COLLECTION OF LAWS
OF THE SLOVAK REPUBLIC
Volume 2018
Announced: 30. 1. 2018

Time version of the regulation effective from: 25. 5. 2018 to: 31. 8. 2019
The content of the document is legally binding.
18
ACT
of 29 November 2017

on Personal Data Protection and on Amendments to Certain Acts

The National Council of the Slovak Republic has resolved on the following Act:
Art. I
FIRST PART
BASIC PROVISIONS
§1
Subject matter
This law regulates
a) protection of the rights of natural persons against unauthorized processing of their personal data,
b) rights, obligations and responsibilities in the processing of personal data of natural persons,
c) the position, competence and organization of the Office for Personal Data Protection of the Slovak Republic
(hereinafter referred to as the "Office").
§2
Personal data are data relating to an identified natural person or an identifiable
natural person who can be identified, directly or indirectly, in particular on the basis of a generally
usable identifier, another identifier, such as name, surname, identification
number, location data,1) or online identifier, or on the basis of one or more
characteristics or traits that make up their physical identity, physiological identity, genetic
identity, psychic identity, mental identity, economic identity, cultural identity or
social identity.
§3
Scope
(1) This Act applies to the processing of personal data carried out in whole or in part by
automated means and to the processing by non-automated
means of personal data which form part of an information system or are intended
to form part of an information system.
(2) This Act, in addition to § 2, § 5, the second and third parts of the Act, applies to the processing
of personal data covered by a special regulation on the protection of individuals with regard to the processing
of personal data and on the free movement of such data.2)

Collection of Laws of the Slovak Republic

18/2018 Coll.

(3) This Act applies to the processing of personal data by the Police Force, the Military Corps
Police, the Prison and Judicial Guard Corps, the Financial Administration, the Prosecutor's Office and the
(hereinafter referred to as the "competent authority") for the purposes of the prevention and detection of criminal offenses, the identification of the perpetrators of
criminal offenses, the prosecution of criminal offenses or for the purpose of the enforcement of decisions in criminal proceedings,
including the protection against and prevention of threats to public policy (hereinafter referred to as
"performance of tasks for the purposes of criminal proceedings"); of the second part of this Act, only the provisions
set out in § 52, § 59, § 67 and § 73 apply to the processing of personal data under the preceding part of
this sentence.
(4) This Act applies to the processing of personal data
(a) in the context of the activity of an operator or intermediary whose registered office, place of business,
organizational unit, establishment or permanent residence is in the territory of the Slovak Republic,
regardless of whether the processing of personal data is carried out in the territory of the Slovak Republic or
outside the territory of the Slovak Republic,
(b) in the context of the activity of an operator or intermediary whose registered office, place of business,
organizational unit, establishment or permanent residence is not in the territory of the Slovak Republic, but is
in a place where, under public international law, the law of the
Slovak Republic is applicable,
c) of a person concerned located in the territory of the Slovak Republic by an operator or
an intermediary whose registered office, place of business, organizational unit, establishment or
permanent residence is not in a Member State, where the processing of personal data is related
1. to the offer of goods or services to this person concerned in the territory of the Slovak Republic,
regardless of whether or not the person concerned is required to pay, or
2. to the monitoring of his or her behavior in the territory of the Slovak Republic.
(5) This Act does not apply to the processing of personal data
a) by a natural person in the course of an exclusively personal or domestic activity,
b) by the Slovak Information Service,3) Military Intelligence,4)
(c) by the National Security Office for the purpose of conducting security checks and for the purposes of
providing documents for the decision of the Judicial Council of the Slovak Republic on compliance with the
preconditions for judicial competence.5)

§4
Free movement of personal data between the Slovak Republic and the Member States is guaranteed;
the Slovak Republic will not restrict or prohibit the transfer of personal data for reasons of protection of the
fundamental rights of natural persons, in particular their right to privacy with regard to the processing of their
personal data.
§5
Definition of basic terms
For the purposes of this Act,
(a) consent of the person concerned means any serious and freely given, specific, informed
and clear expression of the will of the person concerned in the form of a statement or an unambiguous
confirmatory act by which the person concerned consents to the processing of his or her
personal data,
(b) genetic data means personal data relating to the inherited genetic
characteristics of a natural person or acquired genetic characteristics of a natural
person which provide unique information on the physiology or health of that natural person and which
result in particular from the analysis of a biological sample of the natural person concerned,
(c) biometric data means personal data resulting from special technical processing of
personal data relating to the physical characteristics of a natural person,
physiological characteristics of a natural person or behavioral
characteristics of a natural person and which allow the unique identification or
confirm the unique identification of that natural person, in particular an image of the face or
dactyloscopic data,
(d) health data means personal data relating to the physical health or mental
health of a natural person, including information on the provision of health care or services
related to the provision of healthcare, which reveal information about his or her
health status,
(e) processing of personal data means a processing operation or set of processing operations
with personal data or with files of personal data, in particular the acquisition, recording,
organizing, structuring, storing, changing, searching, browsing, using,
providing by transmission, dissemination or otherwise, regrouping or combining,
restriction, deletion, whether or not carried out by automated means
or by non-automated means,
f) restriction of the processing of personal data means the marking of retained personal data for the purpose of
limiting their processing in the future,
(g) profiling means any form of automated processing of personal data consisting of
the use of personal data to evaluate certain personal features or characteristics
relating to a natural person, in particular for the analysis or prediction of features or characteristics of
the person concerned in connection with his or her performance at work, financial situation, health,
personal preferences, interests, reliability, behavior, position or movement,
(h) pseudonymisation means the processing of personal data in such a way that they cannot be attributed
to a particular person concerned without the use of additional information, if such additional
information is kept separately and is subject to technical and organizational measures
ensuring that personal data cannot be attributed to an identified natural person or
an identifiable natural person,
i) log means a record of the course of a user's activity in an automated information system,
j) encryption means the transformation of personal data in such a way that reprocessing is possible
only after entering a selected parameter, such as a key or password,
(k) online identifier means an identifier provided by an application, tool or protocol, in particular an
IP address, cookies, login details for online services, radio frequency identification, which
may leave traces which, in particular in combination with unique identifiers or
other information, may be used to create a profile of the person concerned and to identify him or her,
l) information system means any organized set of personal data that is accessible
according to specified criteria, whether the system is centralized, decentralized
or distributed on a functional or geographical basis,
(m) breach of personal data protection means a breach of security leading to the accidental or
unlawful destruction, loss, alteration or unauthorized provision of transmitted,
stored or otherwise processed personal data, or
unauthorized access to them,
n) "data subject" means any natural person whose personal data are being processed,
(o) "operator" means anyone who alone or jointly with others determines the purpose and means of the
processing of personal data and processes personal data in its own name; the operator
or specific requirements for its designation may be laid down in a special regulation or an
international treaty by which the Slovak Republic is bound, if such a regulation or
treaty sets out the purpose and means of the processing of personal data,
p) intermediary means anyone who processes personal data on behalf of the controller,
(q) "recipient" means anyone to whom personal data are disclosed, whether or not he is a third party;
a public authority which processes personal data on the basis of
a special regulation or an international agreement by which the Slovak Republic is bound,
in accordance with the rules on the protection of personal data applicable to the purpose of the processing of
personal data, is not considered a recipient,
(r) "third party" means any person who is not the person concerned, the operator, the intermediary or
another natural person who, on behalf of the operator or intermediary
processes personal data,
(s) responsible person means a person designated by the operator or intermediary to perform
tasks under this Act,
t) representative means a natural person or legal entity with its registered office, place of business, organizational
unit, establishment or permanent residence in a Member State which the operator or
the intermediary has authorized in writing pursuant to § 35,
u) enterprise means a natural person - an entrepreneur or a legal person carrying out an economic
activity regardless of its legal form, including associations of natural persons or associations of
legal persons which regularly pursue an economic activity,
(v) group of undertakings means a controlling undertaking and the undertakings controlled by it,
(w) principal place of business means
1. the place of central operation of the operator in the European Union, in the case of an operator
with establishments in more than one Member State, unless decisions
on the purposes and means of personal data processing are taken in another establishment of the
operator in the European Union and that other establishment has the power to enforce the implementation of
such decisions, in which case the establishment which took such decisions shall be considered
the principal place of business,
2. the place of central administration of the intermediary in the European Union, in the case of an intermediary
with establishments in more than one Member State, or, if the intermediary does not have a
central administration in the European Union, the establishment of the intermediary in the European Union
in which the main processing activities are carried out in the context of the activities of the
intermediary's establishment, to the extent that the intermediary is subject to specific
obligations under this Act,
(x) the internal data protection procedures which are complied with by an
operator or intermediary with registered office, place of business, organizational unit,
establishment or permanent residence in the territory of the Slovak Republic for the purposes of the transfer of
personal data to an operator or intermediary in a third country,
(y) code of conduct means a set of rules on the protection of the personal data of the data subject with which
the operator or intermediary has undertaken to comply,
(z) international organization means an organization and its subsidiary bodies governed by
public international law, or any other body established by an agreement
between two or more countries or on the basis of such an agreement,
(aa) Member State means a Member State of the European Union or a Contracting Party to the
Agreement on the European Economic Area,
(ab) third country means a country which is not a Member State,
(ac) employee of the Office means an employee in an employment relationship or similar employment relationship
according to a special regulation6) or a civil servant who performs civil service
in civil service according to a special regulation.7)


