ has culminated in the EU General Data Protection Regulation (2016/679), which harmonises regulations across all EU member states. The final version of the regulation was approved by the European Parliament and the European Council on April 14 and 15 2016 and was published in the Official Journal of the European Union on May 4 2016. It will enter into force May 24 2018.
Although the regulation will be directly binding on the affected subjects, corresponding amendments in Slovak legislation will have to be made in order to implement newly regulated processes. Therefore, detailed information about proposed obligations is not yet available.
What legislation governs the collection, storage and use of personal data?
The Data Protection Act (122/2013 Coll) governs the collection, storage and use of personal data. The act implements the EU Data Protection Directive (95/46/EC).
Scope and jurisdiction
Who falls within the scope of the legislation?
The Data Protection Act applies to personal data processed by state authorities, territorial self‑administration bodies, other public authorities and natural and legal persons. The act defines the main players as follows:
- A ‘data controller’ is a person that, either alone or jointly with others, determines the purposes and means of processing personal data and processes personal data on data subjects’ behalf. Where the purposes and means of processing personal data are regulated by a special act, a directly applicable legally binding act of the European Union or an international treaty to which Slovakia is party, the controller is thereby the person determined to fulfil the purpose of the processing or the person that fulfils the requirements stipulated by law.
- A ‘data processor’ is a person that processes personal data on behalf of the data controller, in accordance with conditions set out in a written agreement, as stipulated in Section 8 of the Data Protection Act.
Although only controllers and processors that are permanently established in Slovakia typically fall within the scope of the Data Protection Act, the processing of any personal data by any data controller which occurs in Slovak territory (unless the processing consists only of transiting through the European Union) falls within the scope of the Data Protection Act.
What kind of data falls within the scope of the legislation?
The Data Protection Act covers personal data relating to natural persons, but not data relating to legal persons (eg, companies). ‘Personal data’ refers to any information relating to a directly or indirectly identified or identifiable natural person, with particular reference to an identifier of general application or to one or more factors specific to his or her physical, physiological, psychic, mental, economic, cultural or social identity. This may include an individual’s name, address, photograph, telephone number and bank account number.
As well as ‘ordinary’ personal data, the Data Protection Act distinguishes ‘sensitive data’, which is defined as:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of political parties or movements or trade union membership;
- data concerning health or sex life;
- data in the form of an identifier of general application as stipulated by a special law;
- data relating to the mental identity of a natural person or his or her mental capacity to work;
- data relating to a breach of the Penal Code (Act 300/2005 Coll) or the Offences Act (372/1990 Coll); and
- biometric data.
Sensitive data is subject to stricter processing conditions.
Are data owners required to register with the relevant authority before processing data?
The data controller must notify the Office for the Protection of Personal Data before commencing processing. Exceptions to this general rule apply if the processing:
- is subject to special registration;
- is subject to the internal supervision of a data protection officer who is authorised in writing by the controller and who oversees personal data protection pursuant to the Data Protection Act. This does not apply to information systems in which personal data processing is necessary to protect the statutory rights and legitimate interests of the controller or a third party – such an information system is subject to special registration regardless of whether personal data is processed. The Office for the Protection of Personal Data may decide that the information system is subject to special registration;
- involves personal data concerning:
- individuals’ membership of a trade union and such data is processed and used by the trade union solely for internal purposes;
- religious beliefs of persons associated with a church or religious association acknowledged by the state and such data is processed and used by the church or religious association solely for internal purposes; or
- individuals’ membership of a political party or movement and such data is processed and used by the political party or movement solely for internal purposes; or
- involves personal data processed pursuant to a special law, directly binding legal act of the European Union or international treaty to which Slovakia is party.
