Data controllers and processors face a number of new obligations following new legislation introduced on 1 July 2013.
Appointing data processors
- A data processor can now only be authorised by the data controller in a written contract (containing details specified in the legislation). Written authorisation will no longer be enough.
- A data processor may appoint a ‘subcontractor’, which is a new definition, to process personal data on its behalf, as long as this is agreed in a written contract with the controller.
- A data processor is now required to notify the data controller in writing of its own breaches of the legislation.
- A data processor is now required to inform the Office for Personal Data Protection (the ‘Office’) if the data controller fails to rectify a breach. If the processor fails to do so, the processor and controller will be jointly and severally liable for the breach and any resulting damages.
Disclosing employees’ personal data
- Data controllers who are employers of data subjects are now permitted to disclose or make available (eg on their websites) the data subject’s data without first obtaining their consent, as long as it does not prejudice the data subject’s respect, dignity or security.
- The types of data to which this applies include the data subject’s title/degree, name, surname, work or service position and occupation, unit/department, place of work, telephone number, fax number or e-mail address at work, and the employer’s identification data, if needed in connection with the performance of work, service or occupational obligations.
Sensitive personal data
- Data processors must still obtain verifiable consent from the data subject before processing their sensitive personal data, but the consent no longer needs to be in writing.
Data controllers
- Data controllers must now notify third parties whenever that party has been given incorrect, incomplete or obsolete personal data, or the data was given without legal authority.
- Data controllers must now inform authorised persons processing personal data of the security guidelines, and keep records of informing them (in accordance with strict legislative requirements) of the rights and obligations arising from the processing of personal data.
- Data controllers must comply with security measures (as set out in regulation No. 164/2013 Z.z. issued by the Office) when processing personal data in a filing system. This involves keeping records of all technical, personal and organisational measures, or setting them out in a security guideline or a security project; which of these is required depends on whether sensitive data are processed in the filing system and whether the system is connected to a public computer network.
Data protection officials
- A data controller who processes personal data through more than 20 authorised persons must now appoint a data protection official to supervise data security. This was previously a requirement for any data controller employing more than five persons, irrespective of whether they were involved in processing the personal data.
- Data protection officials must now pass an examination organised by the Office, and will be required to re-sit it if they cease to act as a data protection official for more than two years. Details of the examination are set out in regulation No. 165/2013 Z.z. of the Office.
Cross-border transfers to non-EU countries
- Personal data can now be transferred to non-EU countries that do not ensure an adequate level of protection as long as the transfer complies with binding internal regulations or standard contractual clauses complying with European Commission decisions. Any transfer using non-standard contract terms requires consent from the Office.
- Personal data can now also be transferred more easily to a data controller or processor based in the USA that has joined the ‘Safe Harbor’ initiative, as long as the contract for the transfer of personal data complies with the contractual particulars set out in the legislation.
Registration and penalties
- The administrative fee for registering information systems is now €20 for ordinary registration and €50 for special registration.
- All penalties for breach of the law are now mandatory, instead of being at the Office’s discretion.
Harmonisation with new requirements
- Data controllers have until 31 December 2013 to re-register their information systems.
- Data controllers have until 30 June 2013 to harmonise their contractual relations with data processors.
- Authorised persons must be instructed about the new legislation by 31 December 2013.
- Data controllers must re-issue written authorisations to data protection officials and notify the Office of them by 30 June 2013.