I. Legal framework
Constitutional privacy and data protection framework
Slovakia's 1992 Constitution provides for privacy, data protection, and secrecy of communications. Article 16 states, "(1) The inviolability of the person and its privacy is guaranteed. It can be limited only in cases defined by law." Article 19 states, "(1) Everyone has the right to the preservation of his human dignity, personal honour and good reputation, and the protection of his name. (2) Everyone has the right to protection against unwarranted interference in his private and family life. (3) Everyone has the right to protection against the unwarranted collection, publication, or other illicit use of his personal data." Article 22 states, "(1) The privacy of correspondence and secrecy of mailed messages and other written documents and the protection of personal data are guaranteed. (2) One must not violate the privacy of correspondence and the secrecy of other written documents and records, whether they are kept in private or sent by mail or in another way, with the exception of cases to be set out in a law. Equally guaranteed is the secrecy of messages conveyed by telephone, telegraph, or other similar means."1
Privacy and data protection laws and regulations
The Personal Data Protection Act No. 428/2002 Coll. (PDPA) repealed the Act No. 52/1998 Coll. on Protection of Personal Data in Filing systems.2 The PDPA brings Slovak data protection into line with the European Parliament and Council Directive 1995/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.3
Amendments to the PDPA over the years have brought Slovakia's data protection scheme into compliance with the EU Directive. The PDPA limits the collection, disclosure, and use of personal information by government agencies and private enterprises either in electronic or manual form. In addition to establishing the Office for Personal Data Protection of the Slovak Republic (OPDP), the amendments provided data subjects with the right to obtain a copy of their data from the controller.4 The last material amendment of the PDPA was carried out in 2005 by Act No. 90/2005 Coll.
The PDPA imposes duties of access, accuracy and correction, security, and confidentiality on the data processor. Processing information on race, ethnicity, political opinions, religion, philosophical beliefs, trade union membership, health, and sexuality is forbidden. Special protections are provided for sensitive data, defined as: (i) data revealing "racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and data concerning health or sex life and conviction"; (ii) identifier of general application, i.e., personal birth number; (iii) biometric data; (iv) data on physical identity; and (v) data on violations of criminal law, civil law, misdemeanours, and their enforcement.5
Information systems must be registered with the OPDP unless certain exemptions apply, such as oversight carried out over the information system by responsible personal data protection officials appointed by the controller.6 Moreover, the law imposes new duties on controllers, who are meant to ensure better protection of personal data and to put in place safeguards to mitigate the risk of processing infringing personal data.
Currently, the OPDP is preparing a further amendment to the PDPA which would reflect, in particular, the adoption of the Council Framework Decision 2008/977/JHA of 27 November 2008 on personal data protection processed within the framework of the police and judicial cooperation in criminal matters. The draft amendment will be submitted to the Slovak government in October 2010.7
In addition to the provisions established by the PDPA, other Slovak laws specify norms for data processing in particular sectors like healthcare as well as in the employment and banking sectors. These laws represent an extension of the fundamental rules laid down in the PDPA.
In the areas of processing, providing, and making available a patient's medical documentation, a complex sector-based regulation is laid down in the 2004 Act No. 576/2004 Coll. on Healthcare as amended.
Workplace privacy was introduced in September 2007 by way of an amendment to the Labour Code. Unfortunately, the regulation was formulated only as a set of principles and rather succinctly, allowing a variety of interpretations. Court decisions in workplace privacy matters are yet to come.
Privacy in telecommunications and Internet communications follows from the general principles laid down in the PDPA, and is further specified in the Act No. 610/2003 Coll. on Electronic Communications,8 in particular with regard to data which constitute telecommunications secrets, inter alia, localisation and operational data. The Act on Electronic Communications also defines the limits for direct marketing.
Data protection authority
The 2002 Act created the OPDP, headed by the President, to supervise and enforce the Act. The OPDP and its President replaced the Commissioner and his Inspection Unit of Personal Data Protection. The President, currently Mr. Gyula Veszelei, is elected by the National Council for a five-year term and may be re-elected for at most two consecutive terms. The OPDP's budgetary independence was formally strengthened by a minor amendment to the PDPA, effective as of January 2009, which transferred responsibility for the OPDP's budgetary programme from the Government Office of the Slovak Republic to the General Treasury Administration.9
The OPDP monitors the implementation of the law, reviews registered systems, inspects the processing of personal data in information systems, receives and handles complaints concerning the violation of personal data protection in information systems, initiates corrective actions whenever a breach of legal obligations is discovered, and participates in the preparation of generally binding regulations in the field of personal data. In 2007 and 2008, legislation provided the OPDP with more than 67 principal annotations to legislative acts concerning issues of personal data protection.10 The OPDP is required to file a biannual report on the status of data protection with the National Council.11
The activities of the OPDP's Inspection Unit are mainly focused on examining the filing systems of controllers and processors, as well as handling notifications of data subjects and other individuals claiming to have had their rights directly affected. In specific situations, the PDPA permits the OPDP to publish or issue binding statements (measures) as well as to impose sanctions, including fines for violating provisions of the Act.
