
What Needs to be Done Prior to Collection


Contact the data subject

Contact the Office for Personal Data Protection


Section 10 - Obtaining Personal Data


(1) The controller who intends to obtain personal data from the data subject shall be obliged to inform the data subject, at the latest during obtaining of the data, and notify him in advance of the following without being requested

a) the name and registered office or permanent residence of the controller; if on the territory of the Slovak Republic the controller’s representative acts on behalf of the controller which has a registered office or permanent residence in a third country, the controller’s representative shall also notify the data subject of the name and registered office or permanent residence of the controller,

b) the name and registered office and permanent residence of the processor, provided that the processor obtains personal data on behalf of the controller or the controller’s representative; in such case the processor shall be obliged to notify the data subject in time of information under this Subparagraph,

c) the purpose of the personal data processing; and

d) additional information in the extent necessary for safeguarding the rights and legitimate interests of the data subject with regard to all circumstances of the processing of personal data, in particular the right to be informed about conditions of the processing of his personal data

1. identification of the entitled person obtaining personal data or proving his pertinence, by a reliable document, to the entity, on behalf of which it acts; the entitled person shall be obliged to satisfy such request of the data subject without undue delay,

2. advice on voluntariness or obligation to provide the requested personal data; if the data subject may decide about provision of his personal data, the controller shall notify the data subject on what legal basis he intends to process the data subject’s personal data; if the obligation of the data subject to provide his personal data arises from a special Act, the controller shall inform the data subject which act imposes this obligation on the data subject and he shall warn the data subject of the consequences of refusing to provide the personal data,

3. third parties, provided that it is expected or clear that personal data will be provided to them,

4. group of recipients, provided that it is expected or clear that personal data will be made available to them,

5. form of making public, provided that personal data are to be made public,

6. third countries, provided that it is expected or clear that personal data will be transmitted to these countries,

7. advice on the existence of the data subject’s rights.

(2) If the controller did not obtain the data subject’s personal data directly from the data subject, he shall be obliged to notify the data subject, without undue delay but at the latest in the time before providing them for the first time to a third party (if such provision was expected already in obtaining of the personal data), of the information under Paragraph 1 Subparagraphs a) to c) and of additional information in the extent necessary for safeguarding the rights and legitimate interests of the data subject with regard to all circumstances of the processing of personal data, in particular the right to be informed about conditions of the processing of his personal data

a) advice on the possibility to decide on processing of the obtained personal data,

b) list of personal data,

c) third parties, provided that it is expected or clear that personal data will be provided to them,

d) group of recipients, provided that it is expected or clear that personal data will be made available to them,

e) form of making public, provided that personal data is to be made public,

f) third countries, provided that it is expected or clear that personal data will be transmitted to these countries,

g) advice on the existence of the data subject’s rights.

(3) The data subject does not have to be notified of the information under Paragraph 1, provided that with regard to all circumstances the controller is capable of proving to the Office, anytime upon its request, that at the time of obtaining the personal data all necessary information is already known to the data subject. The data subject does not have to be notified of the information under Paragraph 2 if

a) with regard to all circumstances the controller is capable of proving to the Office, anytime upon its request, that all necessary information is already known to the data subject in the time of the decisive event,

b) the processing of personal data is permitted by a special Act or by an international treaty binding for the Slovak Republic,

c) the subject of the processing is constituted solely by personal data that has already been made public, or

d) the processed personal data is intended for the purposes of artistic or literary expression, or for the purposes of informing the public by means of the mass media under the conditions stipulated in Section 7 Paragraph 4 Subparagraph a) the part of the sentence before the semicolon, or for historical or scientific research and development, or for the purposes of the State’s statistics, and if with regard to all circumstances the controller is capable of proving to the Office, anytime upon its request, that provision of such information is objectively impossible or would involve disproportionate costs and effort.

(4) The controller obtaining personal data for the purposes of identification of a natural person at his single entrance of the controller’s premises shall be entitled to request his name, surname, title and Identity Card number, or the number of an official identity card, or the number of a travel document, citizenship and for proving, by a submitted document, that the provided personal data is true. If the natural person identifies himself according to a special Act, the controller shall only be entitled to request for the registration number of his official identity card. In such cases, Paragraph 1 shall not apply.

(5) The controller or the processor obtaining, making available or providing personal data on the premises accessible to the public shall ensure their processing in secrecy.

(6) The personal data necessary for achieving the purpose of the processing may only be obtained by photocopying, scanning or other recording of official documents on an information carrier upon a written consent of the data subject or if a special Act expressly permits their obtaining without a consent of the data subject. Neither the controller nor the processor may force data subject’s consent or make it conditional with a threat of rejecting the contractual relation, service, goods or duty of the controller or processor laid down by law.

