Data protection and cybersecurity laws in Slovakia

Data protection

1. Local data protection laws and scope

  • Act no. 18/2018 Coll. on personal data protection and amending and supplementing certain Acts

This Act implements the data protection standards of the GDPR and defines necessary local derogations as permitted by the GDPR.

https://dataprotection.gov.sk/uoou/en/content/english-version-act-182018-personal-data-protection-and-amending-and-supplementing-certain

  • Act No. 351/2011 Coll. on electronic communications

This law regulates the rights and obligations of undertakings and users of electronic communications networks and electronic communications services, as well as the protection of privacy and of personal data processed in the field of electronic communications.

https://www.teleoff.gov.sk/data/files/22211.pdf

  • Act No. 300/2005 Coll., the Criminal Code

The Slovak Criminal Code treats the protection of personal data as a protected interest and accordingly recognises the offence of unauthorised processing of personal data under § 374.

https://www.legislationline.org/download/id/3763/file/Slovakia_CC_2005_en.pdf

  • Decree of the Office for personal data protection of the Slovak Republic no. 158/2018 Coll. on procedure for data protection impact assessment

This decree regulates the impact assessment procedure of planned processing operations by the data controller on the protection of personal data.

https://www.slov-lex.sk/pravne-predpisy/SK/ZZ/2018/158/20180615
(An English version is not available at the moment.)

3. Anticipated changes to local laws

There are no anticipated changes.

4. Sanctions & non-compliance

Administrative sanctions:

  • The Office may impose a fine of up to EUR 20m or, in the case of a company, up to 4% of the total worldwide annual turnover for the previous financial year, whichever amount is higher.
  • A fine may be imposed on anyone who has not complied with or has violated any of the basic principles of personal data processing, breached obligations when transferring personal data to a third country, or breached any of the obligations of lawful processing of personal data.
  • The Office may impose additional remedies, such as instructing entities to stop processing personal data.

Criminal sanctions:

The offence of unauthorised processing of personal data is punishable by imprisonment of up to two years, depending on the damage inflicted and the overall nature of the offence.

Others:

N/A

5. Registration / notification / authorisation

Notification must be given to the Office or to the data subject if personal data have been breached in the course of processing carried out by a data controller or a processor.

6. Main obligations and processing requirements

The following local derogations, as permitted by the GDPR, apply:

  • There is an exception to the duty of prior consent for the processing of personal data for the purpose of informing the public through the mass media. The most common examples are the processing of personal data in television or radio news and in newspapers, provided they are registered with the Ministry of Culture of the Slovak Republic.

This exception can be overridden by the data subject's right to the protection of his or her personality and privacy, where the processing of personal data would violate those rights;

  • The Slovak legislator has developed its own provisions on the processing of personal data of the deceased. Under the Personal Data Protection Act, if the data subject is no longer alive, consent to the processing of his or her personal data may be given by any of his or her close persons. At the same time, it is necessary to bear in mind that if even one close person expresses disagreement in writing, the consent is not valid;
  • Employers are entitled to disclose specific work-related personal data of employees without prior consent, such as name, surname, job classification, professional department, place of work, telephone number, email address etc., if this is necessary in connection with the performance of the employee's work duties. This provision cannot be extended to other categories of personal data not specified in the relevant provision (e.g. photographs);
  • The data processor may also process genetic, biometric and health data on the legal basis of a special regulation or an international agreement by which the Slovak Republic is bound;
  • The rights of data subjects may be restricted for scientific, historical or statistical purposes on the basis of a special regulation or an international agreement by which the Slovak Republic is bound (subject to certain conditions and guarantees). The affected rights of the data subject may be restricted only if exercising them would be likely to prevent or seriously impede the achievement of the objectives of the relevant historical, statistical or scientific inquiry;
  • Disclosure of a generally applicable identifier is prohibited. A generally applicable identifier (e.g. a personal identification number) may be used for the purpose of identifying a natural person only pursuant to a special regulation. The disclosure prohibition also does not apply if the generally applicable identifier is published by the data subject himself or herself, or where the data subject has given explicit consent.

7. Data subject rights

There are no derogations from the GDPR.

8. Processing by third parties

According to the Slovak Act on personal data protection, a data processor may obtain personal data of a data subject from another natural person and process them in its information system only with the prior written consent of the data subject. This provision is relevant, for example, to referral programmes (client or employee referrals).

9. Transfers out of country

There are no derogations from the GDPR.

10. Data Protection Officer

There are no derogations from the GDPR.

11. Security

There are no derogations from the GDPR.

12. Breach notification

There are no derogations from the GDPR.

13. Direct marketing

The data subject shall have the right to object to the processing of personal data concerning him/her for the purpose of direct marketing, including profiling, in so far as it relates to direct marketing. If the data subject objects to the processing of personal data for the purpose of direct marketing, the controller shall not further process personal data for the purpose of direct marketing.

14. Cookies and adtech

Storage of, or access to, information stored in a user's device is only possible if the user has given consent based on clear and complete information about the purpose of the processing. The use of the appropriate settings of a web browser or other computer program shall also be deemed to constitute consent for this purpose.

The data controller shall offer the data subject an opt-in method. That method shall specify the purpose for which the cookies are used.

15. Risk scale

Severe

Cybersecurity

1. Local cybersecurity laws and scope

The NIS Directive was implemented in 2018 through Act no. 69/2018 Coll. on cybersecurity and on amendments to certain laws.