SECOND PART
GENERAL RULES FOR THE PROTECTION OF PERSONAL DATA OF NATURAL PERSONS IN THEIR
PROCESSING
TITLE ONE
PRINCIPLES OF PERSONAL DATA PROCESSING
§6
The principle of legality
Personal data may only be processed lawfully and in such a way that no breach of the
fundamental rights of the person concerned occurs.
§7
Purpose limitation principle
Personal data may only be collected for a specific, explicit and legitimate purpose
and may not be further processed in a way incompatible with that purpose; further processing of
personal data for archiving purposes, for scientific purposes, for historical research purposes or for a
statistical purpose, if it is in accordance with a special regulation8) and if adequate guarantees of
protection of the rights of the affected person according to § 78 par. 8 are observed, is not considered
incompatible with the original purpose.
§8
Principle of minimization of personal data
The personal data processed must be adequate, relevant and limited to what is necessary
given the purpose for which they are processed.
§9
Principle of accuracy
The personal data processed must be correct and, where necessary, kept up to date;
appropriate and effective measures must be taken to ensure that personal data that are incorrect
in respect of the purposes for which they are processed are erased or corrected without undue delay.
§ 10
Principle of minimization of retention
Personal data must be kept in a form which permits identification of the data subject
for no longer than is necessary for the purpose for which the personal data are processed; personal data
may be kept longer if they are to be processed solely for archival purposes, for scientific purposes, for
the purpose of historical research or for a statistical purpose on the basis of a special regulation8) and if
adequate guarantees of protection of the rights of the affected person according to § 78 par. 8 are observed.
§ 11
Principle of integrity and confidentiality
Personal data must be processed in a manner that, through appropriate technical
and organizational measures, guarantees adequate security of personal data, including protection against
unauthorized processing of personal data, illegal processing of personal data,
accidental loss of personal data, deletion of personal data or damage to personal
data.
§ 12
Principle of responsibility
The controller is responsible for compliance with the basic principles of personal data processing,
for the compliance of personal data processing with the principles of personal data processing and is obliged to
demonstrate this compliance with the principles of personal data processing at the request of the Office.
§ 13
Legality of processing
(1) The processing of personal data is lawful if it is carried out on the basis of at least one of these
legal bases:
(a) the data subject has consented to the processing of his or her personal data for at least one
specific purpose,
(b) the processing of personal data is necessary for the performance of a contract to which
the person concerned is a party, or to take action before the conclusion of the contract at the request of
the person concerned,
(c) the processing of personal data is necessary under a special regulation or an international
agreement by which the Slovak Republic is bound,
(d) the processing of personal data is necessary for the protection of the life, health or property of
the person concerned or another natural person,
(e) the processing of personal data is necessary for the performance of a task carried out in the public interest
or in the exercise of official authority conferred on the operator, or
(f) the processing of personal data is necessary for the legitimate interests of the controller
or a third party, except where those interests are outweighed by the interests or rights of
the data subject requiring the protection of personal data, in particular if the data subject is a child;
this legal basis does not apply to the processing of personal data by public authorities in
performing their tasks.
(2) The legal basis for the processing of personal data pursuant to paragraph 1 letter c) and e) must be
provided for in this Act, a special regulation or in an international agreement by which the
Slovak Republic is bound; a special law must stipulate the purpose of the processing of personal
data, the category of data subjects and the list of personal data processed or the scope of
personal data processed. Personal data processed on the basis of a special law may be
provided, transmitted or published from the information system only if the special law
sets out the purpose of the provision or the purpose of disclosure, the list of personal data processed
or the extent of the personal data processed which may be provided or disclosed, and, as the case may be, the
recipients to whom personal data are provided.
(3) If the processing of personal data for a purpose other than the purpose for which the personal data were obtained
is not based on the consent of the person concerned or on a special regulation, the operator, in
ascertaining whether the processing of personal data for another purpose is compatible with the purpose for which
the personal data were originally obtained, must, inter alia, take into account
(a) any link between the purpose for which the personal data were originally obtained and the purpose of the
intended further processing of personal data,
(b) the circumstances in which the personal data were obtained, in particular those relating to the relationship between
the person concerned and the operator,
(c) the nature of the personal data, in particular whether special categories of personal data are processed in accordance with
§ 16 or personal data concerning the admission of guilt for a criminal offense or misdemeanor
according to § 17,
(d) the possible consequences of the intended further processing of personal data for the data subject; and
(e) the existence of adequate safeguards, which may include encryption or pseudonymisation.
§ 14
Conditions for granting consent to the processing of personal data
(1) If the processing of personal data is based on the consent of the data subject, the controller
must at all times be able to prove that the person concerned has given his or her consent to the processing of his or her
personal data.
(2) If the controller requests consent to the processing of personal data from the person
concerned, this consent must be distinguished from other facts and must be expressed clearly
and in a comprehensible and easily accessible form.
(3) The data subject has the right at any time to withdraw his or her consent to the processing of personal data which
concern him or her. Withdrawal of consent does not affect the lawfulness of the processing of personal data
based on consent before its withdrawal; the person concerned must be
informed of this fact before consent is given. The person concerned may withdraw consent in the same way as
consent was given.
(4) In assessing whether consent has been given freely, account shall be taken in particular of whether the
performance of the contract, including the provision of the service, is conditional on consent to the processing of personal
data which is not necessary for the performance of this contract.
§ 15
Conditions for granting consent in relation to information society services
(1) In connection with the offer of information society services,9) the operator processes personal
data with the consent of the data subject lawfully if the data subject has reached the age of 16. If
the data subject is less than 16 years old, such processing of personal data is lawful only on the
condition and to the extent that such consent has been given or approved by his or her legal representative.10)
(2) The operator is obliged to make reasonable efforts to verify that the legal representative of
the data subject has given or approved consent to the processing of personal data pursuant to paragraph 1,
taking into account available technology.
§ 16
Processing of special categories of personal data
(1) The processing of special categories of personal data is prohibited. Special categories of
personal data means data revealing racial or ethnic origin, political opinions,
religious belief, philosophical beliefs, trade union membership, genetic data,
biometric data, health data or data concerning the sexual life or
sexual orientation of a natural person.
(2) The prohibition on the processing of special categories of personal data does not apply if
(a) the data subject has expressly consented to the processing of such personal data for at least
one specific purpose; the consent is invalid if its provision is precluded by a special regulation,
(b) processing is necessary for the purpose of fulfilling obligations and exercising special rights of the
operator or the person concerned in the field of labor law, social
security law, social protection or public health insurance according to a special
regulation,11) an international agreement by which the Slovak Republic is bound, or according to a
collective agreement, provided that they provide adequate guarantees for the protection of the fundamental rights and interests of
the person concerned,
(c) processing is necessary to protect the life, health or property of the person concerned or another
natural person if the person concerned is not physically fit or legally able to express his or her
consent,
(d) the processing is carried out in the framework of an authorized activity by a civic association, foundation or
a non-profit organization providing services of general interest, a political party or political
movement, trade union, state-recognized church or religious society and this
processing concerns only their members or those natural persons who are in regular contact with them in connection with their
purposes, personal data are used exclusively for their internal needs and will not be
provided to a recipient without the written or otherwise verifiable consent of
the person concerned,
e) the processing concerns personal data which the data subject has demonstrably disclosed,
f) processing is necessary for the exercise of a legal claim,12) or in the exercise of judicial
powers,
g) processing is necessary for reasons of public interest on the basis of this Act, a special
regulation or an international agreement by which the Slovak Republic is bound, which are
proportionate to the objective pursued, respect the essence of the right to the protection of personal data
and set out appropriate and concrete measures to safeguard the fundamental rights and interests of
the person concerned,
h) processing is necessary for the purpose of preventive occupational medicine, the provision of
healthcare and services related to the provision of healthcare or for
the purpose of providing public health insurance, if these data are processed by a provider of
health care, a health insurance company, a person performing services related
to the provision of healthcare or a person supervising healthcare
and, on its behalf, a professionally qualified entitled person who is bound by the obligation of
confidentiality regarding the facts of which he or she has become aware in the course of his or her activities and by the obligation to
adhere to the principles of professional ethics,
(i) processing is necessary for the purpose of social security, the social security of police officers
and soldiers, the provision of state social benefits, the promotion of the social inclusion of natural
persons with severe disabilities into society,13) the provision of social services,
the implementation of measures for the social protection of children and social guardianship or for the purpose of
providing assistance in material need, or processing is necessary for the purpose of the performance of
obligations or the exercise of the rights of the controller responsible for processing in the area of
labor law and in the field of employment services, if this arises for the operator
from a special regulation14) or an international agreement by which the Slovak Republic is bound,
(j) processing is necessary for reasons of public interest in the field of public health, such as
protection against serious cross-border threats to health or ensuring a high level of
quality and security of medical care, medicines, dietetic food or
medical devices, on the basis of this Act, a special regulation or an international
agreement by which the Slovak Republic is bound, which establishes appropriate and specific
measures to protect the rights of the data subject, in particular the obligation of professional secrecy,15)
k) processing is necessary for the purpose of archiving, for a scientific purpose, for the purpose of historical research
or for a statistical purpose under this Act, a special regulation or an international agreement
by which the Slovak Republic is bound, which are proportionate to the objective pursued,
respect the essence of the right to the protection of personal data and establish appropriate and specific
measures to safeguard the fundamental rights and interests of the person concerned.

§ 17
Processing of personal data relating to the admission of guilt for a criminal offense or
misdemeanor
Only a state body can be an operator for the purpose of processing personal data in the criminal record according to a special
regulation.16) Processing personal data relating to the admission of guilt for
the commission of a criminal offense or misdemeanor or related security measures is possible only
on the basis of a special regulation or an international agreement by which the Slovak Republic is
bound and which provide adequate guarantees for the protection of the rights of the person concerned.
§ 18
Processing of personal data without the need for identification
(1) If the purpose for which the controller processes personal data does not require or no longer requires the
operator to identify the person concerned, the operator is not obliged to keep,
obtain or process additional information to establish the identity of the person concerned solely in order
to comply with this law.
(2) If, in the cases referred to in paragraph 1, the operator is able to prove that it is not
able to identify the person concerned, it shall inform the person concerned in an appropriate manner, if possible.
In such cases, Sections 21 to 26 shall not apply unless the person concerned, for the purpose of exercising
his or her rights under those provisions, provides additional information enabling his or her
identification.
TITLE TWO
RIGHTS OF THE PERSON CONCERNED
FIRST PART
INFORMATION AND ACCESS TO PERSONAL DATA
§ 19
Information provided if personal data are obtained from the data subject
(1) If personal data concerning the data subject are obtained from the data subject, the operator is
obliged to provide to the person concerned, when obtaining them,
(a) the identification and contact details of the operator and of the operator's representative, if one has been
authorized,
b) contact details of the responsible person, if specified,
(c) the purpose of the processing for which the personal data are intended, as well as the legal basis for the
processing of personal data,
(d) the legitimate interests of the controller or of a third party where personal data are processed in accordance with
§ 13 par. 1 letter f),
e) identification of the recipient or category of recipient, if any,
(f) information that the controller intends to transfer personal data to a third country or
an international organization, the identification of the third country or international organization,
information on the existence or non-existence of a decision of the European Commission (hereinafter referred to as the "Commission")
on adequacy or a reference to reasonable guarantees or appropriate guarantees and the means of obtaining
a copy thereof or information on where they have been made available, if the operator intends to carry out a transfer
according to § 48 par. 2, § 49 or § 51 par. 1 and 2.
(2) In addition to the information pursuant to paragraph 1, the operator is obliged, when obtaining personal data, to
provide the data subject with information on
(a) the retention period of personal data; if this is not possible, information on the criteria for its determination,
b) the right to request from the controller access to personal data concerning the data subject,
the right to rectify personal data, the right to delete personal data or the right to
restrict the processing of personal data, the right to object to the processing of personal data, as well as
the right to the transfer of personal data,
c) the right to withdraw his or her consent at any time,
d) the right to file a motion to initiate proceedings pursuant to Section 100,
(e) whether the provision of personal data is a legal requirement or a contractual requirement
or a requirement necessary for the conclusion of the contract and whether the person concerned is
obliged to provide personal data, as well as the possible consequences of not providing personal
data,
f) the existence of automated individual decision-making, including profiling according to § 28 par. 1
and 4; in such cases, the operator shall provide the person concerned with information on the procedure
used, as well as the importance and expected consequences of such processing of personal data
for the person concerned.
(3) Before further processing of personal data, the operator is obliged to provide the data subject with
information on the other purpose and other relevant information under paragraph 2, if
the controller intends to further process personal data for a purpose other than that for which they were obtained.
(4) Paragraphs 1 to 3 shall not apply to the extent that the information has been provided to the data subject
before processing personal data.
§ 20
Information provided if personal data are not obtained from the data subject
(1) If personal data have not been obtained from the data subject, the controller is obliged to the data subject
provide the person
(a) the identification and contact details of the operator and of the operator 's representative, if any;
commissioned
b) contact details of the responsible person, if specified,
(c) the purpose of the processing of the personal data for which the personal data are intended, as well as the legal basis
processing of personal data,
d) categories of personal data processed,
e) identification of the recipient or category of recipient, if any,
(f) information that the controller intends to transfer personal data to a third country; or
an international organization, the identification of a third country or an international organization,
information on the existence or non-existence of a Commission decision on adequacy or a reference to
reasonable warranties or appropriate warranties and means to obtain a copy or information thereof
on where they were made available, if the operator intends to transfer according to § 48 par. 2, § 49 or
§ 51 par. 1 and 2.
(2) In addition to the information pursuant to paragraph 1, the operator is obliged to provide the person concerned
information about
(a) the retention period of personal data; if this is not possible, information on the criteria for its determination,
(b) the legitimate interests of the controller or of a third party where personal data are processed
according to § 13 par. 1 letter f),

(c) to require the controller to have access to personal data concerning the data subject
on the right to rectify personal data, on the right to delete personal data or on the right to
restrictions on the processing of personal data, on the right to object to the processing of personal data, such as
also on the right to the transfer of personal data,
d) withdraw his consent at any time,
e) the right to file a motion to initiate proceedings pursuant to Section 100,
(f) the source from which the personal data come, or information on whether they come from publicly available
available resources,
g) the existence of automated individual decision-making, including profiling according to § 28 par. 1
and 4; in such cases, the operator shall provide the person concerned with information on the used
procedure, as well as the importance of automated individual decision-making and
consequences of such processing of personal data for the data subject.
(3) The operator is obliged to provide information pursuant to paragraphs 1 and 2
(a) no later than one month after the personal data have been obtained, taking into account:
the circumstances in which the personal data are processed,
(b) at the latest at the time of the first communication with the data subject, if personal data are to be used
to communicate with the data subject, or
(c) at the latest when the personal data are provided for the first time, if provision is envisaged
personal data to another recipient.
(4) The operator is obliged to provide the person concerned with further processing of personal data
information on another purpose and other relevant information under paragraph 2, if any
the controller intends to further process personal data for a purpose other than that for which they were obtained.
(5) Paragraphs 1 to 4 shall not apply
a) to the extent that the person concerned already has the information,
(b) to the extent that the provision of such information proves impossible or would require
disproportionate efforts, in particular if personal data are processed for archiving purposes, for scientific purposes,
for the purpose of historical research or for the statistical purpose to which the conditions apply
and guarantees according to § 78 par. 8, or if the obligation referred to in paragraph 1 is likely to occur
make it impossible or seriously difficult to achieve the objectives of such personal processing
data; in such a case, the operator is obliged to take appropriate measures to protect the rights
and the legitimate interests of the data subject, including making the information available to the public,
(c) to the extent that provision is made to obtain or provide such information
in a special regulation applicable to the operator and in which they are laid down
appropriate measures to protect the rights and legitimate interests of the person concerned, or
(d) where personal data must remain confidential in accordance with a specific obligation of professional secrecy
prescription.15)
§ 21
Right of access to personal data
(1) The person concerned has the right to obtain confirmation from the operator as to whether
personal data concerning him are being processed. If the controller processes such personal data, the person
concerned has the right to access this personal data and information about
a) the purpose of processing personal data,
b) the category of personal data processed,

(c) the identification of the recipient or of the category of recipient to whom the personal data were or are to be
provided, in particular of the recipient in a third country or of an international organization, if any
possible,
(d) the retention period of personal data; if this is not possible, information on the criteria for its determination,
(e) the right to require the controller to correct personal data concerning the data subject;
deletion or restriction of their processing, or the right to object to the processing of personal data
data,
f) the right to file a motion to initiate proceedings pursuant to Section 100,
g) sources of personal data, if personal data were not obtained from the data subject,
h) the existence of automated individual decision-making, including profiling according to § 28 par. 1
and 4; in such cases, the operator shall provide the data subject with information in particular on the one used
procedure, as well as the importance and expected consequences of such processing of personal data
for the person concerned.
(2) The person concerned has the right to be informed of adequate guarantees regarding the transfer
according to § 48 par. 2 to 4 if the personal data are transferred to a third country or internationally
organizations.
(3) The operator is obliged to provide the person concerned with his personal data, which he processes. For
the controller may re-provide the personal data requested by the data subject
charge a reasonable fee corresponding to the administrative costs. The operator is obliged
provide personal data to the data subject in a manner required by his or her request.
(4) The right to obtain personal data pursuant to paragraph 3 may not have adverse consequences for the rights of others
natural persons.
PART TWO
CORRECTION AND DELETION AND LIMITATION OF PERSONAL DATA PROCESSING
§ 22
The right to correct personal data
The person concerned has the right to have the operator correct, without undue delay, incorrect
personal data concerning him. With regard to the purpose of the processing of personal data, the person concerned has
the right to supplement incomplete personal data.
§ 23
The right to delete personal data
(1) The person concerned has the right to have the operator delete, without undue delay, the personal
data relating to him.
(2) The operator is obliged to delete personal data without undue delay if the person concerned
exercises the right of deletion pursuant to paragraph 1, if
a) personal data are no longer needed for the purpose for which they were obtained or otherwise processed,
b) the person concerned revokes the consent pursuant to § 13 par. 1 letter a) or § 16 par. 2 letter (a), on the basis of
which the processing of personal data is carried out and there is no other legal basis for
processing of personal data,
c) the data subject objects to the processing of personal data pursuant to § 27 par. 1 and do not outweigh any
legitimate reasons for the processing of personal data or the data subject objects to the processing
personal data according to § 27 par. 2,

d) personal data are processed illegally,
(e) the reason for the cancellation is the fulfillment of an obligation under this Act, a special regulation, or
an international agreement by which the Slovak Republic is bound, or
f) personal data have been obtained in connection with the offer of information society services pursuant to Section 15
par. 1.
(3) If the controller has published personal data and is obliged to delete them pursuant to paragraph 1, it is at the same time
obliged to take appropriate security measures, including technical measures, with regard to
available technology and the cost of implementing them, in order to inform other
operators who process the personal data of the data subject of his request that those
operators delete references to his personal data and copies or duplicates thereof.
(4) Paragraphs 1 and 2 shall not apply if the processing of personal data is necessary
a) to exercise the right to freedom of expression or the right to information,
b) to fulfill an obligation under this Act, a special regulation or an international agreement,
by which the Slovak Republic is bound, or to fulfill a task carried out in the public interest
or in the exercise of official authority conferred on the operator,
c) for reasons of public interest in the field of public health in accordance with § 16 par. 2 letter h) to j),
(d) for archival purposes, for scientific purposes, for historical research purposes or for statistical purposes
according to § 78 par. 8, if the right under paragraph 1 is likely to render impossible or serious
difficult to achieve the objectives of such processing, or
e) to exercise a legal claim.
§ 24
The right to restrict the processing of personal data
(1) The data subject has the right to have the controller restrict the processing of personal data,
if
(a) the data subject objects to the accuracy of the personal data during the period allowed
verify the accuracy of personal data to the operator,
(b) the processing of personal data is illegal and the data subject objects to the deletion of personal data
data and calls instead for restrictions on their use,
(c) the controller no longer needs personal data for the purpose of processing personal data, but
they are needed by the person concerned to assert a legal claim, or
d) the data subject objects to the processing of personal data pursuant to § 27 par. 1, until verification that
the legitimate reasons on the part of the operator outweigh the legitimate reasons of the person concerned
persons.
(2) If the processing of personal data has been restricted pursuant to paragraph 1, in addition to storage, it may
personal data may be processed by the controller only with the consent of the data subject or for the purpose of application
legal claim, for the protection of persons or for reasons of public interest.
(3) The controller is obliged to inform the person concerned, whose processing of personal data is
restricted pursuant to paragraph 1, before the restriction of the processing of personal data is
canceled.