By August 2010, the OPDP had registered 40,900 appointment notifications of personal data protection officials responsible for internal enforcement. The OPDP also maintains a register of 230 regular filing systems and 60 filing systems which are subject to a special registration requirement (e.g., because they contain biometric data).12
In 2009 the Office issued eight approvals for the cross-border flow of personal data to countries which do not provide an adequate level of data protection (three approvals were issued in 2008); the subject of these flows was mainly personal data concerning employees and clients of international corporations.13
In 2009 the OPDP initiated 272 proceedings compared to 252 in 2008. The OPDP's Inspection Unit, acting in conjunction with the complaint investigation subdivision, conducted 107 inspections and issued 72 "submissions to explanations" to be carried out by the controllers and processors of filing systems. Altogether, 161 "orders" were issued for the removal of deficiencies that were discovered by these inspections. This represents an increase of 120 percent compared to 2008.14
The OPDP received several complaints about fraud, faked contracts, and identity theft resulting in credit/debit card fraud. Many banks and private sector entities are instituting biometric authentication/verification in order to combat some of these abuses. However, consent to use biometric data is only required under the PDPA if said data falls under the PDPA's definition of personal data. There are no biometric-specific rules on collecting, using, or disclosing this data.15
The OPDP also organises numerous seminars and consultation sessions concerning the recent amendments to the PDPA, and has also presented several lectures and launched a new website. The OPDP is also active in organising public discussions such as the press discussion that took place on 28 January 2010, "Can we protect personal data for the sake of our privacy and safety of our children?"16
The OPDP also conducted a survey of data protection awareness. According to the last survey, carried out in February 2009 and conducted through the Opinion Research Institute of the Statistical Office of the Slovak Republic, the awareness of all categories of citizens' personal data protection rights increased by 5 percent between February 2007 and February 2009, and – all together – rose by 36 percent between November 1999 and February 2009. The poll showed that the biggest concern of most of the respondents was the misuse of their national ID number, followed by health-related data, and data on personal assets.17
The OPDP cooperates closely with the data protection authorities in other Central and Eastern European countries. In December 2001, the Data Protection Commissioners from the Czech Republic, Hungary, Lithuania, Slovakia, Estonia, Latvia, and Poland signed a joint declaration agreeing to provide closer cooperation and assistance. The Commissioners agreed to meet twice a year in the future so as to provide each other with regular updates and overviews of developments in their countries, and to establish a common website for more effective communication.18
The OPDP is active in developing and maintaining contacts within the partnerships with Central and Eastern European personal data protection authorities, e.g., by means of the annual Central and Eastern European Commissioners Conference.
