Impact of General Personal Data Protection Regulation in Slovakia

Slovak legislation on personal data protection implementing the EU Data Protection Directive 95/46/EC is generally very strict when compared to the regulations of other EU Member states. These different rules – often, in Slovakia, excessively bureaucratic – resulting not only from legislation itself but also from its interpretation by the country’s Personal Data Protection Authority – often cause problems for both local entrepreneurs and international business groups with subsidiaries or branches in Slovakia. 

Perhaps most problematically, Slovak personal data protection legislation does not reflect the challenges of the digital world and requires the subject processing personal data to use a written form even in cases where the communication between all parties involved is only electronic, such as processing by hosting or cloud service providers. As an example, contracts between data controllers and data processors must, without exception, be physically signed by the parties concerned. Also, direct marketing communication addressed to the postal address of a data subject is allowed by law, while electronic mail with the same content requires the data subject's consent.

On May 25, 2018, however, personal data protection will be fully harmonized, subject to minor exceptions, throughout all EU member states in the form of the directly applicable General Data Protection Regulation 2016/679/EU (the GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC.

For many EU countries, the GDPR means an extension of their obligations. In Slovakia, however, the situation is slightly different. Many of the obligations imposed by the GDPR are already present in the Slovak Act on Personal Data Protection and are duly enforced by the local Authority with potential fines of up to EUR 200,000. Examples include the obligation of the data controller to be able to demonstrate that the data subject's consent was given, the obligation of data controllers to ensure that the data subject's consent is not required as a pre-condition for entering into a contract, and the existence of direct obligations of data processors.

Slovak data controllers and data processors are obliged to make and keep written documentation on the security measures they have adopted to protect personal data, including written records on instructions to all individuals – mostly their employees – processing personal data on their behalf and records of security incidents. If sensitive data is processed on computers connected to the Internet, such documentation needs to have the form of a “data security project,” which is mainly an analysis and description of the risks for personal data during its processing, the security aims, measures taken to prevent the risks (physical, organizational, personal, and technical), a review of the security status of the information system and its vulnerability, and – as a conclusion of such analysis – a determination of the necessary security measures and guidelines on processing activities, monitoring, and emergency situations. 

Also, similarly to the GDPR, Slovak law regulates the position of a Data Protection Officer, who must have sufficient expert knowledge. In particular, Slovak companies processing personal data were obliged (later this obligation was amended to a right) to appoint to this position only an officer who has first passed an examination organized by the Personal Data Protection Authority.

The GDPR introduces a more modern approach to personal data protection than is currently valid in Slovakia. According to the GDPR, after May 2018 valid consent of a data subject will not require that its period of validity be specified, and the electronic form of contracts with data processors, or a “general” consent to sub-processors that does not identify them, will be sufficient. Notification, special registration, or record keeping of each information system will be replaced by the obligation of a controller/processor employing 250 or more persons (subject to exceptions) to maintain records (also in electronic form) on the processing activities.

The main new effects that the GDPR will have on Slovak data controllers or processors include the obligation to notify the Authority of any security incidents, the data subjects' right to be forgotten, the right of data portability, and, especially, a significant increase in possible fines (up to 4% of annual worldwide turnover or EUR 20 million).

As an answer to the GDPR, the Personal Data Protection Authority has already announced the preparation of a new Act on Personal Data Processing. Specific regulations on the processing of the personal data of employees or birth identification numbers are expected, as the GDPR left those areas to national legislation.

By Andrea Farinic Stefancikova, Head of Data Protection Practice Group for CEE, Peterka & Partners

This article was originally published in Issue 4.2 of the CEE Legal Matters Magazine.