The data controller must seek special registration at the Office for the Protection of Personal Data before processing any of the following types of data:
- personal data necessary to protect the statutory rights and legitimate interests of the controller or a third party (where the Office for the Protection of Personal Data has decided that special registration is required);
- personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of political parties or movements, trade union membership, health or sexual life, where such data is transferred to a third country that cannot ensure an adequate level of protection or an exception for the transfer applies; or
- biometric data, unless processing stems from the Data Protection Act.
Processing of data subject to special registration may commence only after the Office for the Protection of Personal Data has issued confirmation of special registration to the controller.
Is information regarding registered data owners publicly available?
The Office for the Protection of Personal Data administers the Public Register of the Processing of Personal Data.
The register of notifications is available at dataprotection.gov.sk/uoou/sk/content/zverejnenie-stavu-oznameni.
The register of special registrations is available at dataprotection.gov.sk/uoou/sk/content/zverejnenie-stavu-osobitnych-registracii.
Is there a requirement to appoint a data protection officer?
The position of data protection officer is recognised by the Data Protection Act; however, data controllers are not required to appoint one. The data protection officer must pass an exam on data protection law at the Office for the Protection of Personal Data. However, this will be subject to change once the EU General Data Protection Regulation applies.
Which body is responsible for enforcing data protection legislation and what are its powers?
The Office for the Protection of Personal Data is responsible for enforcing data protection legislation. It may carry out targeted inspections on its own initiative or investigate complaints that it receives. The office may carry out on-site investigations. In the course of the investigation, the data controller must provide all necessary information on request and cooperate with the office.
If the office identifies any breach of the Data Protection Act, it may impose remedial measures, including orders to delete data or cease processing. The data controller may appeal to the president of the office (and subsequently to the court).
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
In general, personal data may be processed (ie, collected, stored, disclosed, modified and transferred) either with the consent of the data subject or under one of the statutory exemptions allowing the controller or processor to process the data without the data subject’s consent. The data subject must also be informed of his or her rights regarding the processing of his or her personal data. The data controller must comply with the security obligations provided for in the Data Protection Act. Moreover, the data controller must notify the Office for the Protection of Personal Data of each category of processing, unless the processing falls within one of the statutory exemptions.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
The leading principle in Slovak law is that the data controller may retain personal data only for as long as is necessary to fulfil the purpose for which the data is processed; the data should thereafter be deleted. The purpose must be defined by a data controller in compliance with other general legal requirements and the retention period must be adequate and reasonable in the context of the stated purpose of the processing. However, in many cases the purpose is defined by specific laws and regulations, which usually set a retention period.
The general exemption provided for in the Data Protection Act is that personal data may be retained for the purpose of state statistical services, scientific purposes and archiving. The data controller must not use the processed personal data to support measures or actions taken against the data subject or his or her interests, or to restrict the data subject’s rights and freedoms. In the course of personal data processing for the abovementioned purposes, the controller must label the data, anonymise it (if doing so still allows for the purpose of the processing to be achieved) and destroy it as soon as it becomes obsolete.
Specific laws provide for a special retention period for sectors such as:
- tax and accounting;
- social security and pension systems; and
- financial services.
Do individuals have a right to access personal information about them that is held by an organisation?
Under the Data Protection Act, the individual (data subject) has the right to access information about his or her personal data which is processed by the data controller or processor. The data controller must provide this information on the data subject’s request.
Do individuals have a right to request deletion of their data?
Data subjects may request deletion of their personal data if:
- the data is inaccurate, incomplete or out of date (in such a case, the data subject may also request correction of the data);
- the purpose of the processing has ceased; or
- the law has been breached.
Is consent required before processing personal data?
Consent constitutes the principal legal basis for the processing of personal data; any other legal ground is considered to be an exemption from this principle. The data subject’s ‘consent’ is defined as “any freely given specific and informed indication of his/her wishes by which the data subject knowingly signifies his/her agreement that personal data related to him may be processed”.
Common areas of malpractice relate to the lack of complete disclosure on data processing and the interpretation that, following refusal of consent, no obvious alternative is available.
