Slovakia: Data Protection Laws of the World Handbook: Second Edition - Slovak Republic

E-Commerce And Privacy Alert


As a member of the European Union, Slovakia implemented the EU Data Protection Directive 95/46/EC in September 2002 with Act No. 428/2002 Coll., the Data Protection Act, as amended ("DPA").


Personal data shall, for the purposes of the DPA, mean any information relating to an identified or identifiable natural person, either directly or indirectly, in particular by reference to an identifier of general application or by reference to one or more factors specific to his/her physical, physiological, psychic, mental, economic, cultural or social identity.


The DPA does not provide for a definition of sensitive personal data. However, one of the provisions of the DPA namely "Special categories of data" refers, inter alia, to personal data related to race, ethnic origin, political opinions, religious belief, as well as data related to the breach of provisions of criminal or civil law, biometrical data, or data related to the mental status of the data subject.


The Data Protection office of the Slovak republic ("Office") is: Úrad na ochranu osobných údajov Slovenskej republiky (Official Slovak Name)

The Office is responsible for overseeing the DPA in Slovakia.


Data controllers need to register information systems with the Office under the conditions set out in the DPA.

The obligation to register applies to all information systems in which personal data is processed fully or partially by an automated means of processing unless a statutory exception applies. The information system needs to be registered before starting with the processing of the data contained therein. The Office will carry out the registration free of charge and it will assign a registration number to the pertinent information system, as well as issue a certificate confirming its registration. If it is unclear whether the particular information system is subject to registration, the Office will issue a binding decision.

Special registration applies to information systems defined in the DPA, inter alia, those that contain special categories of data or data processed without the data subject's consent, which is to be transferred to third countries that do not guarantee an adequate level of data protection. The Office will assess the submitted data, verify whether the data processing could infringe the rights and freedoms of data subjects and decide, within 60 days from the day of its receipt, whether or not it will permit the data processing. If the Office assesses the data processing in the information system as a risk, it shall prohibit the processing for the respective purpose.


The data controller is responsible for the internal supervision of protection of personal data processed pursuant to the DPA. The data controller is required to nominate in writing one or more data protection officers for supervising the observation of the DPA provisions in his/ her/its company if he/she/it employs more than five people. The Office must be notified of this fact in writing by the data controller without undue delay, but no later than 30 days from such nomination.


Under the DPA, the data controller who intends to collect personal data from the data subject must inform the data subject, no later than obtaining the data, and notify him/her in advance of the following:

  • The business name and registered office or permanent residence of the data controller;
  • The business name and registered office or permanent residence of the data processor, provided that the data processor obtains personal data on behalf of the data controller or the data controller's representative;
  • The purpose of the personal data processing; and
  • Additional information in the extent necessary for safeguarding the rights and legitimate interests of the data subject with regard to all circumstances of the processing of personal data, the particulars of which are provided in the DPA.

Personal data may be processed only by the data controller or data processor. The data processor may process personal data only to the extent and under the conditions agreed with the data controller in a written contract or by written authorisation.

The DPA lists basic obligations of the data controller mentioned below. The data controller must, inter alia:

  • determine unambiguously and specifically the purpose of data processing before starting the data processing; the purpose of data processing must be clear and it cannot be contrary to the Constitution of the Slovak Republic, constitutional laws, laws and international treaties binding for the Slovak Republic;
  • determine the means and manner of the data processing and, if appropriate, other conditions of the data processing;
  • process only accurate, complete and, where necessary, updated personal data in respect of the purpose of its processing;
  • destroy the personal data when the purpose of processing is terminated; and
  • process personal data in accordance with public morals and act in a manner not contrary to, or circumventing, the DPA or other generally binding legal regulations.

Personal data may only be processed upon the consent of the data subject, unless provided otherwise for by the DPA. Under the DPA, the processing of special categories of data (i.e. sensitive information) is allowed only upon the written consent of the data subject and following the specific conditions set forth in the DPA.


Transfer to third parties within the territory of the Slovak Republic. The personal data of the data subject may be transferred from the information system to another natural person or legal entity only upon the written confirmation on the data subject's consent obtained, if the DPA requires such consent; the person providing data in such manner may replace this written confirmation by a written declaration of the data controller stating that the data subjects gave their consent, provided that the data controller is able to prove that the written consent of the data subjects was given.

