
III. Privacy topics

Internet and consumer privacy

E-commerce

Unsolicited commercial emails (so-called "spam" emails) fall within the scope of Act No. 147/2001 Coll. on Advertising and, in particular, Act No. 610/2003 Coll. on Electronic Communications, adopted in 2003.1 In February 2006, the latter was supplemented with new provisions regulating cookies and unsolicited communications in order to fully implement EU Directive 2002/58/EC.2

The regulation is based on the "opt-in" principle, with an exception, granted in compliance with Article 13 of the Directive on privacy and electronic communications,3 for direct marketing by a legal or natural person based upon the use of electronic contact details of its customers obtained within the context of a previous sale of its own similar products or services. The customers must be given the opportunity to object, free of charge and in a simple manner, to such use of electronic contact details at any time. The Act on Electronic Communications prohibits sending commercial emails that conceal the identity of the sender on whose behalf the communication is made, or without a valid address to which the recipient may send a request that such communications cease.4

According to the Act on Electronic Communications, a violation of the provisions concerning direct marketing in respect of unsolicited commercial emails may be sanctioned by the Telecommunications Regulatory Authority of the Slovak Republic with a fine of up to €33,000.

Cybersecurity

No specific information has been provided under this section.

Online behavioural marketing and search engine privacy

No specific information has been provided under this section.

Online social networks and virtual communities

No specific information has been provided under this section.

Online youth safety

As part of the above-mentioned project, www.zodpovedne.sk, two websites were created: www.stopline.sk, which is aimed at reporting illegal content and activities on the Internet with particular emphasis on the protection of children and youth; and www.pomoc.sk ("help"), which is an integrated helpline (it offers consultations via telephone, chat, and email) providing counselling via Internet, mobile communications, and new technologies. Moreover, a weekly TV show, Cookie.sk, was featured on public television as a part of the project. While the TV show was aimed primarily at youth, children were addressed by a series of cartoons and a related website, ovce.sk ("sheep"). Besides that, textbooks and workbooks for primary and secondary schools were distributed and the project was promoted via posters, leaflets, brochures, radio broadcasts, workshops in regional cities, round-tables for local authorities, seminars for parents and children, and summer computer courses.

Workplace privacy

Protection of employee privacy is one of the main tenets of the Slovak Labour Code. According to Article 11 of the "General Principles" section of the Labour Code, employers can only collect personal data that relates to the qualifications and professional experience of employees and data that may be relevant to the work carried out by employees. In addition, employees' consent to the collection and processing of their personal data is required and they must be informed of the purpose of collecting and processing the data. Employers are allowed to use the data only for the purpose that was notified to employees.5

The protection of employee privacy starts even before the establishment of the employment relationship, i.e., during and after the job interview. According to Article 41 of the Labour Code, employers are only allowed to request information from first-time job applicants and then only information that relates to the work to be performed. Job applicants who have been employed before may also be asked to provide the new employer with a work report as well as a confirmation of employment. Employers must not request information about the job applicant's pregnancy, family relationships, integrity (except for work where the candidate's integrity is required by law or by nature of the work), political or religious affiliation, or union membership.6

Furthermore, employers shall not, without serious grounds based on the specific nature of the employer's activities, interfere with employees' privacy in the workplace by monitoring them without notification or by inspecting private mail addressed to them. If employers have adopted a control mechanism, they are obliged to inform employees about the extent and methods of the control.7

Health and genetic privacy

Medical records

Processing, providing, and making available a patient's medical records is regulated primarily in the 2004 Act on Healthcare. The medical records shall be processed by the general practitioner and, to the extent necessary, also by a specialist. The Act comprehensively stipulates cases where the doctor shall provide an excerpt from the medical records, and also cases where the doctor may grant access to the medical records (e.g., relatives, insurance company's review doctor), as well as the extent to which the access shall be granted.

This regulation also governs the duties of healthcare providers (e.g., doctors, pharmacists, nurses, etc.) to provide personal data to the national filing systems, such as the National Health Register, which contains personal data of patients suffering from selected health problems/diseases, e.g., diabetes, cancer, etc. The controller of the National Health Registries is the National Health Information Centre. Only the statistical data summarising the incidence of a disease can be publicly disclosed, but in no case may the data relating to individual patients be divulged. Each individual's data in the register are treated as medical records under the Act on Healthcare.

Genetic identification

No specific information has been provided under this section.

Financial privacy

Under Act No. 483/2001 Coll. on Banks, banks are obliged to request their clients to prove their identity when carrying out any transaction, except for certain transactions under €2,000, and clients are obliged to comply with such a request. Identity may be proved by showing the national identity card (občiansky preukaz), or by providing a signature in cases where the client is known to the bank and the signature is identical to the specimen signature in the bank's records. However, clients are required to present a national identity card when giving a signature specimen.8

All client information and documents that are not publicly available and that relate to the clients' businesses, account(s), and balances are protected by banking secrecy. The bank shall keep this information confidential and protect it against disclosure, misuse, damage, destruction, loss, or theft. Information subject to banking secrecy may only be disclosed to third persons with the client's prior written consent or written instruction, except where there is a statutory obligation requiring the bank to disclose the information to public authorities such as the National Bank of Slovakia, law enforcement agencies, tax and customs authorities, Slovak Intelligence Service, etc., upon their written request. Clients are entitled to request information as to what personal data relating to them are kept in the bank's database. Any unlawful or intentional disclosure of banking secrets is considered a crime under the Criminal Code and may be sanctioned with a term of imprisonment from six months to three years.9

In 2007, the European Commission Directorate-General for Justice, Freedom, and Security Data Protection Unit asked the OPDP for cooperation in the investigation of the "SWIFT case". Among other things, it asked for the official opinion of the OPDP on the status of measures taken by the banks in respect of the legal obligation to inform their clients about the processing of the personal data collected for the purpose of bank payments carried out via SWIFT (Society for Worldwide Interbank Financial Telecommunication). The Chief Inspector of the OPDP appealed by letter to 24 banking institutions, asking them to carry out a complex revision of their duties relating to trans-border payments performed via SWIFT, focusing on evaluating whether the processing of personal data caused any violation of the rights and freedoms of their respective clients; the National Bank of Slovakia was also included. When collecting, processing and subsequently transferring the personal data across borders, each bank is obliged to give its clients sufficient information about the conditions of their personal data's processing. The OPDP asked the banking institutions to provide a comprehensive and complete position on their own particular measures and mechanisms that either had been or would be executed in order to comply with the statutory requirements. If a banking institution did not take the relevant measures, it was obliged to specify which mechanisms and particular measures would be executed. Using these findings, the Section of Inspection of the OPDP formulated the information that was sent by the President of the OPDP to the European Commission on 14 May 2007. By the end of August 2007, the questionnaire concerning fulfilment of the obligation to inform respective bank clients about international payment transfers performed by SWIFT had been sent to the EC.10

The obligation of clients to provide their personal data upon a trader's request is stipulated in the Act No. 566/2001 Coll. on Securities. Securities traders are allowed to make photocopies of clients' personal identification cards for the purpose of obtaining their personal data. Without the clients' consent, traders may only disclose the obtained personal information to statutory prescribed entities (state authorities) and only for statutorily prescribed purposes.11

Footnotes