The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Last reviewed April 2020
- Act no. 18/2018 Coll. on personal data protection and amending and supplementing certain Acts
- Decree of the Office no. 158/2018 Coll. on procedure for data protection impact assessment
- Act no. 351/2011 Coll. on electronic communications
Office for personal data protection of the Slovak Republic (the “Office”)
If applicable: stage of legislative implementation of GDPR
GDPR is already implemented in the Slovak legal order.
If applicable: local derogations as permitted by GDPR
- Possibility of processing personal data for selected purposes without the consent of the data subject
- Possibility of publishing the employee's contact information by the employer
- Special regulation of personal identification number processing and publication
- Genetic, biometric and health data
- Data provided by another natural person
- Processing for archiving, scientific or historical research and statistical purposes
- Automated and non-automated data processing operations
- Information relating to data subjects who are identified or identifiable
- Data controller and data processor established in Slovakia, outside Slovakia within member state of EU and outside of EU
The Office may impose a fine up to EUR 20,000,000 or, in the case of a company, up to 4% of the total worldwide annual turnover for the previous financial year, whichever amount is higher.
A fine may be imposed on anyone who has not complied with or has violated any of the basic principles of personal data processing, breached obligations when transferring personal data to a third country, or breached any of the obligations of lawful processing of personal data.
The Office may impose additional remedies, such as instructing to stop processing the personal data.
Registration / notification
Notification to the Office or to the data subject must be given if personal data has been breached in the course of processing carried out as part of the activity of a data controller or a processor.
Main obligations and processing requirements
A data controller shall take appropriate measures to ensure and prove that the processing of personal data is carried out in accordance with the Act on personal data protection.
The measures shall include the introduction by the data controller of adequate procedures for the protection of personal data, verification that the purpose of the processing still exists, and deletion of the personal data once that purpose has been fulfilled.
The data controller shall be obliged to introduce and implement specifically designed protection of personal data. It shall consist of taking appropriate measures, in particular in the form of pseudonymisation, before personal data processing, to ensure adequate security of the personal data.
Data subject rights
The data subject shall have the right to:
- obtain confirmation from the data controller whether their personal data is being processed
- be provided with information on the period of retention of personal data
- request the correction of personal data
- request deletion or restriction of data processing, or object to the processing of personal data
- be informed on the source of personal data, if personal data has not been obtained from the data subject
- be informed of the existence of automated individual decision making, including profiling
- be informed of adequate security if the personal data is transferred to a third country
- apply to the Office to initiate personal data protection proceedings if personal data are being processed illegally
- claim compensation from the data controller or the data processor if material or non-material damage is suffered.
Processing by third parties
The data controller may only authorize the processor who provides sufficient guarantees to take appropriate measures to ensure that the processing of personal data meets the requirements of the Act on personal data protection.
A data controller or processor that does not have a registered seat, a branch, an establishment or a permanent residence in a Member State is obliged to designate a representative in the territory of a Member State when processing the personal data of data subjects based in the Slovak Republic.
Transfers out of country
The transfer of personal data to a third country, or of personal data intended to be processed after transfer to a third country, may only take place if the data controller and the processor comply with the general conditions and with the conditions for the onward transfer of personal data from that third country to another third country.
The transfer may take place if the Commission has decided that the third country guarantees an adequate level of protection of personal data.
Data Protection Officer
The Data Protection Officer oversees the protection of personal data in the course of its processing by the controller or the processor.
The data protection officer can only be a natural person who has full legal capacity, is of good repute and holds a valid confirmation of having passed the Office's examination. A member of the statutory body of the data controller or the processor, or an external person, may also be designated.
Security measures may include, in particular, the pseudonymisation and encryption of personal data; ensuring the continued confidentiality, integrity, availability and resilience of personal data processing systems against threats; the process of restoring the availability of and access to personal data in the event of a physical or technical incident; and the process of regularly testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of personal data processing.
If the data controller fails to comply with the notification obligation within the deadline, they must justify the reason for the failure to notify.
