A new Act on the Protection of Personal Data has recently been adopted by the Slovakian Parliament. It came into force on 1 July and imposes new requirements on data controllers and data processors, some of which must be implemented within 6 months. The Act brings Slovakian data protection law increasingly into line with existing EU practice.

The key changes for employers are:

  • Data processors (e.g. external payroll and benefits administrators) will only be able to process personal data on behalf of data controllers (e.g. employers) if there is a written agreement between the parties. Data processors will no longer be able to process personal data based solely on unilateral authorisation from the data controller, as has been the case up until now.
  • Data processors will now only be permitted to use third parties (referred to as “subcontractors” in the Act) to process personal data on their behalf if this has been agreed in advance in the written agreement between the data processor and the data controller.
  • If, whilst processing personal data, the data processor discovers that the data controller has breached the law, it must notify the data controller in writing and must then only perform those data operations which cannot be delayed. If the controller fails to remedy the situation within one month of being notified of the breach, the data processor must inform the Office for Personal Data Protection of the Slovak Republic (the DPA) of this fact. If it does not do this, it risks being held jointly liable with the controller for the breach of the data protection obligations and for any damage caused by such a breach.
  • Under the new Act, a data controller no longer needs to obtain the approval of the DPA before transferring data to countries which are not deemed in advance by the EU to ensure an adequate level of protection of personal data, if the controller adopts adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals, as they result from the standard contractual clauses or from the controller’s binding internal rules. So far as personal data about employees is concerned, under the new Act employers may transfer personal data to third countries which do not have adequate protection in place only in accordance with contracts containing EU standard contractual clauses or binding internal rules. Where the data controller or processor is a US-based Safe Harbour company, the new Act sets out the essentials of the contract for the transfer of personal data. Consent from the DPA will now only be required if the contract for the transfer of personal data contains clauses that are different from the standard EU contractual clauses or inconsistent with them.
  • Employers may find it interesting to hear that under the new Act they are allowed to make certain information about their employees public, even without the data subject’s consent. This includes the data subject’s title, name, surname and work telephone number, but only provided that this is necessary for the performance of the data subject’s work duties and does not violate the data subject’s dignity and security. Such a violation might include cases where the employee might be the subject of harassing calls because of the highly political or sensitive nature of his work, e.g. animal testing or armaments.
  • The new Act introduces changes regarding the processing of biometric data, security measures and the registration of filing systems.
  • Finally, in cases where the DPA can impose a fine for a breach of the Act, it will no longer be able to exercise its discretion as to whether to impose a fine or not. Under the new Act, in such circumstances, the DPA will be obliged to impose a fine. The size and adverse consequences of the breach will dictate the size of that fine (together with any mitigating or aggravating features).