Transfer to non-EU member states that offer an adequate level of data protection. If the third country guarantees an adequate level of data protection, the data may be transferred to this country if the data controller informed the data subject about the facts required to obtain the data subject's data (i.e. the information mentioned above in relation to data collecting by the data controller). Under the DPA, the data transfer to a country that guarantees an adequate level of protection is also allowed in cases when a notification/information to the data subject is not required.

Transfer to third countries (excluding the US) that do not offer an adequate level of data protection. If the third country does not guarantee an adequate level of protection, the transfer of data is possible only on the basis of a decision of the European Commission or if any of the conditions mentioned below is fulfilled:

  • The data subject gave a written consent to the transfer, while knowing that the country of final destination does not ensure an adequate level of protection;
  • The transfer is necessary for the execution of a contract between the data subject and the data controller or for pre contractual measures, upon the request of the data subject;
  • It is necessary for entering into, or the execution of, a contract concluded by the data controller in the interest of the data subject with another entity,
  • It is necessary for the execution of an international treaty binding for the Slovak Republic or resulting from the laws due to an important public interest or for proving, filing or defending a legal claim;
  • It is necessary for the protection of vital interests of the data subject; or
  • It concerns the personal data, which constitutes a part of the lists, registers or files and are kept and publicly accessible pursuant to special legislation or is available, under this legislation, to persons who prove that they are legally entitled and fulfil the conditions prescribed by law for making the data available.

If the data controller decides to transfer personal data to a third country, which does not guarantee an adequate level of protection, after obtaining the personal data, it must inform the data subject before the transfer of the personal data about the reason of its decision and advise the data subject about his/her right to refuse consent with such transfer, if this consent is required; the data controller shall be entitled to execute the proposed transfer of the personal data only after obtaining the written consent of the data subject.

If the data controller authorises an entity residing abroad for the data processing on the data controller's behalf, this entity shall be entitled to process the personal data only to the extent and under the conditions agreed with the data controller in a written contract. The scope of the contract must be elaborated in accordance with the standard contractual terms set by Decision of the European Commission L39/5 from February 5, 2010, notified under Document C (2010) 593 stipulated for the transfer of personal data by an entity residing abroad processing data on the data controller's behalf. The consent of the Office is required for this transfer of personal data.

Transfer to the US. For the transfer of data to the United States, compliance with the US/EU Safe Harbor principles satisfies the requirements of the DPA provisions on data transfer. The Office will ascertain whether or not the US company, which will be the data importer, did sign up for the Safe Harbor principles. This US company must file an application for approval of the data transfer to the US with the Office. Provided that this company is a member of the Safe Harbor principles and the application is correct and complete, the Office will grant its approval.


The data controller and the data processor are responsible for the security of personal data by protecting it against accidental or unlawful damage or destruction, accidental loss, alteration, unauthorised access and making available, as well as against any other unauthorised forms of processing. For this purpose, the data controller must take reasonable technical, organisational and personal measures which correspond to the manner of processing data.

The data controller is required to prepare a so called security project of the information system where the information system contains certain special categories of data. The data controller is required to nominate in writing one or more data protection officers for supervising the observation of the DPA provisions in his company if he employs more than five people. The data controller is required to instruct the entitled persons about the rights and obligations stipulated in the DPA and about the liability for their violation. The data controller must establish and maintain confidentiality of the processed data even after the conclusion of its processing.


Under the DPA, there is no mandatory requirement to report data security breaches or losses to the Office. However, this does not affect the possibility of other public authorities to report data security infringements or losses to the Office if they suspect that such an event might have occurred.


The Office is responsible for the enforcement of the DPA. Upon a complaint from a data subject or another person or a report from public authorities, the Office shall commence administrative proceedings to ascertain possible breaches of obligations or conditions stipulated by the DPA and eventually can impose a fine for these breaches. The Office may issue decisions to provide temporary relief for the data subject or to ensure due rectification depending on the nature of the breach.

The Office may impose fines for breaches of the DPA between EUR 330 to EUR 332.000. The Head of the Office or the Chief Inspector may publish a notice containing the identity of the data controller or data processor that breached or circumvented the provisions of the DPA and the final decision of the Office regarding such breach, including its descriptions, and merits of the case. The Office may also impose disciplinary fines on the data controller or the data processor in instances stipulated by the DPA.