Relevant local laws and regulations:

  • Act no. 69/2018 Coll. on cybersecurity and on amendments to certain laws;
  • Act no. 300/2005 Coll., the Criminal Code;
  • Decree of the National Security Authority no. 165/2018 Coll. on establishing identification criteria for individual categories of serious cybersecurity incidents and details of reporting of cybersecurity incidents;
  • Decree of the National Security Authority no. 164/2018 Coll. which determines the identification criteria of the operated service (basic service criteria);
  • Decree of the National Security Authority no. 362/2018 Coll. on laying down the content of security measures, the content and structure of security documentation and the scope of general security measures;
  • Decree of the National Security Authority no. 436/2019 Coll. on cybersecurity audit and the auditor's knowledge standard.

2. Anticipated changes to local laws

Further changes to Slovak legislation are likely to be introduced in the process of implementing the NIS 2 Directive, the draft of which was submitted by the European Commission in December 2020.

However, it is likely that this will be preceded by the approval of an amendment to the Cybersecurity Act.

The proposal to amend the Cybersecurity Act underwent an interdepartmental comment procedure in November 2020 and is likely to enter into force in 2021 (subject to parliamentary approval).

3. Application

The scope of local laws is as follows:

  • Act on cybersecurity and on amendments to certain laws

This act regulates the organisation, competence and responsibilities of public authorities in the field of cybersecurity, national cybersecurity strategy, unified cybersecurity information system, the organisation and scope of cybersecurity incident response teams ("CSIRTs") and their accreditation, the status and obligations of the basic service provider and the digital service provider, precautions, cybersecurity system, control of compliance with this act and audit.

  • Criminal Code

In the cybersecurity field the Slovak Criminal Code defines offences related to computer systems or computer data.

  • Decree of the National Security Authority on establishing identification criteria for individual categories of serious cybersecurity incidents and details of reporting of cybersecurity incidents

This decree regulates identification criteria for individual categories of serious cybersecurity incidents and details of reporting of cybersecurity incidents.

  • Decree of the National Security Authority which determines the identification criteria of the operated service (basic service criteria)

This decree regulates the identification criteria of the operated service.

  • Decree of the National Security Authority on laying down the content of security measures, the content and structure of security documentation and the scope of general security measures

This decree regulates the content of security measures, the content and structure of the security documentation and the scope of the general security measures taken by the basic service provider.

  • Decree of the National Security Authority on cybersecurity audit and the auditor's knowledge standard

This decree regulates the cybersecurity audit and the auditor's knowledge standard.

5. Key obligations

The National Security Authority is responsible for the following:

  • Determines standards, operational procedures, issues methodology and behaviour policy in cyberspace;
  • Determines the principles of prevention and solving cybersecurity incidents;
  • Elaborates national cybersecurity strategy;
  • Publishes an annual report on the state of cybersecurity in the Slovak Republic;
  • Fulfils the notification and reporting obligations to the relevant bodies of the European Union and the North Atlantic Treaty Organization;
  • Ensures the membership of the Slovak Republic in the cooperation group and in the network of CSIRT units;
  • Develops international cooperation and monitors the impacts of cybersecurity activities on the foreign policy interests of the Slovak Republic and partners within the European Union and the North Atlantic Treaty Organisation;
  • Accredits CSIRT units in addition to the National CSIRT and the governmental CSIRT units and adds them to the accredited CSIRT units list.

6. Sanctions & non-compliance

Administrative sanctions:

  • The Authority may impose fines ranging from EUR 300 up to EUR 30,000 on a basic service operator who commits an administrative offence by infringing its obligations;
  • The Authority may impose fines ranging from EUR 300 up to 1% of the total annual turnover of the preceding financial year (not more than EUR 300,000) on a basic service operator for breaching the obligation to notify the Office of its name and registered seat, contact details, etc. within 30 days of the date on which the digital service is provided;
  • The Authority may impose fines ranging from EUR 300 up to EUR 30,000 on a digital service provider for breaching the obligation to report changes in its name and registered seat, contact details, etc.; the digital service provider may also be fined for breach of obligations arising from the contract concluded with the basic service operator, if it uses the basic service operator to provide its digital service;
  • The Authority may impose a fine ranging from EUR 300 up to EUR 100,000 on those who do not provide information at the Office's request aimed at developing a national cybersecurity strategy.

Criminal sanctions:

The Slovak Criminal Code recognises the following offences related to computer systems or computer data:

  • Unauthorised interference with a computer system: depending on the damage inflicted and the overall nature of the offence, punishable by imprisonment from six months up to ten years;
  • Unauthorised tampering with computer data: depending on the damage inflicted and the overall nature of the offence, punishable by imprisonment from six months up to ten years;
  • Unauthorised interception of computer data: depending on the damage inflicted and the overall nature of the offence, punishable by imprisonment from six months up to ten years;
  • Production and possession of an access device, computer system password or other data: depending on the damage inflicted and the overall nature of the offence, punishable by imprisonment of up to five years.

Others:

N/A

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes, there is a national computer emergency response team (SK-CERT).

The role of the National CSIRT unit is performed by SK-CERT.

8. National cybersecurity incident management structure

The national incident management structure is handled by the National Security Authority.

9. Other cybersecurity initiatives

  • Cyber Defence Center of the Slovak Republic
  • Cyber Security Competence and Certification Centre
  • Cysec Club

Oliver Werner
Partner
Bratislava

Martina Šímová
Senior Associate
Bratislava