On 30 January 2018, a new act on the protection of personal data in the Slovak Republic was published in the Collection of Laws under the number 18/2018 Coll. (hereinafter referred to as the "New Personal Data Protection Act"). The New Personal Data Protection Act replaces the current Slovak Act No. 122/2013 Coll. on the protection of personal data. The reason for the adoption of the New Personal Data Protection Act is primarily the European reform of the law on the protection of personal data, implemented in particular by the General Data Protection Regulation (hereinafter referred to as "GDPR"). The New Personal Data Protection Act should enter into force together with the GDPR on 25 May 2018. The New Personal Data Protection Act largely duplicates the provisions of the GDPR, which as a regulation is directly applicable in the Slovak Republic, but it also transposes into the Slovak legal order the so-called "Police" Directive (European Parliament and Council Regulation (EU) No 2016/680) and uses the option contained in the GDPR to define categories of exceptions and derogations from the GDPR in the legal systems of EU Member States.
The latter exceptions and derogations, which will be further analyzed in this text, are contained in the provisions of Section 78 of the New Personal Data Protection Act. The key points to note consist of the following.
Possibility to process personal data for selected purposes without the consent of the data subject
Without the consent of the data subject, it is possible under Slovak law to process personal data for academic, artistic or literary purposes, or if the processing of personal data is necessary for the informing of the public through mass media and if the personal data is processed by the processor entitled to such business activity. However, such processing must not infringe the right of the data subject to protection of his or her personality or the right to privacy and, according to the explanatory memorandum, the processor must also consider whether the processing operation is indeed necessary.
The possibility of publishing contact details of the employee by the employer
In the situation where the processor is the employer of the data subject, the processor is, for the purposes and in connection with the fulfillment of the work, professional or functional obligations of the data subject, entitled to provide or disclose his or her personal data within the scope of:
- title, name, surname,
- job, job classification, functional classification,
- personal or employee number of the employee, department,
- place of work,
- phone number, fax number,
- e-mail address at the workplace and
- employer identification data.
The provision of the data must not infringe on the esteem and dignity of the data subject and, according to the explanatory memorandum, the operator must also consider whether the processing operation is indeed necessary.
Special regulation for the processing and publication of the birth number
When processing personal data, a birth number can be used to identify a natural person only if its use is necessary to achieve the intended purpose of the processing. If the birth number is processed on the legal basis of the consent of the data subject, such consent must be expressed and, simultaneously, such processing of the birth number must not be prohibited by a special law. It is forbidden to publish the birth number, the only exception being the possibility of publishing the birth number directly by the data subject himself or herself.
Genetic, biometric and health data
The New Personal Data Protection Act gives the processor the possibility to process genetic data, biometric data and health data on the legal basis of a specific law or an international treaty which the Slovak Republic is bound by. This is an authorization for the processor who needs the processing of such personal data for the purpose, for example, of providing healthcare in accordance with special laws.
Data provided by another natural person
The possibility of obtaining personal data about the data subject from another natural person and their processing in the information system of the processor is subject to the prior written consent of the data subject. Since this condition is explicitly bound only to the data provided by a natural (not a legal) person, it can be assumed that the provision is intended, inter alia, to protect the personal data of data subjects who have been recommended by other persons knowing them. The aforementioned obligation to obtain prior consent does not apply if, by providing personal data about the data subject into the information system, another individual protects his or her rights or legitimately protected interests, or notifies facts justifying the legal liability of the data subject, or the personal data is processed under a special law subject to specific provisions of the GDPR. A processor who processes such personal data must be able to demonstrate to the Data Protection Office at any time and upon its request that he has obtained it in accordance with this act.
Processing for archiving purposes, for scientific purposes or for historical research and for statistical purposes
Since these are privileged purposes, which are covered by a derogation from the purpose limitation principle, it is also possible to limit the rights of the data subjects when processing personal data for these purposes, namely the right of access, the right of rectification, the right of limitation and the right to object, and for the purpose of archiving in the public interest also the right to have another recipient notified and the right to portability pursuant to the GDPR.
If you have any further inquiries on this topic, or need any assistance with personal data protection, please feel free to contact us and our legal professionals at Konečná & Zacha will guide you through the GDPR jungle.