Slovakia - Data Breach Guide


1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?

Yes, there is a legal obligation to notify both affected individuals and the regulator acting as data protection authority, the Office for Personal Data Protection of the Slovak Republic.

1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

1.2.1 What types of data must be breached to trigger notification?

It must be personal data whose breach may lead to a risk or a high risk to the rights of the natural person.

1.2.2 Obligations of data controllers and data processors

Notification must be given if personal data have been breached in the course of processing that takes place:

• in the course of the activity of a data controller or data processor whose registered office, place of business, branch, establishment or permanent residence is in the territory of the Slovak Republic, regardless of whether the personal data are processed in or outside the territory of the Slovak Republic;
• as part of the activity of a data controller or data processor whose registered office, place of business, organizational unit, establishment or permanent residence is not in the territory of the Slovak Republic, but is in a place where the law of the Slovak Republic applies under public international law;
• in respect of a data subject (any natural person whose personal data are processed) located in the territory of the Slovak Republic, by a data controller or data processor whose registered office, place of business, organizational unit, establishment or permanent residence is not in a Member State, where the processing of personal data is related to the offer of goods or services to the data subject in the territory of the Slovak Republic, regardless of whether the data subject is required to pay, or to the monitoring of the data subject's behaviour in the territory of the Slovak Republic.

If the personal data breach is unlikely to lead to a risk to the rights of the natural person, the controller is not obliged to notify the Office for Personal Data Protection of the Slovak Republic.

The controller shall notify the data subject without undue delay if such a personal data breach may lead to a high risk to the rights of the natural person.

Such a high risk exists, for example, where automated data processing and profiling mechanisms are used to assess individuals, where a publicly accessible location is monitored to a large extent (e.g. by a camera system), or where special categories of data (e.g. health data) or personal data relating to criminal convictions and offences are processed to a large extent.

1.2.3 Exceptions to the obligation to notify the data subject

Notification of the data subject is not required if the data controller has taken appropriate technical and organizational protection measures and applied them to the personal data affected by the breach, in particular encryption or other measures that render the personal data unintelligible to persons who are not authorized to access them. Nor is notification required if the data controller has taken subsequent measures which ensure that the high risk to the data subject's rights is no longer likely to materialise. Notification is also not required if it would involve disproportionate effort; in that case the data controller shall instead inform the public or take other action to ensure that the persons concerned are informed in an equally effective manner.

1.2.4 Powers of the Office

If the data controller has not yet notified the data breach to the data subject, the Office for Personal Data Protection of the Slovak Republic may, after considering the likelihood that the personal data breach results in a high risk, require it to do so or may decide that one of the conditions set out above is met.

1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?

1.3.1 Content of the notice

The notification shall include in particular:

• a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• the contact details of the responsible person (data protection officer) or other contact point where more information can be obtained;
• a description of the likely consequences of the personal data breach;
• a description of the measures taken or proposed by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

1.3.2 Time period in which notice must be given

The controller is obliged to notify the Office for Personal Data Protection of the Slovak Republic of the personal data breach within 72 hours after having become aware of it.

The processor is obliged to notify the data controller of the personal data breach without undue delay after having become aware of it.

1.3.3 Method of giving notice

The Office for Personal Data Protection allows several methods of giving notice:

• At the address of the Office:
Úrad na ochranu osobných údajov Slovenskej republiky
Hraničná 12, 820 07 Bratislava
Slovak Republic
• In person at the Office for Personal Data Protection, on working days from 9.00 to 12.00

1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?

The Office for Personal Data Protection of the Slovak Republic may impose a fine of up to EUR 10,000,000 on the controller or processor or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The Office for Personal Data Protection of the Slovak Republic may impose additional remedies, such as ordering the supervised entity to stop processing personal data.

Any person who has suffered material or non-material damage as a result of a breach of Act no. 18/2018 Coll. on the protection of personal data and on amendments to certain laws has the right to compensation from the data controller or data processor.

1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?

Not applicable.

1.6 What are the applicable (data protection) laws or guidelines within your country?

At European level, the protection of individuals' personal data is regulated as follows:

Primary law:

• Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
• Treaty on European Union, Articles 6 and 39
• Treaty on the Functioning of the European Union, Article 16
• Charter of Fundamental Rights of the European Union, Article 8

Secondary law:

• Directive (EU) 2016/680 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offences, and repealing Council Framework Decision 2008/977/JHA
• Regulation (EU) 2018/1725 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC

National legislation:

At the level of the Slovak Republic, the protection of personal data of natural persons is regulated by:

• Act no. 18/2018 Coll. on the protection of personal data and on amendments to certain laws
• Decree of the Office for Personal Data Protection of the Slovak Republic no. 158/2018 Coll. on the impact assessment procedure for the protection of personal data

1.7 Contact information for the local Data Protection Authority:

Name: Office for Personal Data Protection of the Slovak Republic
Address: Hraničná 12, 820 07 Bratislava 27, Slovak Republic
Telephone: +421 2 32313214
Fax: +421 2 32313234
E-mail: statny.dozor@pdp.gov.sk
Website: https://dataprotection.gov.sk/uoou/en

For more information, contact:

Name: Peter Šimo or Pavel Straka
Address: Staromestská 3, 811 03 Bratislava, Slovakia
Firm: CMS Reich-Rohrwig Hainz s.r.o.
Telephone: +421 2 3214 1431
Fax: +421 2 3214 1411
Email: peter.simo@cms-rrh.com / pavel.straka@cms-rrh.com
Website: https://cms.law/en/svk/