The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Last reviewed 8 October 2018
- Act No. 18/2018 Coll. on Personal Data Protection (New Data Protection Act) – from 25 May 2018
- Act No. 351/2011 Coll. on Electronic Communications
If applicable: stage of legislative implementation of GDPR
The Data Protection Act has been effective since 25 May 2018.
If applicable: local derogations as permitted by GDPR
The Data Protection Act sets out more detailed rules in the following areas:
- Processing of national identification numbers (Article 87): Processing a birth identification number is possible only if its use is necessary to achieve the purpose of the processing. Where the processing is based on consent, express consent is required and such consent must not be excluded by a special regulation. Publishing a birth identification number is forbidden; this does not apply if the data subject publishes it himself/herself.
- Processing in the context of employment (Article 88): An employer may provide the following employee personal data, if necessary for the fulfilment of the data subject's working obligations: title, name, surname, job position, personnel number or employment number of the employee, department, place of work, phone number, fax number, work email address and identification data of the employer. Provision or publication of personal data must not undermine the integrity, dignity or security of the data subject.
- Processing and freedom of expression and information (Article 85): Processing for journalistic purposes and processing for academic, artistic or literary expression is possible even without the data subject's consent, unless processing for those purposes breaches the data subject's right to personality protection or right to privacy, or unless such processing without consent is prohibited by a special act or an international treaty binding upon Slovakia.
- GDPR shall apply in Slovakia to the extent of its scope.
- The Data Protection Act (with the exception of sections containing provisions stipulated directly in GDPR and sections concerning processing for criminal purposes) shall apply to data processing regulated by GDPR.
- The Data Protection Act shall also apply to data processing by the Police Corps, Military Police, Prison and Judicial Guards, Financial Administration, public prosecutors and courts for the purposes of criminal proceedings.
- The Data Protection Office does not have powers to enforce sanctions imposed within administrative proceedings.
- Sanctions for non-compliance with data protection laws are fines and disciplinary fines.
- Under GDPR and the Data Protection Act it is possible to impose a maximum fine of EUR 20,000,000 or 4% of worldwide annual turnover, whichever is higher.
- The Office for Personal Data Protection of the Slovak Republic does not regularly publish statements or comments on specific cases once the investigation is completed. Instead, it publishes a report every two years providing statements on selected significant cases, without naming the investigated person.
- In 2016, the highest fine issued by the Office was EUR 7,000 (the average fine was EUR 2,130). The case involved collecting biometric information without a reasonable purpose, but concrete information on the case was not disclosed.
Registration / notification
- Data controllers must notify the Data Protection Office of the contact details of their data protection officer, if one is appointed.
Main obligations and processing requirements
- The obligations and processing requirements shall be governed by the provisions of GDPR.
Data subject rights
- Rights are provided in line with GDPR.
Processing by third parties
- Processing by a data processor on behalf of a data controller is possible only if based on a written data processing agreement, which must contain all the obligatory requirements under the GDPR.
Transfers out of country
- Free transfer within the EU.
- Personal data may not be transferred to a third country that has not been recognised as adequate unless the necessary safeguards are in place (e.g. EU model clauses, binding corporate rules or Privacy Shield certification), the data subject has consented, or another condition stated in the GDPR is met.
Data Protection Officer
- The appointment is obligatory only in situations specifically mentioned in GDPR.
- The data controller and data processor must take appropriate technical and security measures to protect the processed personal data.
- Personal data breach notification obligations are governed by GDPR.
For the purposes of direct marketing, calling subscribers or users, and using automated calling and communication systems without human intervention, facsimile machines, electronic mail or SMS, is allowed only with the recipient's prior consent, which must be provable. Consent may be revoked at any time.
The prior consent of the recipient of an e-mail is not required where it concerns direct marketing of products or services similar to those of a previous sale during which the marketer obtained the recipient's contact information. In that case, e-mail recipients must be offered the option of rejecting the use of their contact information at the time their information is collected and in each subsequent message.
