As a member state of the European Union, the Slovak Republic has been following EU policies on data protection for the last ten years, in particular Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
The new Slovak Act on Personal Data Protection (Act No. 122/2013 Coll.) replaced Act No. 428/2002 Coll. on the Protection of Personal Data. The main aim was a thorough transposition of the aforementioned Directive. Apart from accepting and implementing almost all of the optional obligations within the Directive, Slovak lawmakers adopted a few extra ones, resulting in many uncertainties and disproportionate administrative burdens for entrepreneurs.
The new Act on Personal Data Protection brought some major changes regarding the obligations of entrepreneurs (controllers) for processing personal data. These new obligations had to be met within various relatively short periods set by the transitional provisions of the Act on Personal Data Protection.
Among the obligations were a special registration and registration of filing systems, both subject to administrative fees. These fees, together with a requirement to appoint a data protection officer, had a negative effect on small and medium enterprises which had more than 20 persons entitled to process personal data. Also criticized were the newly-introduced obligations to keep written records of instructions of the entitled persons and the harmonization of controllers’ contractual relationships with entities processing the personal data on their behalf.
The new Act also expanded the scope of the information which the controller is obliged to provide to the data subject before receiving its personal data, and introduced complications regarding the processing of biometric data and the monitoring of the premises accessible to the public. It also redefined the obligation of the controller to record security measures taken in the form of a “Security Project” or a “Security Directive” according to the accessibility and content of the filing system. The Act obliged the Office for Personal Data Protection to impose a fine on a controlled subject when any deficiencies are found, and increased the maximum extent of those fines.
In response to widespread criticism from entrepreneurs, employers and the general public, Slovak lawmakers were forced to introduce an amendment to the Act on Personal Data Protection which attempts to soften and alter some of the more contentious obligations. Changes include making the requirement to appoint a data protection officer optional, and replacing the obligation to register filing systems (but not the special registration) with an obligation to notify, which is not subject to an administrative fee. The amendment further removed the necessity to record the security measures by an internal security directive. There were also some changes concerning the processor’s obligations, extension of rights of the employers, a softening of the obligation to impose a fine, and a reduction in the limits of the fines.
Even after adoption of these changes in April 2014, it is still questionable whether there was a need for a new law at all. In January 2012, plans were announced by Viviane Reding (European Commission Vice President and EU Commissioner responsible for Justice, Fundamental Rights and Citizenship) which included a new legal framework for the protection of personal data. The ambition of such changes is to harmonize all the rules for more than 490 million European citizens and a large number of legal entities throughout the European Union.
The concerns about the necessity of the newly adopted Slovak law are also underlined by the fact that the upcoming EU harmonization will probably be managed by a Regulation [Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to processing of personal data and on the free movement of such data (General Data Protection Regulation)] rather than a Directive. In general, a Regulation is a legal act that is binding for the member states and applied directly in its entirety across the European Union, whilst a Directive represents a legal act that sets out a goal that all the European Union countries must achieve, though it is up to the individual member states to decide how they will do so.
The Slovak Office for Personal Data Protection supports the need to protect personal data by the aforementioned Regulation as soon as possible. Therefore, even a year after the new Act on Personal Data Protection was introduced, it is still unclear whether it was really necessary.
Leo Vojčík, Managing Partner, Vojčík & Partners
Martin Hamřík, Lawyer, Vojčík & Partners