On 30 April 2013 the National Council of the Slovak Republic finally approved the new act on protection of personal data (Act No. 122/2013 Coll.) (New Act). It came into force on 1 July 2013 and replaced the original act on protection of personal data (Act No. 428/2002 Coll.) (Original Act). The New Act brings several changes most significant of which are described below.
Relationship of data controller and data processor
Contrary to the Original Act, the New Act stipulates essential terms which a written contract between a data controller (e.g. employer) and a data processor (e.g. external payroll agency) must contain.
Employee Personal Data
If it is necessary in connection with performance of their work, service or position, employers are entitled to make available or publish certain personal data about data subjects (e.g. title, name, surname, working position, place of work, telephone number, work e-mail address, etc.) even without their consent, although this must still be in a manner which does not interfere with dignity and security of the data subject. This was not allowed by the Original Act.
Data protection officer (DPO)
Under the New Act the obligation to appoint a DPO to supervise protection of personal data processed applies only to a data controller which processes personal data using 20 or more authorised persons (i.e. individuals who handle and process personal data). Under the Original Act, this obligation applied to a data controller employing more than 5 employees. A DPO may only be appointed as such having, inter alia, successfully passed the data protection officer examinations at the Slovak Data Protection Authority (DPA).
The New Act removes the option of appointing a data protection officer "voluntarily". Hence, a data controller processing personal data using less than 20 authorised persons is required to register with the Data Protection Authority filing systems in which it processes personal data unless the information system: (i) is subject to special registration with the DPA, (ii) contains personal data about membership in a civil association, trade union, political party or movement processed for its internal purposes or personal data about religion processed for internal purposes of a parish, or (iii) contains personal data processed based on a law, a legally binding act of the European Union or an international treaty binding for the Slovak Republic.
A significant and positive change introduced in relation to cross-border transfers is the removal of the need to obtain a data subject's written consent (or to meet other specific exemption(s)) for transfer of personal data to a country outside the EU whose laws do not provide an adequate level of protection provided, however, that a data controller adopts appropriate safeguards (i.e. so long as standard contractual clauses or binding corporate rules are in place to protect the security of the employee’s data).
The New Act stipulates specific terms that must be contained in a contract for transfer of personal data entered into with a safe harbour certified data recipient – for example, from the US (as a country not providing adequate level of protection).
Under the New Act, transfers of personal data under the above conditions are not subject to prior approval by the DPA.
The New Act stipulates transition periods within which processing of personal data must be made compliant with the new requirements. The lengths of such periods vary from 6 months (e.g. in relation to registrations of information systems) to 1 year (e.g. in relation to making compliant contractual arrangements between data controllers and data processors or appointment of DPO).
Content is for general information purposes only. The information provided is not intended to be comprehensive and it does not constitute or contain legal or other advice. If you require assistance in relation to any issue please seek specific advice relevant to your particular circumstances. In particular, no responsibility shall be accepted by the authors or by Abbiss Cadres LLP for any losses occasioned by reliance on any content appearing on or accessible from this article. For further legal information click here.
Circular 230 disclosure
To ensure compliance with requirements imposed by the IRS and other taxing authorities, we inform you that any tax advice contained in this article (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.
If you would like to copy or otherwise reproduce this article then you may do so provided that: (1) any such copy or reproduction is for your own personal use or if it is made available to any third party it is done so on a free of charge basis; and (2) the article is reproduced in full together with the contact details, disclaimer and any logos as they appear on each article.