SLOVAKIA
The Office for Personal Data Protection for the Slovak Republic website: http://www.dataprotection.gov.sk/buxus/generate_page.php?page_id=93&buxus=f6f144fead57940065eddd03fe7f8f7f
Act No. 428/2002 on Personal Data Protection (as amended most recently by Act No 585/2008): http://www.dataprotection.gov.sk/buxus/docs/act_428_2002_01_09.pdf
What needs to be done prior to collection?
REGISTER WITH THE OFFICE FOR PERSONAL DATA PROTECTION
Section 24 – Obligation to register and keep records
The controller shall register the filing systems or keep records of them in the extent and under the conditions stipulated by this Act.
Section 25 – Conditions of Registration
(1) The Office shall execute the registration of filing systems free of charge.
(2) The obligation to register shall apply to all filing systems, in which personal data are processed by fully or partially automated means of processing, except for the filing systems
a. Which are subject to a special registration under Section 27 Paragraph 2,
b. Which are subject to internal supervision of a personal data protection official, which was authorised by the controller in writing under Section 19 Paragraph 2 or 8 and executes internal supervision of personal data protection pursuant to this Act
c. Containing personal data of natural persons processed for the purposes of fulfilment of pre-contractual relations or for the purposes of exercising the rights and obligations resulting for the controller from an existing or terminated employment relationship, civil service employment relationship or membership relation with these natural persons, including personal data of their close persons,
d. Containing personal data concerning membership of the persons in a trade-union organisation, who are its members and if these personal data are processed by the trade-union organisation and used solely for its internal needs or containing personal data concerning religious beliefs of persons associated in a Church or religious association acknowledged by the state and if these personal data are processed by the Church or the religious association and used solely for their internal needs, or containing personal data concerning membership of persons in a political party or movement, of which they are members and if these personal data are processed by the political party or movement and used solely for their internal needs; or
e. Containing personal data necessary for exercising of the rights or fulfilment of the obligations arising from a special Act or which are processed pursuant to a special Act
(3) Assignment of a registration number to the filing system and issuance of a confirmation of its registration shall constitute a part of the registration; if the condition under Section 26 Paragraph 2 is fulfilled, the processing of personal data in the filing system shall not be conditioned by an issuance of a confirmation of its registration
(4) In the case of doubts whether the filing system is subject to registration, a decision shall be made by the Office. The decisions of the Office shall be binding.
Section 26 – Registration
(1) The controller shall be liable for submittal of his filing systems for registration
(2) The controller shall submit the filing systems for registration before commencement of the processing of the personal data
(3) At submittal of the filing system for registration the controller shall state the following data:
a. Name, registered office or permanent residence, corporate form and identification number of the controller,
b. Name and surname of the statutory authority of the controller,
c. Name and surname of the personal data protection official performing internal supervision of personal data protection, provided that his appointment is required (Section 19 Paragraph 2),
d. Name, registered office or permanent residence, corporate form and identification number of the controller’s representative, provided that he acts on the territory of the Slovak Republic on behalf of the controller, who has his registered office or permanent residence in a third country; in such case the data of the controller, who appointed the controller’s representative shall be stated in Subparagraph (a),
e. Name and surname of the statutory authority or member of the statutory authority of the controller’s representative; in such case the data of the statutory authority or the member of the statutory authority of the controller, who appointed the controller’s representative shall be stated in paragraph (b),
f. Identifier of the filing system,
g. Purpose of the processing of personal data,
h. List of personal data,
i. Group of data subjects,
j. Group of recipients, provided that it is expected or clear that the personal data will be made available to them,
k. Third parties or a group of third parties, provided that it is expected or clear that personal data will be provided to them,
l. Third countries, provided that it is expected or clear that personal data will be transferred to these countries and the legal basis of the transborder flow,
m. Legal basis of the filing system,
n. The form of making public, provided that personal data are to be made public,
o. General characteristics of the measures for ensuring protection of personal data,
p. Date of commencement of the processing of personal data
(4) The data in the extent under Paragraph (3) shall be submitted to the Office in writing and they shall be confirmed by the controller’s statutory authority or electronically in the form of a database file with an attached print copy of the contents of the file confirmed by the controller’s statutory authority. The written form and the format of the database file shall be determined by the Office. Attaching of the above copy shall not be required in the case that the database file bears an electronic signature pursuant to a special Act.
Section 28 – Notification of Alterations and Deregistration
(1) The Controller shall notify the Office in writing of any alterations of the data under Section 26 Paragraph (3) except for subparagraph (p) which occurred in the course of processing within 15 days
(2) The Controller shall deregister the filing system from the registration in writing within 15 days from the day of termination of the processing of personal data in the filing system. The date of termination of the processing of personal data shall constitute a part of deregistration
(3) The provision of Section 26 Paragraph 4 shall apply accordingly to the notification of alterations of data and deregistration of the filing system
CONTACT THE DATA SUBJECT
Section 10 – Obtaining Personal Data
(1) The controller who intends to obtain personal data from the data subject shall be obliged to inform the data subject, at the latest during obtaining of the data, and notify him in advance of the following without being requested:
a. The name and registered office or permanent residence of the controller; if on the territory of the Slovak Republic the controller’s representative acts on behalf of the controller which has registered office or permanent residence in a third country, the controller’s representative shall also notify the data subject of the name and registered office or permanent residence of the controller;
b. The name and registered office and permanent residence of the processor, provided that the processor obtains personal data on behalf of the controller or the controller’s representative; in such case the processor shall be obliged to notify the data subject in time of information under this subparagraph;
c. The purpose of the personal data processing; and
d. Additional information in the extent necessary for safeguarding the rights and legitimate interests of the data subjects with regard to all circumstances of the processing of personal data, in particular the right to be informed about conditions of the processing of his personal data
i. Identification of the entitled person obtaining personal data or providing his pertinence, by a reliable document, to the entity, on behalf of which it acts; the entitled person shall be obliged to satisfy such request of the data subject without undue delay;
ii. Advice on voluntariness or obligation to provide the requested personal data; if the data subject may decide about provision of his personal data, the controller shall notify the data subject on what legal basis he intends to process the data subject’s personal data; if the obligation of the data subject to provide his personal data arises from a special Act, the controller shall inform the data subject which act imposes this obligation on the data subject and he shall warn the data subject of the consequences of refusing to provide the personal data;
iii. Third parties, provided that it is expected or clear that personal data will be provided to them;
iv. Group of recipients, provided that it is expected or clear that personal data will be made available to them;
v. Form of making public, provided that personal data are to be made public;
vi. Third countries, provided that it is expected or clear that personal data will be transmitted to these countries;
vii. Advice on the existence of the data subject’s rights
(2) If the controller did not obtain the data subject’s personal data directly from the data subject, he shall be obliged to notify the data subject, without undue delay but at the latest in the time before providing them for the first time to a third party (if such provision was expected already in obtaining of the personal data), of the information under Paragraph 1 Subparagraphs (a) to (c) and of additional information in the extent necessary for safeguarding the rights and legitimate interests of the data subject with regard to all the circumstances of the processing of personal data, in particular the right to be informed about the conditions of the processing of his personal data
a. Advice on the possibility to decide on processing of the obtained personal data,
b. List of personal data,
c. Third parties, provided that it is expected or clear that personal data will be provided to them,
d. Group of recipients, provided that it is expected or clear that personal data will be made available to them,
e. Form of making public, provided that personal data are to be made public,
f. Third countries, provided that it is expected or clear that personal data will be transmitted to these countries,
g. Advice on the existence of the data subject’s rights
(3) The Data subject does not have to be notified of the information under Paragraph 1, provided that with regard to all the circumstances the controller is capable of proving to the Office, anytime upon its request, that in the time of obtaining the personal data all necessary information has already been known to the data subject. The data subject does not have to be notified of the information under Paragraph 2 if
a. With regard to all circumstances the controller is capable of proving to the Office, anytime upon its request, that all necessary information has already been known to the data subject in time of the decisive event,
b. The processing of personal data is permitted by a Special Act or by an international treaty binding for the Slovak Republic
c. The subject of the processing is constituted solely by the personal data that have already been made public; or
d. The processed personal data are intended for the purposes of artistic or literary expression, or for the purposes of informing the public by means of the mass media under the conditions stipulated in Section 7 Paragraph 4 Subparagraph (a) the part of the sentence before the semicolon, or for historical or scientific research and development, or for the purposes of the State’s statistics, and if with regard to all circumstances the controller is capable of proving to the Office, anytime upon its request, that provision of such information is objectively impossible or would involve disproportionate costs and effort
(4) The controller obtaining personal data for the purposes of identification of a natural person at his single entrance of the controller’s premises shall be entitled to request his name, surname, title and Identity Card number, or the number of an official identity card, or the number of a travel document, citizenship and for proving, by a submitted document, that the provided personal data is true. If the natural person identifies himself according to a special Act, the controller shall only be entitled to request for the registration number of his official identity card. In such cases, Paragraph 1 shall not apply.
(5) The controller or the processor obtaining, making available or providing personal data on the premises accessible to the public shall ensure their processing in secrecy.
(6) The personal data necessary for achieving the purpose of the processing may only be obtained by photocopying, scanning or other recording of official documents on an information carrier upon a written consent of the data subject or if a special Act expressly permits their obtaining without a consent of the data subject. Neither the controller nor the processor may force data subject’s consent or make it conditional with a threat of rejecting the contractual relation, service, goods or duty of the controller or processor laid down by law.
(7) The premises accessible to the public may be monitored by means of a video recording or audio recording only for the purposes of the public policy and security, disclosing criminal activities or interference with the State’s security, provided that the premises are clearly marked as being monitored. Marking of the fact that the premises are being monitored is not required if it is not stipulated by a special Act. The recording may only be used for the purposes of criminal prosecution or proceedings concerning misdemeanours, unless otherwise stipulated by a special Act.