Electronic marketing shall be governed by Act No. 351/2011 Coll. on Electronic Communications, as amended ("ECA").

Under the ECA, processing of the traffic data of a subscriber or user for the purposes of marketing services or purposes of ensuring the value added services by any public network or service providers is possible solely with the prior consent of the subscriber or the user.

Prior to obtaining the consent, the public network or service providers are obliged to inform the subscriber or user on (i) the type of the traffic data processed, (ii) the purpose of the traffic data processing and (iii) the duration of the data processing.

For the purposes of direct marketing, the call or use of automatic calls and communications systems without human intervention, facsimile machines, e-mail, including SMS messages to the subscriber or user, who is a natural person, is allowed solely with his/her prior consent. Such consent shall be proved. Users or subscribers are entitled to withdraw such consent at any time.

The prior consent of the recipient of a marketing e-mail shall not be required in the case of direct marketing of own similar products and services of a person, that has obtained electronic contact information of the recipient from the previous sale of its own product and/or service to such recipient and in line with the provisions of the ECA. The recipient of an e-mail shall be entitled to refuse at any time, by simple means and free of charge such use of electronic contact information at the time of its collection and on the occasion of each message delivered in the case the recipient has not already refused such use.

Both, (i) sending e-mails for the purposes of direct marketing without the determination of a valid address to which the recipient may send a request that he/she is no longer willing to receive such communication and (ii) encouragement to visit a website in contradiction with a special regulation, shall be prohibited.


As regards the protection of privacy and protection of personal data processed in the electronic communications sector, the provisions of the ECA shall apply. The ECA implemented Directive 2002/58/EC (as amended by Directive 2009/136/EC).

Under the ECA, the public network or service providers is obliged to ensure technically and organisationally the confidentiality of the communications and related traffic data, which are conveyed by means of its public network and public services. In particular recording, listening, storage of data (or other kinds of an interception or a surveillance of communications and data related thereto) by persons other than users, or without the consent of the concerned users, shall be prohibited. However, this does not prohibit the technical storage of data, which is necessary for the conveyance of communications. However, the principle of confidentiality shall still apply.

Further to this, the network or service provider ("undertaking company") shall not be held liable for the protection of the conveyed information if such information can be directly listened to or obtained at the location of the broadcasting and/or reception.

However, this ban does not apply to temporary recording and storing of messages and related traffic data if it is required; (i) for the provision of value added services ordered by a subscriber or user; (ii) to prove a request to establish, change or withdraw the service; or (iii) to prove the existence or validity of other legal acts, which the subscriber, user or undertaking company has made.

Under the ECA, each person that stores or gains access to the information stored in the terminal equipment of a user must be authorised for such processing by the concerned user whose consent must be based upon exact and complete information regarding the purpose of such processing of the data. In this regard, also the use of the respective setting of the web browser or other computer programme is considered (implied) consent.

Traffic Data – Traffic Data can only be processed for the purpose of the conveyance of a communication on an electronic communications network or for the invoicing thereof. The Traffic Data related to subscribers or users may not be stored without the consent of the person concerned and the undertaking company is required, after the end of a communication transmission, without delay, to destroy or make anonymous, except the cases as defined by the ECA.

If it is necessary for the invoicing of the subscribers and network interconnection payments, the undertaking company is required to store the Traffic Data until the expiration of the period during which the invoice may be legally challenged or the claim for the payment may be asserted. The undertaking company is required to provide the Traffic Data to the Office or the court in case of a dispute between undertaking companies or between an undertaking company and a subscriber. The scope of the stored Traffic Data must be limited to the minimum necessary.

Location Data – The undertaking company may process the Location Data other than the Traffic Data which relates to the subscriber or the user of a public network or public service only if the data are made anonymous or the processing is done with user consent, and in the scope and time necessary for the provision of the value added service. The undertaking company must, prior to obtaining consent, inform the subscriber or user of the Location Data other than Traffic Data which will be processed, on the purpose and duration, and whether the data will be provided to a third party for the purposes of the provision of the value added service. The subscriber or user may revoke its consent for the processing of the location data at any time.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.

DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Practice Guides
by Mondaq Advice Centres
Relevancy Powered by MondaqAI
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions