6 July 2014 – Since its adoption, Slovak Act No. 122/2013 Coll. on Personal Data Protection (the “Act”) has been heavily criticized by business entities (the Act came into force on July 1, 2013). In its original wording, the Act went beyond the requirements of the EU Data Protection Directive and was generally considered too burdensome and bureaucratic. An official of an association of Slovak employers even dubbed the Act the “administrative nonsense of the decade”. Following this criticism, the Slovak government decided to amend the Act (the “Amendment”), taking into account the requirements of the involved parties. The Amendment, after it was adopted by the Slovak parliament, came into force on April 15, 2014. Some of the key changes to the Act resulting from the Amendment are as follows:

Data Protection Officer

One of the most significant changes brought about by the Amendment is the abolishment of the obligation of data controllers that process personal data through 20 or more authorized persons (i.e., natural persons who come into contact with personal data in the course of their employment and who process personal data) to appoint in writing one or more data protection officers to oversee compliance with the relevant regulations in the course of personal data processing. Under the amended Act, the appointment of a data protection officer is voluntary, and the data controller may appoint a data protection officer regardless of the number of authorized persons. However, if the data controller does not appoint a data protection officer, it is obliged to notify the Office for Personal Data Protection of the Slovak Republic (the “Office”) of its information systems to which the notification requirement under the Act applies.

Under the amended Act, a data protection officer may now be a natural person who is a statutory body of the data controller or a member of the statutory body of the data controller, or a natural person who is authorized to act on behalf of such persons. The Amendment has also abolished the obligation of the data protection officer to notify the Office of any violation of the rights and freedoms of data subjects or of a breach of statutory provisions in the course of processing of personal data if the data controller did not remedy the situation without undue delay.

Authorized Persons

The Amendment has changed the definition of authorized persons in Section 4(2)(e) of the Act. Under the amended Act, an authorized person is any natural person who comes into contact with personal data in the course of his/her employment (in a broader sense). Thus, the new definition also includes persons who perform work on the basis of, e.g., a work performance agreement or a work activity agreement (as opposed to the prior definition, which applied only to regular employees). This change reflects practical needs and reduces the administrative burden on data controllers, as a person who is in an employment relationship (but is not a regular employee) no longer needs a special authorization in order to become an authorized person.

The Amendment has also narrowed down the scope of the instruction of authorized persons. The data controller is required to inform the authorized person of his/her rights and obligations in connection with personal data processing. The instruction must include, in particular, the definition of the scope of his/her authorization, the permitted activities and the conditions of personal data processing. Unlike before, the amended Act does not contain an exhaustive list of the essential elements that a record evidencing the instruction of the authorized person must include. Execution of the record in writing is also no longer required; however, the data controller must be able to credibly prove such a record upon the Office’s request.

Relationship between Data Controller and Data Processor

The data controller was originally required to ensure that its contractual relationship with the data processor is in line with the Act within one year from the effective date of the Act, i.e. by June 30, 2014. The Amendment extended this deadline to two years, i.e. by June 30, 2015. The Amendment has also abolished the obligation of the data processor to notify the data controller in writing of an obvious violation of the law and, subsequently, to notify the Office if the data controller did not remedy the situation without undue delay (in any event, within one month from the delivery of the written notice). Thus, the data processor no longer incurs joint liability with the data controller for the data controller’s violation of the law.

Security Measures Documentation

Since the effective date of the Amendment, data controllers are no longer required to document the adopted security measures in a security policy. However, the obligation to draft a security project in the cases stipulated by the Act (for example, in the case of processing of special categories of personal data in an information system connected to the Internet) remains unchanged.

Notification to Office of Information Systems

Based on the Amendment, the registration requirement concerning information systems has been replaced by a notification requirement. The information systems originally subject to registration are now only to be notified to the Office. Notification of information systems is free of charge. As of September 1, 2014, the notification requirement can be fulfilled using an electronic form which the Office shall publish on its website.

An important change also concerns whistleblowing information systems (reporting of unfair practices in the workplace). These systems are generally no longer subject to special registration, but the data controller is always required to notify the Office of them, regardless of whether or not the data controller has appointed a data protection officer. However, the Office may decide that such an information system is subject to special registration. The conditions of special registration, as well as the respective fee obligation, remain unaffected.

Imposition of Fines

The Amendment has also introduced changes in the field of fines for breach of the statutory obligations in the course of personal data processing. Prior to the Amendment, the Office was obliged to impose a fine whenever it detected a breach of the obligations imposed by the Act. The amended Act gives the Office administrative discretion to decide, in the case of less serious breaches of obligations, whether or not to impose a fine, depending on the circumstances of the case. In the case of the most serious breaches of the Act, however, the obligation of the Office to impose a fine remains unaffected. At the same time, the upper limits of fines have been reduced. Direct liability of the data protection officer and the authorized person for breach of their duties has also been abolished.

Despite the reduction of administrative burdens by the Amendment, the other obligations of the data controller and other subjects in connection with personal data processing remain unchanged. Thus, it is always necessary to be informed of these obligations before the start of personal data processing and to take all necessary steps to meet the statutory obligations, thereby avoiding possible sanctions imposed by the Office.
Tibor Sovcik is a partner in the Slovak law firm Marek & Partners. He holds a master’s degree in business law and taxation from the University of Mannheim School of Law in Mannheim (Germany). Tibor Sovcik’s main focus is on providing legal advice on regulatory matters in various sectors, including banking, telecommunications, pharmaceuticals and military trade. He has also gained broad experience in advising on various issues relating to data privacy and records retention policies. Other areas of his practice include mergers and acquisitions and commercial contracts. He has also advised on employment and labor law issues and various tax-related matters.