(7) The premises accessible to the public may be monitored by means of a video recording or audio recording only for the purposes of the public policy and security, disclosing criminal activities or interference with the State’s security, provided that the premises are clearly marked as being monitored. Marking of the fact that the premises are being monitored is not required if it is not stipulated by a special Act. The recording may only be used for the purposes of criminal prosecution or proceedings concerning misdemeanors, unless otherwise stipulated by a special Act.

(8) The controller who obtained personal data under Section 7 Paragraph 4 Subparagraph d) without the data subject being aware of that or directly from the data subject, shall provide the data subject, in the course of their first contact, with the information under Paragraph 1, and if the personal data is processed for the purposes of direct marketing, he shall also notify the data subject of his right to object in writing to their provision and use in the mail correspondence.

(9) The controllers whose scope of activity is direct marketing shall keep a list of the provided personal data under Section 7 Paragraph 4 Subparagraph d) in the following extent: name, surname, title and address of the data subject, date of its provision or the date of effectiveness of the prohibition of their further provision under Section 13 Paragraph 6, and the name of the legal or natural person to whom the above personal data was provided. The legal and natural persons to whom the above personal data was provided shall keep a list in the same extent.


Contact the Office for Personal Data Protection


Section 24 - Obligation to Register and Keep Records


The controller shall register the filing systems or keep records of them in the extent and under conditions stipulated by this Act.


Registration - Section 25


Conditions of Registration


(1) The Office shall execute the registration of filing systems free of charge.

(2) The obligation to register shall apply to all filing systems, in which personal data is processed by fully or partially automated means of processing, except for the filing systems

a) which are subject to a special registration under Section 27 Paragraph 2,

b) which are subject to internal supervision of a personal data protection official, which was authorized by the controller in writing under Section 19 Paragraph 2 or 8 and executes internal supervision of personal data protection pursuant to this Act,

c) containing personal data of natural persons processed for the purposes of fulfilment of pre-contractual relations or for the purposes of exercising the rights and obligations resulting for the controller from an existing or terminated employment relationship, civil service relationship, civil service employment relationship or membership relation with these natural persons, including personal data of their close persons,

d) containing personal data concerning membership of the persons in a trade-union organization, who are its members and if this personal data is processed by the trade union organization and used solely for its internal needs or containing personal data concerning religious beliefs of persons associated in a Church or religious association acknowledged by the State and if this personal data is processed by the Church or the religious association and used solely for their internal needs, or containing personal data concerning membership of persons in a political party or movement, of which they are members and if this personal data is processed by the political party or movement and used solely for their internal needs; or

e) containing personal data necessary for exercising of the rights or fulfilment of the obligations arising from a special Act or which are processed pursuant to a special Act.

(3) Assignment of a registration number to the filing system and issuance of a confirmation of its registration shall constitute a part of the registration; if the condition under Section 26 Paragraph 2 is fulfilled, the processing of personal data in the filing system shall not be conditioned by an issuance of a confirmation of its registration.

(4) In the case of doubts whether the filing system is subject to registration, a decision shall be made by the Office. The decision of the Office shall be binding.


Section 26


Registration


(1) The controller shall be liable for submittal of his filing system for registration.

(2) The controller shall submit the filing system for registration before commencement of the processing of personal data.

(3) At submittal of the filing system for registration the controller shall state the following data:

a) the name, registered office or permanent residence, corporate form and identification number of the controller,

b) the name and surname of the statutory authority of the controller,

c) the name and surname of the personal data protection official performing internal supervision of personal data protection, provided that his appointment is required (Section 19 Paragraph 2),

d) the name, registered office or permanent residence, corporate form and identification number of the controller’s representative, provided that he acts on the territory of the Slovak Republic on behalf of the controller, who has his registered office or permanent residence in a third country; in such case the data of the controller, who appointed the controller’s representative shall be stated in Subparagraph a),

e) the name and surname of the statutory authority or member of the statutory authority of the controller’s representative; in such case the data of the statutory authority or the member of the statutory authority of the controller, who appointed the controller’s representative shall be stated in Subparagraph b),

f) the identifier of the filing system,

g) the purpose of the processing of personal data,

h) the list of personal data,

i) the group of data subjects,

j) the group of recipients, provided that it is expected or clear that the personal data will be made available to them,

k) the third parties or a group of third parties, provided that it is expected or clear that personal data will be provided to them,

l) the third countries, provided that it is expected or clear that personal data will be transferred to these countries and the legal basis of the transborder flow,

m) the legal basis of the filing system,

n) the form of making public, provided that personal data is to be made public,

o) the general characteristics of the measures for ensuring protection of personal data,

p) the date of commencement of the processing of personal data.

(4) The data in the extent under Paragraph 3 shall be submitted to the Office in writing and they shall be confirmed by the controller’s statutory authority or electronically in the form of a database file with an attached print copy of the contents of the file confirmed by the controller’s statutory authority. The written form and the format of the database file shall be determined by the Office. Attaching of the above copy shall not be required in the case that the database file bears an electronic signature pursuant to a special Act.