§ 25
Notification obligation in relation to repair, erasure or restriction of processing
personal data
(1) The operator is obliged to notify the recipient of the correction of personal data, deletion of personal data
data or restrictions on the processing of personal data carried out pursuant to § 22, § 23 par. 1 or
§ 24, if this does not prove impossible or does not require disproportionate effort.
(2) The operator shall inform the person concerned about the recipients pursuant to paragraph 1, if the person
concerned so requests.
PART THREE
RIGHT TO TRANSFER, RIGHT TO OBJECT AND AUTOMATED INDIVIDUAL
DECISION-MAKING
§ 26
Right to portability of personal data
(1) The data subject has the right to obtain personal data concerning him or her which he / she has provided
operator, in a structured, commonly used and machine-readable format and has the right
transfer this personal data to another operator, if technically possible and if
a) personal data are processed according to § 13 par. 1 letter a), § 16 par. 2 letter a) or § 13 par. 1
letter b) and
(b) the processing of personal data is carried out by automated means.
(2) The exercise of the right referred to in paragraph 1 shall not affect the right pursuant to § 23. The right to
portability does not apply to the processing of personal data necessary for the performance of the task
carried out in the public interest or in the exercise of official authority conferred on the operator.
(3) The right under paragraph 1 may not have adverse consequences for the rights of other persons.
§ 27
The right to object to the processing of personal data
(1) The data subject has the right to object to the processing of his or her personal data for a reason relating to
its specific situation carried out according to § 13 par. 1 letter e) or letter (f) including profiling
based on these provisions. The controller may not further process personal data if
does not demonstrate the necessary legitimate interests for the processing of personal data which prevail over
the rights or interests of the person concerned or the grounds for exercising a legal right.
(2) The data subject has the right to object to the processing of personal data concerning him or her
the purpose of direct marketing, including profiling, to the extent that it relates to direct marketing.
If the data subject objects to the processing of personal data for the purpose of direct marketing,
the operator may not further process personal data for the purpose of direct marketing.
(3) The operator is obliged to explicitly notify the person concerned of the rights under paragraphs 1 and 2
at the latest at the time of the first communication with her, the information on this right must be clearly stated
and separately from any other information.
(4) In connection with the use of information society services, the person concerned may have his or her right
object to the application by automated means using technical specifications.
(5) The data subject has the right to object to the processing of personal data concerning him,
for reasons relating to its specific situation, except where the processing is personal

necessary for the performance of a task for reasons of public interest where personal data are processed
for a scientific purpose, for the purpose of historical research or for a statistical purpose according to § 78 par. 8.
§ 28
Automated individual decision-making, including profiling
(1) The person concerned has the right not to be subject to a decision which is based
exclusively on the automated processing of personal data, including profiling, and which has legal
effects that concern him or similarly significantly affect him.
(2) Paragraph 1 shall not apply if the decision is
(a) necessary for the conclusion of the contract or the performance of the contract between the person concerned
and the operator,
b) performed on the basis of a special regulation or an international agreement by which the Slovak
Republic is bound, and which also provide for appropriate safeguards for
the rights and legitimate interests of the person concerned, or
(c) based on the express consent of the person concerned.
(3) In cases pursuant to paragraph 2 letter a) and c) the operator is obliged to perform appropriate
measures to protect the rights and legitimate interests of the data subject, in particular the right of verification
decisions not in an automated manner by the operator, the right to express their
opinion and the right to challenge the decision.
(4) Decisions pursuant to paragraph 2 may not be based on special categories of personal data
according to § 16 par. 1 except in cases where § 16 par. 2 letter a) or letter g) and at the same time are
appropriate measures are in place to guarantee the rights and legitimate interests of the person concerned.
PART FOUR
OBLIGATIONS OF THE OPERATOR IN THE EXERCISE OF THE RIGHTS OF THE PERSON CONCERNED
§ 29
(1) The operator is obliged to take appropriate measures and provide the person concerned with information
pursuant to Sections 19 and 20 and notifications pursuant to Sections 21 to 28 and 41, which relate to the processing of her personal data
data, in a concise, transparent, comprehensible and easily accessible form, clearly worded, namely
especially in the case of information intended specifically for a child. He is obliged to provide the information in paper form
or in electronic form, as a rule in the same form in which the application was submitted. If
the person concerned so requests, the operator may also provide the information orally, provided that the person concerned
proves his / her identity in another way.
(2) The operator provides co-operation to the affected person in exercising his rights pursuant to Sections 21 to 28.
In the cases specified in § 18 par. 2, the operator may not refuse to act on request
the person concerned in the exercise of his rights under Sections 21 to 28, unless he proves that the person concerned is not
able to identify.
(3) The operator is obliged to provide the person concerned with information on the measures
taken on the basis of her application pursuant to § 21 to 28 within one month from the delivery of the application. In justified
cases, taking into account the complexity and number of applications, the operator may extend that time limit
by another two months, even repeatedly. The operator is obliged to give notice of every
such extension within one month of receipt of the request, together with the reasons for the
extension of the time limit. If the person concerned has submitted the application in electronic form, the operator
shall provide the information in electronic form, unless the person concerned has requested the
information in another way.

(4) If the operator does not take measures at the request of the person concerned, he is obliged to
within one month of receipt of the request, inform the person concerned of the reasons for not doing so
and the possibility of filing a petition pursuant to Section 100 with the Office.
(5) Information pursuant to Sections 19 and 20 and notifications and measures taken pursuant to Sections 21 to 28 and 41 shall be
provide free of charge. If the request of the person concerned is manifestly unfounded or disproportionate
especially due to its repetitive nature, the operator may
(a) require a reasonable fee taking into account the administrative costs of providing the information
or a reasonable fee taking into account the administrative costs of the notification or a reasonable fee
a fee taking into account the administrative costs of carrying out the requested measure,
or
(b) refuse to act on a request.
(6) The operator shall prove the manifest unfoundedness of the application or the inadequacy of the application.
(7) The operator may request the provision of additional information necessary for
confirmation of the identity of the person concerned, if he / she has legitimate doubts about the identity of the natural person,
which submits an application pursuant to Sections 21 to 27; the provision of § 18 is not affected by this.
(8) Information to be provided to the data subject pursuant to Sections 19 and 20 may be submitted
combined with standardized icons to provide a well visible, clear
and a clear overview of the intended processing of personal data. Standardized icons must
be machine readable if used in electronic form.
(9) Information to be included in standardized icons and determination procedures
standardized icons shall be established by a generally binding legal regulation issued by the Office.
FIFTH PART
RESTRICTIONS
§ 30
Restriction of the rights of the data subject
(1) The operator or intermediary may, under the conditions laid down by special
regulation or an international agreement by which the Slovak Republic is bound, to limit the scope
obligations and rights under § 19 to 29 and under § 41, as well as the principles under § 6 to 12, if they relate to rights
and obligations under Sections 19 to 29, if such a restriction is established in order to ensure
a) security of the Slovak Republic,
b) defense of the Slovak Republic,
c) public order,
d) performance of tasks for the purposes of criminal proceedings,
e) other important objectives of general public interest of the European Union or the Slovak Republic,
in particular the subject of an important economic interest or an important financial interest
European Union or the Slovak Republic, including monetary, budgetary and tax
matters, public health or social security,
f) protection of the independence of the judiciary and court proceedings,
(g) the prevention of breaches of ethics in regulated professions or regulated professional bodies
activities,
(h) a monitoring function, a control function or a regulatory function linked to the exercise of official authority
in the cases referred to in points (a) to (e) and (g),