(8) The controller who obtained personal data under Section 7 Paragraph 4 Subparagraph d) without the data subject being aware of that or directly from the data subject, shall provide the data subject, in the course of their first contact, with the information under Paragraph 1, and if the personal data is processed for the purposes of direct marketing, he shall also notify the data subject of his right to object in writing to their provision and use in the mail correspondence.
(9) The controllers whose scope of activity is direct marketing shall keep a list of the provided personal data under Section 7 Paragraph 4 Subparagraph d) in the following extent: name, surname, title and address of the data subject, date of its provision or the date of effectiveness of the prohibition of their further provision under Section 13 Paragraph 6, and the name of the legal or natural person to whom the above personal data was provided. The legal and natural persons to whom the above personal data was provided shall keep a list in the same extent.
What needs to be done prior to shipping?
Section 23 – Transfer of Personal Data to Third Countries
(1) If the third country ensures an adequate level of protection of personal data, the personal data may be transferred to this country only under condition that the data subject was provided with the information under Section 10 paragraph 1 or 2, or any of the conditions under Section 10 paragraph 3 was fulfilled
(2) The adequacy of the level of protection of personal data shall be assessed in the light of all the circumstances surrounding the transfer. Particular consideration shall be given to the respective legal regulations in the country of final destination with respect to the nature of the personal data, the purpose and duration of the processing
(3) Personal data may be transferred to the third country, which does not ensure an adequate level of protection only based on a decision of the European Commission or if any of the conditions under Paragraph 4 are fulfilled
(4) Where the country of final destination does not ensure an adequate level of protection, the transfer may be executed only under the condition that
a. The data subject gave a written consent to it, while knowing that the country of final destination does not ensure an adequate level of protection
b. It is necessary for performance of a contract between the data subject and the controller or for establishment of pre-contractual matters upon request of the data subject;
c. It is necessary for entering into, or performance of, a contract concluded by the controller, in the interest of the data subject with another entity;
d. It is necessary for performance of an international treaty binding for the Slovak Republic or resulting from the laws due to an important public interest or for proving, filing or defending a legal claim
e. It is necessary for protection of vital interests of the data subject; or
f. It concerns the personal data, which constitute a part of the lists, registers or files and are kept and publicly accessible pursuant to special Acts or are available, under these Acts, to the persons which prove a legal claim and fulfil the conditions prescribed by law for making them available
(5) If the controller decides to transfer personal data to a third country, which does not ensure an adequate level of protection after their obtaining, he shall notify the data subject before the transfer of the personal data of the reason for his decision and advise the data subject about his right to refuse such transfer under Section 20 paragraph 5, provided that the transfer is to be executed under the condition referred to in paragraph 4 subparagraph (a); the controller shall be entitled to execute the proposed transfer of personal data only after obtaining a written consent of the data subject.
(6) If the controller authorises an entity residing abroad for the processing of personal data on the controller’s behalf, this entity shall be entitled to process the personal data only in the extent and under conditions agreed upon with the controller in a written contract. The scope of the contract must be elaborated in accordance with the standard contractual terms stipulated for the transfer of personal data by an entity residing abroad processing them on the controller’s behalf
(7) A consent of the Office shall be necessary for transfer of personal data under paragraph 6
(8) The person executing transfer of personal data shall ensure their security during the transit
(9) Protection of Personal Data transferred to the territory of the Slovak Republic from the entities with registered office or permanent residence abroad shall be executed in accordance with this Act
(10) In the case of doubts whether a transborder personal data flow may be executed, a decision shall be made by the Office. The decision of the Home Office shall be binding.
Section 23a – Transfer of Personal Data within Member States of the European Union
A free flow of personal data between the Slovak Republic and the Member States of the European Union shall be ensured; the Slovak Republic shall not restrict or prohibit transfer of personal data for the reasons of protection of fundamental rights and freedoms of natural persons, in particular their right to privacy in respect of processing of their personal data
What are the sanctions for non-compliance?
Section 49 – Administrative Offences
(1) The Office may impose a fine in the amount from SKK 50,000 to SKK 10,000,000 to the controller or the processor who
- Failed to fulfil or breached any of the obligations stipulated in Sections 5, 6, 7, 10 or circumvented the provisions of this Act in the course of his fulfilment of any of the obligations stipulated in Sections 5, 6, 7, 10, or processes or processed personal data contrary to Sections 5, 6, 7, 10.
(2) The Office may impose a fine in the amount from SKK 50,000 to SKK 5,000,000 to the controller or the processor who
- Transferred personal data to third countries contrary to Section 23, or processes or processed personal data contrary to any of the conditions stipulated in Section 23, Section 23a Paragraphs 2, 3, or failed to fulfil any of the obligations stipulated in Section 23, Section 23a Paragraphs 2, 3.
Please refer to the Office for Personal Data Protection for the Slovak Republic website for further details on the Statute