For regular (postal) mail, any direct marketing has to be based on one of the legal grounds under GDPR.
Cyber Security
Last reviewed 8 October 2018
Laws and regulations
- Act No. 215/2004 Coll. on Protection of Classified Information (Act on Protection of Classified Information)
- Act No. 272/2016 Coll. on Trusted Services for Electronic Transactions in the Internal Market (Act on Trusted Services)
- Act No. 69/2018 Coll. on Cybersecurity (Act on Cybersecurity)
- Decree of National Security Authority No. 164/2018 Coll. on determining the identification criteria of the operated service (basic service criteria)
- Decree of National Security Authority No. 165/2018 Coll. on determining the identification criteria for each category of serious cyber-security incident and the details of cyber-security incident reporting
- Decree of National Security Authority No. 166/2018 Coll. on details on the technical, technological and personnel capabilities of the Cyber Security Response Unit
Anticipated changes to law
The NIS Directive has been transposed into Slovak law by the Act on Cybersecurity, which entered into force on 1 April 2018.
The Act on Protection of Classified Information sets out:
- conditions for protection of classified information
- rights and obligations of individuals concerning the protection of classified information
- competency of the National Security Authority and other state authorities in relation to classified information.
The Act on Trusted Services sets out:
- conditions for the provision of trusted services
- obligations of the providers of trusted services
- competency of the National Security Authority.
The Act on Cybersecurity sets out:
- organisation, competencies and obligations of public administration authorities in the field of cybersecurity
- the National Cybersecurity Strategy
- the Cybersecurity Single Information System
- the status and obligations of operators of essential services and digital service providers
- inspection of compliance with the Act on Cybersecurity
- security measures and the cybersecurity assurance system.
Decree of National Security Authority No. 164/2018 Coll. sets out the identification criteria of the operated service (basic service criteria).
Decree of National Security Authority No. 165/2018 Coll. sets out the identification criteria for each category of serious cyber-security incident and the details of cyber-security incident reporting.
Decree of National Security Authority No. 166/2018 Coll. sets out details of the technical, technological and personnel capabilities of the Cyber Security Response Unit.
National Security Authority: http://www.nbusr.sk/index.html
- Responsible for the protection of classified information and cryptographic protection of information.
- Responsible for cyber security matters and trusted services.
- Sets strategy for protection in the above areas.
- Receives the mandatory cybersecurity incident reports required in the Slovak Republic.
- Act on Protection of Classified Information: a breach incurs a maximum penalty of up to SKK 1,000,000 (EUR 33,194)
- Act on Trusted Services: a breach incurs a maximum penalty of up to EUR 66,000
- Act on Cybersecurity: a breach incurs a maximum penalty of up to EUR 300,000
- Other administrative and criminal sanctions may also apply
Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
The National Security Authority acts as the national CSIRT unit, with competency for the whole Slovak Republic.
The governmental CSIRT unit is operated by the Office of the Deputy Prime Minister of the Slovak Republic for Investment and Informatization for the sub-sector of public administration information systems.
Central governmental bodies (typically a ministry) perform the tasks of CSIRT units for the sectors or sub-sectors within their competency.
The National Security Authority also operates the Slovak Computer Emergency Response Team (SK-CERT), which was accredited on 3 May 2018.
Is there a national incident management structure for responding to cybersecurity incidents?
The Slovak government approved the Cyber Security Strategy of the Slovak Republic for 2015-2020, which proposes a new institutional framework for cyber security management in the country.
Other cybersecurity initiatives
The government also approved an Action Plan for Implementing the Cyber Security Strategy of the Slovak Republic for 2015-2020. The Action Plan sets out proposed tasks for providing adequate protection of the state's cyber space against potential dangers that could cause irreparable damage to the Slovak Republic and thus impair the trustworthiness of the state and/or an organisation.