Notification is not required if: (i) the data controller has taken appropriate technical and organizational protective measures and applied them to the personal data affected by the breach, in particular encryption or other measures that make the personal data illegible to persons not authorized to access it; or (ii) the data controller has taken follow-up measures to ensure that the high risk to the data subject's rights is no longer likely to materialise. If notifying data subjects individually would require a disproportionate effort, the controller shall inform the public or take other action to ensure that the data subjects are informed in an equally effective manner.
The data subject shall have the right to object to the processing of personal data concerning him/her for the purpose of direct marketing, including profiling, in so far as it relates to direct marketing. If the data subject objects to the processing of personal data for the purpose of direct marketing, the controller shall not further process personal data for the purpose of direct marketing.
Storage or access to information stored in a user's device is only possible if the user has given consent on the basis of clear and complete information about the purpose of the processing. The use of the appropriate settings of a web browser or other computer program shall also be deemed to be consent for this purpose.
The data controller shall offer the data subject an opt-in mechanism, which shall specify the purpose for which the cookies are used.
Cyber Security
Last reviewed April 2020
Laws and regulations
- Act no. 69/2018 Coll. on cyber security and on amendments to certain laws
- Decree of the National Security Authority no. 166/2018 Coll. on details of the technical, technological and personnel equipment of the cyber security incident handling unit
- Decree of the National Security Authority no. 165/2018 Coll. on establishing identification criteria for individual categories of serious cyber security incidents and details of reporting of cyber security incidents
- Decree of the National Security Authority no. 164/2018 Coll. which determines the identification criteria of the operated service (basic service criteria)
- Decree of the National Security Authority no. 362/2018 Coll. on laying down the content of security measures, the content and structure of security documentation and the scope of general security measures
- Decree of the National Security Authority no. 436/2019 Coll. on cyber security audit and the auditor's knowledge standard
Anticipated changes to law
No anticipated changes at the moment.
The legislation covers the organization, scope and responsibilities of public authorities in the field of cyber security, the national cyber security strategy, the unified cyber security information system, the organization and operation of cyber security incident handling units (CSIRTs) and their accreditation, the position and duties of basic service providers and digital service providers, security measures, the cyber security system, control over compliance, and audit.
National Security Authority (the “Authority”)
The Authority has the following functions:
- Determines standards, operational procedures, issues methodology and behaviour policy in cyberspace.
- Determines the principles of prevention and solving cyber security incidents.
- Elaborates national cyber security strategy.
- Publishes an annual report on the state of cyber security in the Slovak Republic.
- Fulfils the notification and reporting obligations to the relevant bodies of the European Union and the North Atlantic Treaty Organization.
- Ensures the membership of the Slovak Republic in the cooperation group and in the network of CSIRT units.
- Develops international cooperation and monitors the impacts of cyber security activities on the foreign policy interests of the Slovak Republic and partners within the European Union and the North Atlantic Treaty Organization.
- Accredits CSIRT units in addition to the National CSIRT unit and the government CSIRT unit and adds them to the list of accredited CSIRT units.
The Authority will impose a fine of between EUR 300 and EUR 30,000 on a basic service operator who commits an administrative offense by infringing its obligations.
The Authority will impose a fine of between EUR 300 and 1% of the total annual turnover of the preceding financial year (but not more than EUR 300,000) on the basic service operator for breaching the obligation to notify the Authority of its name and registered seat, contact details, etc. within 30 days of the date on which the digital service is provided.
The Authority will impose a fine of between EUR 300 and EUR 30,000 on a digital service provider for breaching the obligation to report changes in its name and registered seat, contact details, etc.; the digital service provider will also be fined for breach of obligations arising from the contract concluded with the basic service operator, if it uses the basic service operator to provide its digital service.
The Authority will impose a fine of between EUR 300 and EUR 100,000 on anyone who does not provide information at the Authority's request for the purpose of developing the national cyber security strategy.
Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Yes, there is a national computer emergency response team, CERT (SK-CERT), which was transformed from the national computer security incident response team (CSIRT National Unit) on 1 September 2019.
Is there a national incident management structure for responding to cybersecurity incidents?
Yes, a national incident management structure exists and is managed through the National Security Authority.
Other cybersecurity initiatives
Cyber Security Competence and Certification Centre.