< Back

Share |

The legal data protection framework in the Slovak Republic

April 2014

On 1 July 2013, the new Act No. 122/2013 Coll. on protection of personal data and on changing and amending of other acts (New Act), fully replaced the old Act No. 428/2002 Coll. on protection of personal data (Old Act). It implements the EU Data Protection Directive (95/46/EC).  The new legislation was intended to increase confidence in the data protection framework and reduce bureaucracy but the fact is, it introduces several new and rather onerous obligations, resulting in additional paperwork and increased costs for almost all businesses concerned.

Main new changes and obligations

The most significant changes and new obligations introduced by the New Act are:

  • mandatory requirements for agreements between data controllers and data processors;
  • changes concerning the data protection officers (DPO) and the obligation of the controller/processor to register information systems;
  • changes concerning compulsory security documentation; and
  • increased fines for non-compliance.
written agreement

Agreements on processing of personal data

Under the Old Act, there were minimal requirements for written contracts between data controllers and processors. The New Act stipulates that the processor may process personal data on behalf of the controller only on the basis of a written agreement that must fulfil the statutory requirements (e.g. set out: the purpose of the processing; identify the relevant information system; the scope of personal data to be processed; the circle of data subjects affected; the conditions for processing of personal data including the list of permitted processing operations; the term of the agreement; and a declaration by the controller that due consideration was given when selecting the processor to their professional, technological, organisational and personal skills and competence to ensure security of the processing). The processor may process personal data itself or, if agreed with the data controller, through a third party sub-processor.

Where there is a proper agreement between the data controller and processor, there is no need for the data controller to get the data subject's consent to their data being processed by a third party.

Data Protection Officers

The Data Protection Officer (DPO) is a person officially entrusted by the controller/processor with supervising compliance with statutory provisions in the course of personal data processing. DPOs have access rights to the filing system of the controller/processor to the extent necessary for the fulfilment of their duties.

Under the Old Act, the requirement to appoint a DPO was linked to the number of employees of an organisation.  The New Act requires the appointment of a DPO where there are more than twenty people who come or may come into contact with personal data and who must be instructed on how to handle the data (written records of this must be signed by the relevant person and kept by the controller/processor).  All information systems in which personal data are processed by fully or partially automated means, except those that are subject to the supervision of the Data Protection Officer, must be registered with the Data Protection Office of the Slovak Republic (Regulator) and an administrative charge paid.  This affects mainly SMEs which do not process sufficient personal data to require a DPO. 

Security documentationsecurity measures

The controller/processor is obliged to protect processed personal data against any unauthorised forms of processing and is required to take adequate security measures. A record of the security measures must be kept. In addition, the scope and documentation of such security measures is now regulated in a Notice from the Regulator, the annex of which contains a list of basic security measures that should be applied in relation to various types of processing operations.

Imposition of fines

Under the previous regime, fines for breach were at the discretion of the Regulator.  Now, the Regulator is required to impose a fine for breach of the New Act on a sliding scale (from between EUR 300.00 and EUR 300,000.00).  The maximum fine has increased dramatically under the New Act.

Positive changes

There are some positive changes introduced by the New Act.  For example:

  • the option for employers (acting as data controllers) to publish certain personal data of its employees (data subjects) without their consent;
  • new rules concerning the transfer of personal data to third party countries that decrease the administrative burden on the controller/processor;
  • improved definitions; and
  • detailed provisions relating to the processing of biometric data.

Implementation of the New Act

The obligations under the New Act come into force in stages.  Some have been in force since 1 January 2014 others were introduced on 1 April, 2014, and some will be introduced on 1 July, 2014 as follows:

Actions to be taken

Transition Deadline

Written records concerning information systems

1 January 2014

Instruction of the entitled person, obtaining of consents of the data subject and providing information to the data subject.

1 January 2014

Security measures/directive/project

1 April 2014

Conclusion of the agreement on personal data processing

1 July 2014

Appointment of the Data Protection Officer and notification thereof to the Regulator

1 July 2014


Despite the fact that the Slovak Republic has brand new data protection regulation, it is likely that if and when the new EU data protection Regulation comes into force, the legal framework for data processing in the Slovak Republic will have to be further revised.

For further information, contact Radovan Pala or Vinod Bange.

Radovan Pala

Radovan Pala      

Radovan sets out the requirements under the Slovak Republic's new data protection law.

"The new legislation was intended to increase confidence and reduce bureaucracy but the fact is, it introduces several new and rather onerous obligations."