The new Slovak Personal Data Protection Act
The Slovak Parliament passed the new Personal Data Protection Act (PDPA) in November 2017. Following the President's approval, the PDPA was published in January 2018 under the official number 18/2018 and will come into force on 25 May 2018.
The PDPA is divided into six parts. Part II reproduces most of the provisions of GDPR and should apply to processing activities that are outside the scope of the European Union legislation. Part III implements the provisions of the Law Enforcement Directive. Part IV stipulates local derogations and exceptions to the GDPR. Parts V and VI govern competence, tasks and powers of the Slovak supervisory authority and other miscellaneous provisions.
Part IV of the PDPA sets out very limited permitted derogations and exemptions to the GDPR. These include permitting the processing of personal data without the data subject's consent if the processing is necessary for journalistic purposes or the purposes of academic, artistic or literary expression. This does not apply if the controller infringes the personal rights of a data subject or their right to privacy.
Pursuant to Art. 86 of the GDPR, the PDPA prescribes a stricter regime for processing the national identification number, the so-called "birth number", which is a unique identification number of each natural person born in the Slovak Republic. Under current law, this identifier is considered to be sensitive personal data. According to the PDPA, the birth number may only be processed if it is necessary for the purposes of the processing. If the processing is based on consent, the consent of the data subject to the processing of their national identification number must be explicit.
Based on Art. 9 (4) of GDPR, the PDPA introduces a specific legal basis for processing genetic data, biometric data or health data. The controller may also process these categories of personal data where the processing is based on a special law or international treaty.
In the context of HR data, under the PDPA the employer is entitled to disclose and publish personal data of its employees if it is necessary in connection with the performance of their job.
Furthermore, the PDPA explicitly provides that the controller and processor shall duly apply the international norms and safety standards when implementing security measures.
In our view, the legislator has failed to take advantage of permitted GDPR derogations and there are a number of issues with the PDPA, including:
- The 'copy out' of GDPR legal text in Part II.
- The implementation of the Law Enforcement Directive, which is barely comprehensible.
- The very general wording of the derogations.
Although the PDPA includes 112 sections, for most companies operating in Slovakia it is essential to comply not only with the GDPR but also with Parts IV – VI of the PDPA (sections 78-112).