LAW

As a member of the European Union, Slovakia implemented the EU Data Protection Directive 95/46/EC in September 2002 with Act No. 428/2002 Coll., the Data Protection Act, as amended ("DPA").

DEFINITION OF PERSONAL DATA

Personal data shall, for the purposes of the DPA, mean any information relating to an identified or identifiable natural person, either directly or indirectly, in particular by reference to an identifier of general application or by reference to one or more factors specific to his/her physical, physiological, psychic, mental, economic, cultural or social identity.

DEFINITION OF SENSITIVE PERSONAL DATA

The DPA does not provide a definition of sensitive personal data. However, one of the provisions of the DPA, namely "Special categories of data", refers, inter alia, to personal data related to race, ethnic origin, political opinions and religious belief, as well as to data related to breaches of provisions of criminal or civil law, biometric data, and data related to the mental state of the data subject.

NATIONAL DATA PROTECTION AUTHORITY

The Data Protection Office of the Slovak Republic ("Office") is the Úrad na ochranu osobných údajov Slovenskej republiky (official Slovak name).

The Office is responsible for overseeing the DPA in Slovakia.

REGISTRATION

Data controllers need to register information systems with the Office under the conditions set out in the DPA.

The obligation to register applies to all information systems in which personal data is processed fully or partially by an automated means of processing unless a statutory exception applies. The information system needs to be registered before starting with the processing of the data contained therein. The Office will carry out the registration free of charge and it will assign a registration number to the pertinent information system, as well as issue a certificate confirming its registration. If it is unclear whether the particular information system is subject to registration, the Office will issue a binding decision.

Special registration applies to information systems defined in the DPA, inter alia, those that contain special categories of data or data processed without the data subject's consent, which is to be transferred to third countries that do not guarantee an adequate level of data protection. The Office will assess the submitted data, verify whether the data processing could infringe the rights and freedoms of data subjects and decide, within 60 days from the day of its receipt, whether or not it will permit the data processing. If the Office assesses the data processing in the information system as a risk, it shall prohibit the processing for the respective purpose.

DATA PROTECTION OFFICERS

The data controller is responsible for the internal supervision of the protection of personal data processed pursuant to the DPA. The data controller is required to nominate in writing one or more data protection officers to supervise observance of the DPA provisions in his/her/its company if he/she/it employs more than five people. The data controller must notify the Office of this fact in writing without undue delay, and no later than 30 days from such nomination.

COLLECTION AND PROCESSING

Under the DPA, a data controller who intends to collect personal data from the data subject must inform the data subject, no later than at the time the data is obtained, of the following:

  • The business name and registered office or permanent residence of the data controller;
  • The business name and registered office or permanent residence of the data processor, provided that the data processor obtains personal data on behalf of the data controller or the data controller's representative;
  • The purpose of the personal data processing; and
  • Additional information in the extent necessary for safeguarding the rights and legitimate interests of the data subject with regard to all circumstances of the processing of personal data, the particulars of which are provided in the DPA.

Personal data may be processed only by the data controller or data processor. The data processor may process personal data only to the extent and under the conditions agreed with the data controller in a written contract or by written authorisation.

The DPA lists the basic obligations of the data controller. The data controller must, inter alia:

  • determine unambiguously and specifically the purpose of data processing before starting the data processing; the purpose of data processing must be clear and it cannot be contrary to the Constitution of the Slovak Republic, constitutional laws, laws and international treaties binding for the Slovak Republic;
  • determine the means and manner of the data processing and, if appropriate, other conditions of the data processing;
  • process only accurate, complete and, where necessary, updated personal data in respect of the purpose of its processing;
  • destroy the personal data when the purpose of processing is terminated; and
  • process personal data in accordance with public morals and act in a manner not contrary to, or circumventing, the DPA or other generally binding legal regulations.

Personal data may only be processed with the consent of the data subject, unless the DPA provides otherwise. Under the DPA, the processing of special categories of data (i.e. sensitive information) is allowed only with the written consent of the data subject and subject to the specific conditions set out in the DPA.

TRANSFER

Transfer to third parties within the territory of the Slovak Republic. The personal data of the data subject may be transferred from the information system to another natural person or legal entity only upon written confirmation that the data subject's consent has been obtained, where the DPA requires such consent; the person providing the data in this manner may replace this written confirmation with a written declaration of the data controller stating that the data subjects gave their consent, provided that the data controller is able to prove that the written consent of the data subjects was given.

