Privireal: Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Slovakia - Data Protection

History of Data Protection in SLOVAKIA

The first dedicated legislation on data protection in Slovakia was Act No. 52/1998 Coll. on the protection of personal data in information systems. The Commissioner for the Protection of Personal Data was charged with supervising the system.

On 1 September 2002 a new Act (No. 428/2002 Coll.) on the Protection of Personal Data entered into force. Its aim was to introduce a more comprehensive system of protection in line with European law, as Slovakia aimed to join the European Union. Slovakia was one of the 10 states that gained membership of the EU in May 2004. The Act has recently been amended by Act No. 90/2005 Coll.

Summary of Data Protection in SLOVAKIA

Title of Data Protection Legislation: Coll. on Protection of Personal Data (English consolidated version)
Name of supervisory authority: Office for Personal Data Protection
General Powers of supervisory authority: Article 28 of the Act sets out the Commissioner's functions: "The Commissioner shall carry out the following main functions:
a) he or she shall decide in cases of doubt about the registration of information systems under Article 19(5);
b) he or she shall conduct prior checks of information systems filed for registration (Art. 20) and shall review them with regard to any potential danger of violating the rights and freedoms of data subjects (Art. 21(2));
c) he or she shall continuously monitor the current status of the protection of personal data in information systems and the registration of these systems;
d) he or she shall recommend measures to controllers for ensuring the protection of personal data in information systems;
e) he or she shall monitor the processing of personal data in information systems; to this end he or she shall be entitled to inspect materials and obtain extracts of data from the controller and processor;
f) at the controller's request, he or she shall decide in cases of doubt about the provision of personal data to another country;
g) he or she shall receive and deal with complaints concerning any breach of the protection of personal data in information systems;
h) in the event of a suspected breach of the obligations vested hereunder, he or she may summon the controller or the processor with the aim of requiring an explanation;
i) he or she shall notify the authorities conducting criminal proceedings in the case of a suspected criminal offence;
j) he or she shall file motions, if a breach of obligations set forth hereunder is discovered;
k) he or she shall participate in the preparation of generally binding regulations in the field of personal data protection;
l) he or she shall manage the operations of the inspection unit;
m) he or she shall submit to the Government of the Slovak Republic and the National Council of the Slovak Republic a report on the status of the protection of personal data in information systems at least once a year."
Who has standing to notify the supervisory authority of breaches? Probably anybody, but certainly the data subject. See Article 13(5) and Article 28(g) of the Act on the Protection of Personal Data in Information Systems.
What are the penalties for data controllers if they breach the law? Controllers who breach the law may be punished by a fine (Article 33 of the Act on the Protection of Personal Data in Information Systems). In addition, the Commissioner can also publicise the facts of the case (Articles 37(3) and 38).
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Article 3(a) of the 2002 Act defines personal data as "any data relating to an identified or identifiable natural person, where such a person is one who can be identified, either directly or indirectly, in particular by reference to an identification number or to one or more features or attributes constituting his physical, physiological, mental, economic, cultural or social identity." Presumably, then, national identification numbers are to be treated as ordinary personal data.
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably necessary to get consent when doing so is not impracticable or inappropriate.
Does the Data Protection Legislation cover the deceased? Yes. Consent to use the data of the deceased may be given by a "near person" (Article 4(5) of the Act).
Who is able to indirectly identify the data subject? Anybody.