(i) the protection of the rights of the person or other persons concerned,
j) assertion of a legal claim,
k) economic mobilization.
(2) The operator or intermediary may proceed in accordance with paragraph 1 only if
a special regulation or international agreement by which the Slovak Republic is bound provides
at least
a) the purpose of the processing of personal data or the category of processing of personal data,
b) the category of personal data,
c) the extent of the restriction imposed,
(d) safeguards against misuse of personal data or illegal access; or
illegal transmission,
e) designation of the operator or categories of operators,
(f) the storage period and the applicable guarantees, having regard to the nature, extent and purpose of the processing
personal data or the category of personal data processing,
(g) the risks to the rights of the data subject; and
(h) the right of the person concerned to be informed of the restriction, provided that the purpose of the restriction is not jeopardized.
TITLE THREE
RIGHTS AND OBLIGATIONS OF THE OPERATOR AND INTERMEDIARY
FIRST PART
GENERAL OBLIGATIONS OF THE OPERATOR AND INTERMEDIARY
§ 31
Operator
(1) Given the nature, extent and purpose of the processing of personal data and the risks of varying
probability and seriousness for the rights of a natural person, the operator is obliged to accept
appropriate technical and organizational measures to ensure and demonstrate that the processing
personal data is carried out in accordance with this Act. These measures are the operator
obliged to update as necessary.
(2) Measures pursuant to paragraph 1 shall include the introduction of adequate procedures for the protection of personal data
data by the controller, if this is appropriate in view of the processing activities.
(3) The operator may use an approved certificate to prove the fulfillment of obligations pursuant to paragraph 1
code of conduct according to § 85 or certificate according to § 86.
(4) The controller is obliged to regularly check the duration of the purpose of personal data processing
and to ensure the deletion of personal data without undue delay after its completion; this does not apply if
personal data are part of the registration record.17)
(5) The operator ensures the discarding of the registration record, which contains personal
data, according to a special regulation.18)
§ 32
Specifically designed and standard personal data protection
(1) The operator is obliged, before processing personal data and during the processing of
personal data, to introduce specifically designed personal data protection, which consists
in the adoption of appropriate technical and organizational measures, in particular in the form of pseudonymisation,
effective implementation of adequate safeguards for the protection of personal data and compliance with fundamental principles
according to § 6 to 12.
(2) The operator is obliged in the case of specifically proposed protection of personal data pursuant to paragraph 1
take into account the latest knowledge of personal data protection, the costs of implementing measures under
paragraph 1, the nature, scope, context and purpose of the processing of personal data and the risks of the processing
personal data with different probabilities and severities by the processing of personal data
represents for the rights of the data subject.
(3) The operator is obliged to introduce a standard personal data protection, which consists
in the adoption of appropriate technical and organizational measures to ensure processing
personal data only for a specific purpose, minimizing the amount of personal data obtained
and the extent of their processing, retention period and availability of personal data. The operator is
obliged to ensure that personal data are not accessible by default without the intervention of a natural person
unlimited number of natural persons.
(4) The operator may use to prove the fulfillment of obligations under paragraphs 1 to 3
certificate according to § 86.
§ 33
Joint operators
(1) Joint operators are two operators or several operators who:
determine by agreement the purpose and means of the processing of personal data. They are also mandatory in the agreement
transparently determine the responsibility of each of them for the fulfillment of duties and tasks under this Act,
in particular as regards the exercise of the rights of the data subject and his obligations to provide information under
§ 19 and 20, unless these obligations of the operator are stipulated by a special regulation or
international treaty by which the Slovak Republic is bound. The agreement shall also specify the contact details
place for the person concerned.
(2) The operator is obliged to provide the basic requirements of the agreement pursuant to paragraph 1 to the data subject
person, in particular the identification of the contracting parties, the subject of the contract, the duration of the contract,
provisions governing the exercise of the rights of the person concerned, the obligations of operators to provide
information pursuant to § 19 and 20 and the contact point for the person concerned.
(3) Notwithstanding the terms of the agreement under paragraph 1, the person concerned may exercise his rights
for each operator and against each operator.
§ 34
Intermediary
(1) If the processing of personal data is to take place on behalf of the controller, the controller
it may only entrust an intermediary who provides sufficient guarantees to accept reasonable
technical and organizational measures so that the processing of personal data meets the requirements
of this Act and to ensure the protection of the rights of the person concerned. On behalf of the intermediary
the processing of personal data pursuant to the first sentence does not require the consent of the data subject.
(2) The intermediary may not entrust the processing of personal data to another intermediary
without the prior specific written consent of the operator or the general
written consent of the operator. The intermediary is obliged to inform the operator in advance
of the authorization of another intermediary, if the authorization was made on the basis of
general written consent.
(3) The processing of personal data by intermediaries is governed by a contract or other legal
act which binds the intermediary towards the operator and in which are established
the subject and duration of the processing, the nature and purpose of the processing, the list or scope of personal data,
the categories of persons concerned and the obligations and rights of the operator. The contract or other legal
act must provide in particular that the intermediary is obliged to
(a) process personal data only on the basis of written instructions from the controller, even if
it is a transfer of personal data to a third country or international organization other than a transfer
on the basis of a special regulation or an international agreement, which is the Slovak Republic
bound; the intermediary is obliged to notify the operator of such a transfer
requirement before the processing of personal data, if a special regulation or international
the agreement by which the Slovak Republic is bound does not prohibit such notification for reasons
public interest,
(b) ensure that the persons authorized to process personal data undertake to observe professional secrecy
on information which they have become aware of, unless they are bound by the obligation of professional secrecy pursuant to
special law,15)
c) take measures pursuant to Section 39,
d) comply with the conditions for the involvement of another intermediary pursuant to paragraphs 2 and 5,
(e) taking into account the nature of the processing of personal data, to the fullest extent possible
the operator by appropriate technical and organizational measures in carrying out his
the obligation to take measures at the request of the person concerned under the second part of the second
heads,
f) to provide co-operation to the operator in ensuring the fulfillment of obligations pursuant to Sections 39 to 43
taking into account the nature of the processing of personal data and the information available
to the intermediary,
(g) delete personal data or return personal data to the controller upon termination of the provision
services relating to the processing of personal data by decision of the controller
and delete existing copies that contain personal data if a special regulation or
the international agreement by which the Slovak Republic is bound does not require the retention of these
personal data,
(h) after the termination of the provision of personal data processing services on the basis of
the controller's decision to delete or return the personal data to the controller and to delete them
existing copies that contain personal data, if a special regulation or international
the agreement by which the Slovak Republic is bound does not require the retention of these personal data
data,
(i) provide the operator with the information necessary to demonstrate compliance
and to cooperate in the audit of personal data protection and control by
operator or an auditor appointed by the operator.
(4) The intermediary is obliged to inform the operator without undue delay if he is of the opinion
that the operator's instruction violates this law, special regulation or international
the agreement by which the Slovak Republic is bound, which relate to the protection of personal data.
(5) If the intermediary engages in the performance of special processing activities on behalf of
the operator of another intermediary, to that other intermediary in the contract, or
another legal act is obliged to impose the same obligations regarding the protection of personal data,
as provided for in the contract or other legal act between the operator
and intermediaries in accordance with paragraph 3, in particular the provision of sufficient guarantees for admission
appropriate technical and organizational measures to ensure that the processing of personal data complies
requirements of this Act. The original intermediary shall be liable to the operator if
the other intermediary fails to fulfill his obligations regarding the protection of personal data.