If consent is not provided, are there other circumstances in which data processing is permitted?
The data controller may process data without consent only where:
- the purpose of the processing, the relevant data subjects and the relevant personal data or its scope are stipulated in directly applicable EU law, an international treaty to which Slovakia is party or the Data Protection Act. If the personal data or its scope is not defined, the controller must process the data only to the extent and in the manner necessary to achieve the purpose of the processing;
- the purpose of the processing, the relevant data subjects and the relevant personal data or its scope are stipulated in a special act. The controller must process the data only to the extent and in the manner set out in the special act. The processed personal data may be provided, made available or disclosed only if the special act stipulates:
- the purpose for doing so;
- a list of applicable personal data; and
- the third parties to which the data can be provided, made available or disclosed;
- processing is necessary to facilitate artistic or literary expression or in order to inform the public through mass media. In both cases, the controller may process the personal data only where such processing falls within the scope of its activities. This does not apply if, by processing personal data for such purpose, the controller violates the data subject’s personal and privacy rights, or if such processing is prohibited by another law or an international treaty to which Slovakia is party;
- processing is necessary for the performance of a contract to which the data subject is party, or in order to establish relations or take steps at the request of the data subject before entering into a contract;
- processing is necessary for the protection of the data subject’s life, health or property;
- the data consists solely of the title, name, surname and address of the data subject and there is no possibility of assigning other data to him or her, and where such data is to be used solely for the controller’s correspondence with the data subject and for related record keeping. If the scope of the controller’s activities includes direct marketing, it may transmit such personal data, without making it publicly available, only if the data is to be transmitted to another controller whose scope of activity also includes direct marketing and the data subject has not filed an objection in writing;
- the processed data has previously been made public – in such cases, personal data must be duly denoted;
- processing is necessary to fulfil an important task carried out in the public interest; or
- processing is necessary to protect the statutory rights and legitimate interests of the controller or a third party – in particular, personal data processed in order to protect the controller’s property, financial or other interests, or to protect the controller’s safety by means of closed-circuit television cameras or similar systems (provided that, when processing such data, the controller and third parties respect the fundamental rights and freedoms of the data subject and do not violate his or her personal and privacy rights).
Processing of sensitive data (the Data Protection Act uses the term ‘special categories of data’) may be carried out without the data subject’s consent only if at least one of the following conditions is met:
- The processing is based on a special law, legally binding EU law or international treaty to which Slovakia is party.
- The processing is necessary to protect the vital interests of the data subject or another natural person, and the person does not have the legal capacity or physical ability to give consent and the consent of his or her legal representative cannot be obtained.
- The processing is carried out as part of the legitimate activities of a civil society, foundation or non-profit organisation providing generally beneficial services, a political party or movement, a trade union or a church or religious society acknowledged by the state, and such processing solely concerns the members of the relevant organisation or natural persons with whom they are in regular contact with respect to their objectives, and the personal data solely serves their internal needs and will not be provided to third parties without the data subject’s written consent.
- The processing concerns personal data that has already been made public by the data subject or which is necessary to exercise a legal claim.
- The processing is carried out in the course of providing medical care and affects public health insurance, provided that the data is processed by a medical care provider, health insurance company or the Office for Internal Supervision over Healthcare (or on its behalf by a professional that is bound by professional ethics or secrecy obligations).
- The processing is carried out for health insurance or social security purposes for policemen and soldiers or in order to provide social relief or assistance in distress, or is necessary to fulfil the obligations or exercise the legitimate rights of the controller responsible for the processing with respect to labour law and employment services, and if such processing is pursuant to a special law.
Biometric data included in sensitive data may be processed only if at least one of the following conditions is met:
- The processing is based on the law.
- The data subject has given written consent to the processing or other credibly proven consent.
- The processing is necessary to perform a contract.
- The processing is necessary to protect the statutory rights and legitimate interests of the controller or a third party.