The OPDP also maintains active bilateral cooperation, in particular with its sector partners in the Czech Republic, Poland, and Romania. A thorough exchange of the best practices on mass media policies, awareness raising, and opportunities for cooperation with the Office of Personal Data Protection of the Czech Republic took place in Bratislava in October 2009.19
Major privacy and data protection case law
In situations that are not regulated by detailed provisions of the Acts,20 the public administration has the discretion to interpret and apply general legal terms such as "privacy" or "honour" in conformity with the Constitution, and thus may consider that the right to privacy is in certain cases constrained by the right to information. The obligation of the public administration to consider Constitutional principles21 was recognised by the Slovak Constitutional Court in the ruling II. ÚS 44/00, which held that making a film record of policemen performing their official duties is not an invasion of their right to privacy and should be allowed.22
Another serious problem arises when information about official duties (performed within public administrative bodies or institutions' public functions) is considered personal data. This information is often withheld. For instance, the Ministry of Foreign Affairs refused to provide information about the names and functions of its employees in order, it said, to protect their personal data. Two legal actions have been brought against the Ministry in the regional court in Bratislava in this connection, but neither has been decided yet.23 At the end of 2004, the Cabinet approved rewards for high state officials. However, when journalists asked the Cabinet to disclose the amounts of these rewards, or specific sums and persons' names, the Cabinet responded that this information could not be disclosed on data protection grounds.24
In 2005, the OPDP issued an order requiring the state administrative authority to terminate the disclosure of national identification numbers ("birth numbers") on the website of the Official Journal. The authority was also instructed to remove previously published birth numbers from its website. However, the authority filed a petition with a court, requesting the reversal of the OPDP's decision. The court dismissed the claim, arguing that the decision was based on appropriate grounds, and was in line with the competence granted to the OPDP by law. The law explicitly prohibits the disclosure of an "identifier of a general application", such as birth numbers.25 In a similar case in 2006 involving the publication of birth numbers, the OPDP ordered that all birth numbers be removed from the website of the Commercial Bulletin or made unreadable. The Ministry of Justice of the Slovak Republic challenged this decision in court. The court dismissed the Ministry's claim and confirmed the OPDP's order at the end of January 2008.26
In another case, a natural person sued the OPDP for not issuing legal sanctions against a newspaper publishing company that enabled the publication of the plaintiff's personal data on its website without the person's knowledge (the website allowed anyone to publish their opinions). The petitioner claimed that an unknown person had posted his personal data, including his name, surname, and address, on the website, and therefore claimed that his rights as stipulated in the Act had been violated. However, the petitioner himself had previously repeatedly published his personal data on other websites. In November 2004, the regional court ruled that the OPDP's procedure was in line with the Act. The petitioner appealed against the judgment and in May 2007, the Supreme Court fully confirmed the regional court's verdict.
- 1. Act No. 460 of 1 September 1992, Constitution of the Slovak Republic (1 September 1992), available in English at http://www.slovakia.org/sk-constitution.htm.
- 2. Act No. 428/2002 Coll. on Protection of Personal Data (PDPA), as amended by Act No. 602/2003 Coll., Act No. 576/2004 Coll., Act No. 90/2005 Coll. and Act No. 583/2008 Coll., available in English at http://www.dataprotection.gov.sk/buxus/docs/act_428_2002_01_09.pdf.
- 3. OJ L 281, 23 November 1995, at 31–50, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:E....
- 4. Id.
- 5. Id.
- 6. Id.
- 7. 13th Annual Report of the Article 29 Working Party on Data Protection, July 2010. With the exception of the cited document (not yet available on-line), all the Annual reports of Art. 29 WP are available at http://ec.europa.eu/justice/policies/privacy/workinggroup/annual_reports....
- 8. Act No. 610/2003 Coll. on Electronic Communications, available at http://www.telecom.gov.sk/index/open_file.php?file=telekom/legsr/Act_on_....
- 9. 12th Annual Report of Article 29 Working Party on Data Protection, June 2009.
- 10. OPDP's Report on Status of Personal Data Protection 2007 – 2008, June 2009.
- 11. Act No. 428/2002 Coll. on Protection of Personal Data (PDPA), supra.
- 12. Email from Mr. Kudoláni of OPDP, 13 August 2010.
- 13. 13th Annual Report of Article 29 Working Party on Data Protection, supra.
- 14. Id.
- 15. 9th Annual Report of Article 29 Working Party on Data Protection, June 2006.
- 16. Press release, 28 January 2010, available in Slovak at http://www.dataprotection.gov.sk/buxus/docs/Tlacova_sprava_28012010.pdf.
- 17. OPDP's Report on Status of Personal Data Protection 2007 – 2008, supra.
- 18. Website of Central and Eastern Europe Data Protection Authorities http://www.ceecprivacy.org.
- 19. 13th Annual Report of the Article 29 Working Party on Data Protection, supra.
- 20. In instances where general legal terms such as "privacy" or "honor" are applied – for example, under Section 11 of the Slovak Civil Code "A natural person has a right to the protection of his personality, honor, dignity, privacy, name, and personal expressions."
- 21. For example, the principle stated in Article 152 paragraph 4 of the Constitution, according to which all laws shall be interpreted and applied in conformity with the Constitution.
- 22. Slovak Constitutional Court, judgment II. ÚS 44/00, in Slovak at http://www.concourt.sk/Zbierka/2001/10_01s.pdf.
- 23. These are pending cases and have not yet been decided; ref Nos. 1S 64/05 and 2S 94/05.
- 24. PRAVDA, 10 December 2004, available in Slovak at http://spravy.pravda.sk/sk_domace.asp?r=sk_domace&c=A041209_183102_sk_do....
- 25. 12th Annual Report of the Article 29 Working Party on Data Protection, supra.
- 26. 11th Annual Report of the Article 29 Working Party on Data Protection, supra.