Transfer to non-EU member states that offer an adequate level of data protection. If the third country guarantees an adequate level of data protection, the data may be transferred to that country provided that the data controller has informed the data subject of the facts that must be communicated when obtaining the data subject's data (i.e. the information mentioned above in relation to the collection of data by the data controller). Under the DPA, a data transfer to a country that guarantees an adequate level of protection is also allowed in cases where notification of the data subject is not required.

Transfer to third countries (excluding the US) that do not offer an adequate level of data protection. If the third country does not guarantee an adequate level of protection, the transfer of data is possible only on the basis of a decision of the European Commission or if any of the conditions mentioned below is fulfilled:

  • The data subject gave written consent to the transfer, while knowing that the country of final destination does not ensure an adequate level of protection;
  • The transfer is necessary for the execution of a contract between the data subject and the data controller, or for pre-contractual measures taken at the request of the data subject;
  • It is necessary for entering into, or the execution of, a contract concluded by the data controller in the interest of the data subject with another entity;
  • It is necessary for the execution of an international treaty binding on the Slovak Republic, or is required by law on grounds of an important public interest, or for proving, filing or defending a legal claim;
  • It is necessary for the protection of the vital interests of the data subject; or
  • It concerns personal data which forms part of lists, registers or files that are kept and publicly accessible pursuant to special legislation, or which is available under that legislation to persons who prove that they are legally entitled to it and fulfil the conditions prescribed by law for the data to be made available.

If, after obtaining the personal data, the data controller decides to transfer it to a third country which does not guarantee an adequate level of protection, it must inform the data subject before the transfer of the reason for its decision and advise the data subject of his/her right to refuse consent to such transfer, where this consent is required; the data controller is entitled to execute the proposed transfer of the personal data only after obtaining the written consent of the data subject.

If the data controller authorises an entity residing abroad to process data on the data controller's behalf, this entity is entitled to process the personal data only to the extent and under the conditions agreed with the data controller in a written contract. The scope of the contract must be drawn up in accordance with the standard contractual terms set by Decision of the European Commission L39/5 of February 5, 2010, notified under Document C (2010) 593, which are stipulated for the transfer of personal data where an entity residing abroad processes data on the data controller's behalf. The consent of the Office is required for this transfer of personal data.

Transfer to the US. For the transfer of data to the United States, compliance with the US/EU Safe Harbor principles satisfies the requirements of the DPA provisions on data transfer. The Office will ascertain whether or not the US company that will be the data importer has signed up to the Safe Harbor principles. This US company must file an application for approval of the data transfer to the US with the Office. Provided that this company adheres to the Safe Harbor principles and the application is correct and complete, the Office will grant its approval.

SECURITY

The data controller and the data processor are responsible for the security of personal data and must protect it against accidental or unlawful damage or destruction, accidental loss, alteration, unauthorised access and disclosure, as well as against any other unauthorised forms of processing. For this purpose, the data controller must take reasonable technical, organisational and personnel measures which correspond to the manner in which the data is processed.

The data controller is required to prepare a so-called security project for the information system where the information system contains certain special categories of data. The data controller is required to nominate in writing one or more data protection officers to supervise observance of the DPA provisions in his/her/its company if he/she/it employs more than five people. The data controller is required to instruct the entitled persons about the rights and obligations stipulated in the DPA and about the liability for their violation. The data controller must establish and maintain the confidentiality of the processed data even after its processing has concluded.

BREACH NOTIFICATION

Under the DPA, there is no mandatory requirement to report data security breaches or losses to the Office. However, this does not affect the ability of other public authorities to report data security infringements or losses to the Office if they suspect that such an event might have occurred.

ENFORCEMENT

The Office is responsible for the enforcement of the DPA. Upon a complaint from a data subject or another person, or a report from public authorities, the Office shall commence administrative proceedings to ascertain possible breaches of the obligations or conditions stipulated by the DPA and may, where appropriate, impose a fine for such breaches. Depending on the nature of the breach, the Office may issue decisions to provide temporary relief for the data subject or to ensure due rectification.