What information must be provided to individuals when personal data is collected?
A controller intending to obtain personal data from an individual must inform the individual before collecting the data and notify him or her of the following:
- its identity – if the controller has its registered office or permanent residence in a third country and a representative acts on its behalf in Slovakia, the representative must also be identified;
- the processor’s identity, if the processor processes personal data on behalf of the controller or the controller’s representative;
- the purpose of the personal data processing;
- a list of the personal data to be collected (in certain cases, stating the scope of the personal data is satisfactory); and
- additional information to the extent necessary to safeguard the rights and legitimate interests of the data subject with regard to all circumstances of the processing of the data, including:
- the identity of the person obtaining the data;
- information on the obligation to provide the requested personal data. If the provision of the data is based on the data subject’s consent, the controller must notify the data subject of the validity term of the consent. If the data subject’s obligation to provide personal data arises from a special law, the controller must specify this law and warn the data subject of the consequences of refusing to provide the data;
- any third parties involved or recipients of the data, provided that it is expected or clear that the data will be provided to them;
- if the data is to be made public, the manner in which this will be done;
- any third countries to which the data will be transmitted, provided that it is expected or clear that the personal data will be transmitted to these countries; and
- information on the data subject’s rights.
The controller is exempt from providing the above information if the data subject is already aware of it or if the legal grounds for processing are based not on consent, but rather on directly applicable EU legislation, an international treaty to which Slovakia is party, a special act or the Data Protection Act.
Data security and breach notification
Are there specific security obligations that must be complied with?
The Data Protection Act requires controllers and processors to ensure the security of personal data by protecting it against accidental or unlawful damage or destruction, accidental loss, alteration, unauthorised access or release, or any other unauthorised forms of processing.
Controllers and processors must take technical, organisational and personal security measures in accordance with the manner of processing, while taking into account (among other things):
- the existing technical means;
- the extent of any risks that could endanger the security or functionality of the filing system;
- confidentiality considerations; and
- the importance of the processed personal data.
Security measures are specified in the Decree on the Extent of Safety Measures Documentation (164/2013 Coll) and are categorised as either:
- security documentation; or
- security projects.
Security projects are more detailed and are required if:
- sensitive personal data is processed and the filing system is connected to the Internet; or
- the filing system is used to safeguard public interests.
Are data owners/processors required to notify individuals in the event of a breach?
There is no general obligation under Slovak law to notify data subjects of personal data security breaches, with the exception of breaches in the telecommunications sector that can affect the data subject’s privacy (pursuant to the Electronic Communications Act 2006 (275/2006 Coll); certain exceptions apply).
However, the general obligation to notify data subjects can be deduced from the Civil Code requirement to prevent damages (ie, where notification would effectively reduce the impact of the data breach). That said, this will be subject to change once the EU General Data Protection Regulation applies: the controller will be obliged to communicate the personal data breach to the data subject without undue delay if the breach is likely to pose a high risk to the data subject’s rights and freedoms.
Are data owners/processors required to notify the regulator in the event of a breach?
There is no general obligation under Slovak law to notify personal data security breaches to the Office for the Protection of Personal Data, except for breaches in the telecommunications sector.
However, this will change once the EU General Data Protection Regulation applies: the controller will be obliged to notify the supervisory authority of the personal data breach no later than 72 hours after becoming aware of the breach.
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
In general, the opt-out principle concerning direct marketing applies. Under the Data Protection Act, if the controller or processor carries out personal data processing for the purpose of offering business opportunities or services to the data subject, the data subject's title, name, surname and address may be used without his or her consent, provided that the data was acquired from a public list or in relation to the activities of the controller or processor, and as long as the data subject has not expressed his or her disagreement thereto.