(6) The intermediary may prove the fulfillment of sufficient guarantees referred to in paragraphs 1 and 5
an approved code of conduct pursuant to Section 85 or a certificate pursuant to Section 86.
(7) A contract or other legal act pursuant to paragraphs 3 and 5 must be concluded in paper form or
in electronic form.
(8) An intermediary who has violated this Act by determining the purpose and means of processing
personal data shall be considered in connection with such processing of personal data as
operator; the provisions of § 38 and § 104 to 106 are not affected by this.
§ 35
Operator's representative or intermediary's representative
(1) An operator or intermediary who does not have a registered office, organizational unit, establishment
or permanent residence in a Member State is obliged to authorize in writing his representative in the territory
of a Member State if he carries out the processing of personal data of the data subject
in the territory of the Slovak Republic, where the processing activity is related to
a) the offer of goods or services to that data subject in the territory of the Slovak Republic, regardless of
whether or not the person concerned is required to pay, or
b) the monitoring of their behavior in the territory of the Slovak Republic.
(2) The obligation under paragraph 1 shall not apply to
(a) the processing of personal data which is occasional, does not involve large-scale processing
of special categories of personal data according to § 16 par. 1 or the processing of personal data
relating to the admission of guilt for a criminal offense or misdemeanor under § 17, and is not
likely, given the nature, context, extent or purpose of the processing, to lead
to a risk to the rights of individuals, or
(b) a public authority or body governed by public law.
(3) The Office and the data subject may request information concerning the processing of personal data
for the purposes of ensuring compliance with this Act not only from the operator and intermediary but also from
a representative of the operator or a representative of the intermediary.
(4) The authorization of a representative by an operator or intermediary shall not affect the right of
the person concerned to file a petition for the commencement of proceedings pursuant to Section 100 or to other legal protection
according to a special regulation, 19) which may be applied against the operator or
the intermediary.
§ 36
Processing of personal data under the supervision of the controller or processor
An intermediary and any person acting on behalf of an operator or intermediary who has
access to personal data may process such personal data only on the basis of instructions from
the operator or under a special regulation or an international agreement by which
the Slovak Republic is bound.
§ 37
Records of processing activities
(1) The operator and the operator's representative, if authorized, are obliged to keep a record
of the processing activities for which they are responsible. This record must contain
(a) the identification and contact details of the operator, joint operator, representative of the
operator, if authorized, and the responsible person,
b) the purpose of the processing of personal data,
c) a description of the categories of data subjects and categories of personal data,
d) categories of beneficiaries, including a beneficiary in a third country or an international organization,
(e) the designation of the third country or international organization if the operator intends to transfer
personal data to a third country or international organization and documentation
on adequate guarantees, if the operator intends to transfer according to § 51 par. 1 and 2,
f) estimated deadlines for deleting different categories of personal data,
g) a general description of technical and organizational security measures pursuant to § 39 par. 1.
(2) The intermediary and the representative of the intermediary, if authorized, are obliged to keep a record
of the categories of processing operations carried out on behalf of the operator. This record
must contain
(a) the identification and contact details of the intermediary and the operator on whose behalf
the intermediary acts, the operator's representative or the intermediary, if authorized,
and the responsible person,
b) the categories of personal data processing carried out on behalf of each controller,
(c) the designation of the third country or international organization if the operator intends to transfer
personal data to a third country or international organization, and documentation
on adequate guarantees, if the operator intends to transfer according to § 51 par. 1 and 2,
d) a general description of technical and organizational security measures pursuant to § 39 par. 1.
(3) Records pursuant to paragraphs 1 and 2 shall be kept in paper form or in electronic form.
(4) The operator or intermediary and the representative of the operator or representative of the
intermediary, if authorized, are obliged to make the record of processing activities available
to the Office on request.
(5) Obligations under paragraphs 1 and 2 shall not apply to an employer with less than 250
employees, unless it is unlikely that the processing of personal data which it carries out
will lead to the risk of protecting the rights of the data subject if the processing of personal data is occasional
or if it does not include special categories of personal data according to § 16 par. 1 or personal data
concerning the admission of guilt for a criminal offense or misdemeanor pursuant to Section 17.
(6) The Office shall publish a model record of processing activities on its website.
§ 38
Right to damages and liability
(1) Any person who has suffered property damage or non-property damage as a result of a breach
of this Act has the right to compensation for damage 20) from the operator or intermediary.
(2) The operator who participated in the processing of personal data is liable for damage
caused by illegal processing. The intermediary is liable for the damage caused by the
processing of personal data only if he has not fulfilled the obligations under § 34 to 37, § 39, § 40 par. 3,
§ 44, § 45, § 51 par. 3 or if he acted beyond or in contravention of the operator's instructions, which
were in accordance with the law.
(3) The operator or intermediary may be released from liability pursuant to paragraph 2, if
proves that he did not cause the damage.

(4) If more than one controller or intermediary, or the operator and the intermediary together,
participated in the same personal data processing and are, in accordance with paragraphs 2 and 3,
responsible for the damage caused by the processing of personal data, they are jointly and severally liable
for the damage.
(5) If the operator or intermediary has paid compensation in accordance with paragraph 4
in full, he has the right to request from the other operators or intermediaries involved
in the same processing of personal data that part of the compensation corresponding to their share of
liability for damage under the conditions laid down in paragraph 2.
PART TWO
PERSONAL DATA SECURITY
§ 39
Processing security
(1) The operator and the intermediary are obliged to adopt, with regard to the latest knowledge,
the costs of implementing the measures, the nature, scope, context and purpose of the processing of personal data
and the risks of varying probability and severity for the rights of individuals,
technical and organizational measures to ensure a level of security commensurate with this risk;
those measures may include in particular:
a) pseudonymization and encryption of personal data,
(b) ensuring the continued confidentiality, integrity, availability and resilience of processing systems
personal data,
(c) the process of restoring the availability of and access to personal data in the event of a physical incident
or technical incident,
d) the process of regular testing, assessment and evaluation of the effectiveness of technical
and organizational measures to ensure the security of the processing of personal data.
(2) In assessing the appropriate level of security, account shall be taken of the risks posed by
the processing of personal data, in particular accidental destruction or unlawful destruction, loss,
alteration or unauthorized disclosure of transmitted personal data, stored personal
data or otherwise processed personal data, or unauthorized access to such personal
data.
(3) Compliance with the requirements referred to in paragraph 1 may be demonstrated by an approved code
of conduct pursuant to Section 85 or a certificate pursuant to Section 86.
(4) The operator and the intermediary are obliged to ensure that a natural person acting for
the controller or processor who has access to personal data processes those
data only on the basis of instructions from the operator or according to a special regulation or
an international treaty by which the Slovak Republic is bound.
§ 40
Notification of a breach of personal data protection to the Office
(1) The operator is obliged to notify the Office of a breach of personal data protection within 72 hours after
becoming aware of it; this does not apply if the breach of personal data protection is not likely
to lead to a risk to the rights of the individual.
(2) If the operator fails to fulfill the notification obligation pursuant to paragraph 1, he must justify
missing the deadline.