The Office may impose fines for breaches of the DPA ranging from EUR 330 to EUR 332,000. The Head of the Office or the Chief Inspector may publish a notice containing the identity of the data controller or data processor that breached or circumvented the provisions of the DPA and the final decision of the Office regarding such breach, including a description of the breach and the merits of the case. The Office may also impose disciplinary fines on the data controller or the data processor in the instances stipulated by the DPA.

ELECTRONIC MARKETING

Electronic marketing shall be governed by Act No. 351/2011 Coll. on Electronic Communications, as amended ("ECA").

Under the ECA, the processing of a subscriber's or user's traffic data by public network or service providers for the purpose of marketing services or providing value added services is possible solely with the prior consent of the subscriber or user.

Prior to obtaining the consent, the public network or service providers are obliged to inform the subscriber or user of (i) the type of traffic data processed, (ii) the purpose of the traffic data processing and (iii) the duration of the data processing.

For the purposes of direct marketing, calls or the use of automatic calling and communication systems without human intervention, facsimile machines or e-mail, including SMS messages, to a subscriber or user who is a natural person are allowed solely with his/her prior consent. Such consent must be provable. Users or subscribers are entitled to withdraw such consent at any time.

The prior consent of the recipient of a marketing e-mail is not required for the direct marketing of a person's own similar products and services where that person has obtained the recipient's electronic contact information in the course of a previous sale of its own product and/or service to the recipient, in line with the provisions of the ECA. The recipient of an e-mail is entitled to refuse such use of the electronic contact information at any time, by simple means and free of charge, both at the time of its collection and on the occasion of each message delivered, if the recipient has not already refused such use.

Both (i) sending e-mails for the purposes of direct marketing without providing a valid address to which the recipient may send a request to stop receiving such communications, and (ii) encouraging visits to a website in contravention of a special regulation, are prohibited.

ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)

As regards the protection of privacy and protection of personal data processed in the electronic communications sector, the provisions of the ECA shall apply. The ECA implemented Directive 2002/58/EC (as amended by Directive 2009/136/EC).

Under the ECA, public network or service providers are obliged to ensure, technically and organisationally, the confidentiality of communications and related traffic data conveyed by means of their public networks and public services. In particular, the recording, listening to or storage of data (or any other kind of interception or surveillance of communications and related data) by persons other than users, or without the consent of the users concerned, is prohibited. This does not, however, prohibit the technical storage of data that is necessary for the conveyance of communications, to which the principle of confidentiality still applies.

Further to this, the network or service provider ("undertaking company") is not liable for the protection of the conveyed information if such information can be directly listened to or obtained at the location of broadcasting and/or reception.

However, this ban does not apply to the temporary recording and storage of messages and related traffic data where this is required: (i) for the provision of value added services ordered by a subscriber or user; (ii) to prove a request to establish, change or withdraw a service; or (iii) to prove the existence or validity of other legal acts made by the subscriber, user or undertaking company.

Under the ECA, each person that stores, or gains access to, information stored in the terminal equipment of a user must be authorised for such processing by the user concerned, whose consent must be based on exact and complete information regarding the purpose of the processing. In this regard, the use of the corresponding setting of a web browser or other computer program is also considered (implied) consent.

Traffic Data – Traffic Data may only be processed for the purpose of conveying a communication over an electronic communications network or for invoicing it. Traffic Data relating to subscribers or users may not be stored without the consent of the person concerned, and the undertaking company is required to destroy or anonymise it without delay after the end of the transmission of a communication, except in the cases defined by the ECA.

If it is necessary for the invoicing of the subscribers and network interconnection payments, the undertaking company is required to store the Traffic Data until the expiration of the period during which the invoice may be legally challenged or the claim for the payment may be asserted. The undertaking company is required to provide the Traffic Data to the Office or the court in case of a dispute between undertaking companies or between an undertaking company and a subscriber. The scope of the stored Traffic Data must be limited to the minimum necessary.

Location Data – The undertaking company may process Location Data other than Traffic Data relating to the subscriber or user of a public network or public service only if the data is anonymised or the processing is carried out with the user's consent, and only to the extent and for the time necessary for the provision of the value added service. Prior to obtaining consent, the undertaking company must inform the subscriber or user of the Location Data other than Traffic Data that will be processed, of the purpose and duration of the processing, and of whether the data will be provided to a third party for the purpose of providing the value added service. The subscriber or user may revoke his/her consent to the processing of the location data at any time.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.

DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com