However, the Electronic Communications Act 2011 (351/2011 Coll) provides for an opt-in mechanism regarding the use of electronic contact details (eg, email address, telephone number, instant messaging number and Skype number). In other words, no one may use electronic contact details for automated commercial communications without the prior consent of the data subject, with one exception: the email address of an existing customer (ie, a person with whom the sender has conducted previous business) may be used for this purpose until the customer objects to the sending of further commercial communications, if they were not already rejected from the outset.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
Data transfers to countries outside the European Union that provide an adequate level of protection (on the basis of a European Commission decision) are possible if the data subject has been given the necessary information.
Personal data may be transferred to a third country that does not ensure an adequate level of protection if any of the following conditions are fulfilled:
- The controller has adopted standard model clauses or binding corporate rules.
- The data subject has given written or otherwise verifiable consent to the transfer, despite being aware that the country of final destination does not ensure an adequate level of protection.
- The transfer is necessary in order to perform a contract between the data subject and the controller or during their pre-contractual negotiations.
- The transfer is necessary to enter into or perform a contract concluded by the controller with another entity in the interest of the data subject.
- The transfer is necessary in order to:
- fulfil the obligations of an international treaty to which Slovakia is party;
- comply with a law protecting public interests; or
- prove, file or defend a legal claim.
- The transfer is necessary to protect the vital interests of the data subject.
- The transfer concerns personal data that is stored and publicly accessible pursuant to special laws or is available under these laws to persons that can prove a legal claim and fulfil the prescribed conditions for accessing the data.
- The consent of the Office for the Protection of Personal Data has been obtained. Such consent is required if personal data is transferred to a processor residing in a third country that does not provide an adequate level of protection and if the data transfer agreement does not contain standard model clauses or binding corporate rules. However, the transfer of data to third countries in a controller-to-controller scenario does not require the office’s approval.
When transferring employees’ personal data to third countries that do not provide an adequate level of protection, the controller must adopt adequate safeguards (ie, standard model clauses or binding corporate rules).
Sensitive data may be transferred to a third party residing in a third country only after the data subject has given written consent, unless a special act provides otherwise.
Are there restrictions on the geographic transfer of data?
No restrictions apply to data transfers to:
- EU and European Economic Area member states; and
- countries with an adequate level of protection, as officially recognised by the European Commission.
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
If the controller wishes to outsource processing operations, it must conclude a written contract with the processor. The contract must include clauses stipulating the following points:
- the identities of the parties;
- the date of commencement of the processing;
- the purpose of the processing;
- the name of the filing system;
- a list of the relevant personal data (in some cases, merely stating the scope of the relevant personal data is satisfactory);
- the relevant data subjects;
- the conditions of the data processing, including a list of permitted operations;
- the controller’s declaration that in selecting the processor, it considered the processor’s professional, technological, organisational and personal skills and competence to ensure the security of the data processing through use of safety measures prescribed by the Data Protection Act;
- the controller’s consent to data processing by a sub-processor, if applicable (in such case, the processor is liable for the security of the data that is processes);
- the duration of the contract; and
- the date of the contract and the signatures of the parties.
When outsourcing data processing activities to processors, the controller must be mindful of guarantees regarding technological, organisational and personal security measures. The controller may not entrust personal data processing to a processor if doing so could present a risk to the rights and statutorily protected interests of the data subjects.
Under the Data Protection Act, the data controller must inform the data subject of the parties that will be processing the personal data and parties to which the personal data may be disclosed. If the controller outsources to the processor after acquiring personal data, it should inform the data subjects of this during their next contact or no later than three months from the day of outsourcing. This also applies when data processing is taken over by another controller.
Penalties and compensation
What are the potential penalties for non-compliance with data protection provisions?
Processing personal data in breach of the Data Protection Act may constitute an administrative offence, subject to fines of up to €200,000. The penalties vary depending on the obligations breached.
In addition, criminal penalties may apply, including up to 10 years’ imprisonment in extreme cases.
