Act on Personal Data Protection

Act No. 428/2002 Coll. on Protection of Personal Data

The new Act on Personal Data Protection replaces the existing Act No. 52/1998 Coll. on Protection of Personal Data in Information Systems. The new act reflects requirements contained in documents of the European Union and the Council of Europe. The whole field is assigned to a single authority - the Personal Data Protection Office (the ``Office'').

The aim of the act is to protect fundamental rights and freedoms of persons in the area of processing of personal data, to set out rules of data processing, responsibilities for safe processing, conditions of cross-border transmission of data, registration and record keeping of information systems and rights of concerned persons.

The act applies to any legal or physical persons processing personal data or deciding on the method and purpose of processing, with exceptions stipulated in the act. Application of the previous legal regulation caused difficulties in determination to which entities and in which cases this regulation applies, since many entities felt not to be bound by the act.

Personal data is defined as data concerning an identified or identifiable physical person, meaning a person identifiable directly, or through generally applicable identificators (e.g. a birth number), or through one or more characteristic signs, forming the person's physical, physiological, psychical, mental, economical, cultural or social identity. Personal data may be processed only by an operator - an entity determining the purpose and method of processing, or an intermediary - an entity processing data in the name of the operator. These entities must have their registered seats or places of residence in the territory of the Slovak Republic.

It is permitted to process only such personal data, extent and content of which correspond to the purpose of their processing. The method of processing and use of personal data must also correspond to the purpose of processing. Further processing for historical, statistical and scientific purposes is permitted.

Personal data may be processed only with a consent of the concerned person. The operator proves such consent by information on who gave the consent, to whom it was given, for what purpose, list of provided personal data, time period for which the consent was granted and conditions of its withdrawal. The act stipulates the cases, in which the consent is not required:

1. processing for scientific, historical, artistic or literary purposes or for purposes of informing the public through mass media, if the processing is conducted by an authorised entity,
2. processing for statistical purposes with anonymous personal data,
3. processing necessary for protection of vital interests of the concerned person, who does not have legal capacity or is physically unable to consent, provided that the consent cannot be obtained from the trustee,
4. only the degree, name, surname and address is processed without a possibility to attach other personal data and such data are used exclusively for purposes of postal services of the operator and for record of such data; in case of direct marketing conducted by the operator, personal data may be provided to another operator only if not made public or available to other persons, exclusively for purposes of direct marketing and the concerned person does not raise an objection, or
5. personal data already published is being processed; such data must be adequately indicated.

The act defines special categories of personal data subject to a strict regime. It is forbidden to process personal data on racial or ethnic origin, political opinions, religion or atheism, membership in political parties or trade unions, health or sexual life. This restriction does not apply if the concerned person agreed with the use or in cases stipulated by law. The birth number of a physical person (as stipulated by the Act No. 301/1995 Coll. on Birth Number) may be used for processing only if its use is necessary for the purpose of processing. Restrictions apply also to use of biometric data (fingerprints, DNA) and psychological data.

A person authorised by an operator or intermediary to collect personal data is obliged to inform the concerned person about his/her identity, the operator, purpose of processing, form of publishing and countries where the data will be used.

An operator who collects personal data for purpose of identification of persons entering its premises is entitled to request name, surname, degree, ID card or passport number, citizenship and proof of this data by an identification document.

Copying, scanning or similar recording of official identification documents for purpose of collection of personal data necessary for purpose of processing is permitted only with a written consent of the concerned person or if a special law expressly permits it without the concerned person's consent. The consent may not be enforced or conditioned by threat of refusal of contractual relationship, services, goods or a duty stipulated by law.

Premises open to the public may be monitored by a video or audio surveillance system only for purposes of keeping public order and security, detecting criminal activities or state security. Monitoring of premises has to be indicated.

The use of personal data for purposes of direct marketing is subject to special restrictions. The operator has to inform the concerned person during their first contact about the right to object in writing against the use of data in a postal contact. These operators and other persons receiving the personal data, have to keep a list of provided personal data with indication of date of submission and a possible ban of further submission.

An operator is obliged to destroy personal data once the purpose of processing has been fulfilled, or if the concerned person has filed an objection or refused to grant a consent, or the personal data may not be corrected or supplemented to make them true and up-to-date. Personal data further used for archival purposes are not subject to liquidation.

An information system connected with a public computer network, processing special categories of personal data, or containing data processed for state security interests, shall be secured by an approved security project. Its operator is obliged to procure a security audit of the information system conducted by a specialised institution, upon request of the Office.

An operator employing more than five employees is liable to appoint a responsible person, who took a special training, to supervise the protection of personal information.

A concerned person may request in writing from an operator:

1. information on processing of his/her personal data in the information system,
2. the source of personal data,
3. a transcript of personal data being processed,
4. correction of incorrect data or data which is not up-to-date,
5. liquidation of personal data if the purpose of processing has been achieved, and return of official identification documents used for personal data processing,
6. liquidation of personal data if processed in breach of law.

Transfer of personal data to foreign countries (cross-border flow of personal data), is permitted under the condition of informing the concerned person and adequacy of personal data protection in the target country. It is not necessary to inform the concerned person if data are transferred within the organisational structure of an operator, and if data is transferred based on an international treaty or special law. Transfers to European Union member states will be not regulated as cross-border flow of personal data as from the day of accession to the European Communities and the European Union. The act stipulates conditions for transfers to countries not securing adequate personal data protection. In case of doubt on issues of cross-border data flow, the Office is entitled to decide.

Compared with the previous legal regulation, the number of operators liable to register their information systems has been markedly reduced. Until now, most of the systems had to be registered. Only the following information systems need to be registered by the Office under the new act:

1.

processing special categories of personal data,

2.

processing personal data for purpose of cross-border flow, or

3.

in which the data are processed by an intermediary.

Information systems not subject to registration by the Office, require internal record keeping by their operator. Such records shall contain the same information range as required for registration by the Office. The record keeping duty does not apply to information systems used for postal services or for record keeping of persons entering certain premises. Both the registration and the records have to be publicly available.

The newly established Office replaces the current Personal Data Protection Commissioner. The Office is a budgetary organisation connected with the Office of the Government. It is headed by the chairman, whose deputy is the deputy chairman. The supervisory activities are procured by inspectors, headed by the chief inspector.

The Office supervises compliance with the act and resolves petitions of individuals and legal persons. In case of breach of law, it calls for immediate blocking of personal data or orders suspension of certain activity breaching the duties under the law, performance of measures necessary to remedy certain shortcomings or to secure rights and interests of concerned persons, within a set time period. The chairman decides about objections raised against the Office's decisions. Final decisions may be reviewed in the administrative judiciary.

For breach of this act, the Office may levy a fine up to SKK 10 million. In case of a serious breach, the chairman may publish the name, seat or residence of operator or intermediary and characterise the breach committed in the area of personal data protection.

This Act became effective from 1 September 2002.

---

Next: Other significant legal regulations
Up: July 2002
Previous: Amendment to Commercial Code