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
Individuals are entitled to compensation for any loss (material or immaterial) caused as a result of a violation of the Data Protection Act. Such individuals may claim damages from the data controller (and the processor that is jointly and severally liable) on the basis of civil liability.
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
No special legislation has been adopted. However, cybersecurity is covered to a limited extent by:
- the Data Protection Act in relation to the protection of personal data;
- the Electronic Communications Act in relation to the protection of personal data in electronic communications;
- the Information Systems in Public Administration Act (275/2006 Coll); and
- the Penal Code in relation to specific crimes.
Although there have been plans to enact a cybersecurity law since 2010, we are not aware of any such law to be enacted in the near future. However, enactment of a cybersecurity law is likely at some point in future.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
There is much discussion about the cybersecurity-related regulatory changes to be brought by the EU Network and Information Security Directive. Most likely, the directive will be approved in mid-2016 and member states will be obliged to adjust their national legislation to comply with it by 2018. The major proposed change under the directive is the extension of the scope of affected entities to include service providers in the energy, transport, banking, financial, health and digital infrastructure (eg, Domain Name System service providers) sectors, as well as entities operating online marketplaces or search engines and providers of cloud computing services.
Which cyber activities are criminalised in your jurisdiction?
The Penal Code specifies five crimes expressly connected to cyberspace:
- unauthorised access to a computer system;
- unauthorised intervention in a computer system;
- unauthorised intervention in computer data;
- unauthorised capture of computer data; and
- procurement and possession of access devices and computer system passwords and other such data.
However, many cybercrimes (eg, phishing attacks) are still prosecuted as common crimes (eg, fraud).
Which authorities are responsible for enforcing cybersecurity rules?
Since no specific cybersecurity law exists in Slovakia, no central authority is responsible for enforcing cybersecurity rules. However, the following authorities have limited roles in the field of cybersecurity:
- The Data Protection Authority enforces security measures in relation to the protection of personal data.
- The Regulatory Authority for Electronic Communications and Postal Services enforces rules stemming from the Electronic Communications Act, including the notification obligations.
- The Ministry of Finance enforces obligations in relation to the Information Systems in Public Administration Act.
- The law enforcement authorities enforce the Penal Code.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
It is uncommon to obtain insurance for cybersecurity breaches; however, the first such products have appeared on the Slovak insurance market.
Are companies required to keep records of cybercrime threats, attacks and breaches?
Under the Electronic Communications Act, providers of electronic communications services must keep records of cybersecurity breaches.
Under the Data Protection Act, controllers and processors must keep records of security incidents and their resolutions.
Under the Information Systems in Public Administration Acts, required persons (enumerated public bodies) must also keep records of security incidents and their resolutions.
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
Under the Electronic Communications Act, providers of electronic communications services must report cybersecurity breaches to the Regulatory Authority for Electronic Communications and Postal Services.
Under the Information Systems in Public Administration Act, required persons (enumerated public bodies) must keep records of security incidents and their resolutions.
Public authorities are encouraged, but not obliged, to report cybersecurity incidents to the Computer Security Incident Response Team (CSIRT).
Are companies required to report cybercrime threats, attacks and breaches publicly?
No. However, CSIRT publishes anonymous reports on the incidents. The Regulatory Authority for Electronic Communications and Postal Services provides anonymous data to the EU Agency for Network and Information Security for public reporting purposes.
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
The penalties for cybercrime include disqualification, forfeiture of items and imprisonment. The following maximum prison sentences may be imposed:
- eight years for unauthorised access to a computer system (in extreme cases);
- five years for procurement or possession of access devices or computer system passwords; and
- 10 years in other cases (eg, unauthorised intervention in a computer system, unauthorised intervention in computer data and unauthorised capture of computer data).
What penalties may be imposed for failure to comply with cybersecurity regulations?
Fines may reach:
- €200,000 under the Data Protection Act;
- 5% of annual turnover under the Electronic Communications Act; and
- €25,000 under the Information Systems in Public Administration Act.