(3) The intermediary is obliged to notify the operator of a breach of personal data protection
without undue delay after learning of it.
(4) The notification pursuant to paragraph 1 must contain in particular:
(a) a description of the nature of the personal data breach, including, where possible, categories
and the approximate number of persons affected by the infringement and the categories and approximate number
the personal data records concerned,
(b) the contact details of the responsible person or other contact point where more can be obtained
information,
c) a description of the probable consequences of the personal data breach,
(d) a description of the measures taken or proposed by the operator to remedy the breach of
personal data protection, including measures to mitigate its potential adverse effects,
if necessary.
(5) The operator is obliged to provide the information pursuant to paragraph 4 to the extent that it is
known to him at the time of notification under paragraph 1; if at the time of notification under paragraph 1
not all the information referred to in paragraph 4 is known to the operator, he shall provide it without delay after
learning of it.
(6) The operator is obliged to document each case of breach of personal data protection
pursuant to paragraph 1, including facts related to the personal data breach, its
consequences and remedial action taken.
§ 41
Notification of the personal data breach to the data subject
(1) The operator is obliged to notify the person concerned of the breach of personal data protection
without undue delay if such a breach of personal data protection can lead to a high
risk to the rights of the individual.
(2) The notification pursuant to paragraph 1 must contain a clearly and simply worded description of the nature
violation of personal data protection and information and measures pursuant to § 40 par. 4 letter b) to d).
(3) Notification under paragraph 1 shall not be required if
(a) the operator has taken appropriate technical and organizational protection measures and applied them to
personal data concerned by the personal data breach, in particular encryption or
other measures by which personal data are illegible to persons who are not
entitled to have access to them,
(b) the operator has taken follow-up measures to ensure a high risk of infringement
the person concerned in accordance with paragraph 1,
(c) it would require a disproportionate effort; the operator is obliged to inform the public or take
another measure to ensure that the person concerned is informed in an equally effective
way.
(4) If the controller has not yet notified the breach of personal data protection to the data subject, the Office
may, after considering the likelihood of the personal data breach leading to a high risk,
require him to do so or may decide that one of the conditions
referred to in paragraph 3 is met.
PART THREE
PERSONAL DATA PROTECTION IMPACT ASSESSMENT AND PRIOR
CONSULTATION
§ 42
Impact assessment on personal data protection
(1) If a type of processing of personal data, in particular using new technologies and taking into account
the nature, extent, context and purpose of the processing of personal data, may lead to a high risk for
the rights of natural persons, the controller is obliged to perform, before processing personal data,
an assessment of the impact of the planned processing operations on the protection of personal data. For a set of
similar processing operations which present a similarly high risk, one
assessment will suffice.
(2) When carrying out an impact assessment on the protection of personal data, the operator is obliged to
consult the responsible person on the individual procedures, if one has been designated.
(3) An impact assessment on the protection of personal data is required in particular as regards
(a) a systematic and comprehensive assessment of personal characteristics or characteristics relating to
the data subject, which is based on the automated processing of personal data, including
profiling and on which decisions with legal effects concerning the data subject are based
person or with a similarly serious effect on him,
b) processing in a large range of special categories of personal data according to § 16 par. 1 or
personal data relating to the admission of guilt for a criminal offense or misdemeanor
according to § 17, or
(c) systematic monitoring of publicly accessible places on a large scale.
(4) The personal data protection impact assessment shall contain in particular:
(a) a systematic description of the planned processing operations and the purpose of the processing of personal data
including an indication of any legitimate interest pursued by the operator,
b) an assessment of the necessity and adequacy of the processing operations in relation to the purpose,
(c) an assessment of the risk to the rights of the data subject; and
(d) risk mitigation measures, including guarantees, safeguards and mechanisms for
ensuring the protection of personal data and for demonstrating compliance with this Act,
taking into account the rights and legitimate interests of the person concerned and other natural persons
concerned.
(5) In assessing the impact of processing operations performed by the operator or
intermediaries, the Office shall take into account whether the operator or intermediary acts in accordance
with an approved code of conduct pursuant to Section 85 or a certificate pursuant to Section 86, in particular for the purposes of
personal data protection impact assessments.
(6) The operator is entitled to obtain the opinions of the person or organization concerned, which
represents its interests in the intended processing of personal data; protection of commercial interests,
public interest or the security of processing operations must not be affected.
(7) The controller is obliged to assess whether the processing of personal data is carried out in accordance
with the personal data protection impact assessment, in particular if there has been a change in the risk that
the processing operation represents.
§ 43
Prior consultation
(1) The operator is obliged to consult the Office before processing personal data
if it is clear from the personal data protection impact assessment pursuant to § 42 that the processing
of personal data will lead to a high risk to the rights of individuals if the controller does not adopt
measures to mitigate this risk.
(2) If the Office considers that the intended processing of personal data pursuant to paragraph 1 would be
in breach of this Act, in particular if the operator has insufficiently identified the risk or
mitigated the risk, the Office shall provide written advice to the operator or, where applicable, to the intermediary
within eight weeks of receipt of the request for consultation. The Office may, taking into account
the complexity of the intended processing of personal data, extend the deadline according to the previous sentence
by six weeks; the Office shall notify the operator and, where appropriate, the intermediary in writing of the extension
of the time limit and the reasons for the extension within one month of receiving the request for consultation. The time limit for
the provision of advice shall not run until the Office has obtained the information requested for the purposes of the
consultation.
(3) During consultations with the Office pursuant to paragraph 1, the operator is obliged to provide the Office
(a) information on the controller's obligations in relation to its processing
activities subject to prior consultation pursuant to paragraph 1, on joint
operators and intermediaries involved in the processing of personal data, in particular
when processing personal data within a group of companies,
(b) information on the purposes of the intended processing of personal data and the means of its
execution,
(c) information on the measures and guarantees provided to protect the rights of the data subject under
this Act,
d) contact details of the responsible person, if specified,
e) the assessment of the impact on the protection of personal data pursuant to § 42, and
(f) such other information as the Office may request.
PART FOUR
RESPONSIBLE PERSON
§ 44
Designation of the responsible person
(1) The operator and the intermediary are obliged to designate a responsible person if
(a) the processing of personal data is carried out by a public authority or body governed by public law
except for the courts in the exercise of their jurisdiction,
(b) the principal activities of the controller or intermediary are processing operations which,
due to their nature, scope or purpose, require regular and systematic
large-scale monitoring of the data subject, or
(c) the main activities of the operator or intermediary are the processing of special
categories of personal data according to § 16 on a large scale or the processing of personal data
concerning the admission of guilt for a criminal offense or misdemeanor under § 17 on a large
scale.
(2) A group of undertakings may designate one responsible person if that person is competent to perform
tasks according to § 46 for each company from the group of companies.
(3) If the operator or intermediary is a public authority or public body
institution, one responsible person may be designated for several such bodies or institutions,
taking into account their scope and organizational structure.

(4) Except in the cases referred to in paragraph 1, the responsible person may be designated by the operator or
intermediaries or associations and other entities representing categories of operators, or
intermediaries. The responsible person may act on behalf of such associations and other entities
representing operators or intermediaries.
(5) Except in the cases referred to in paragraph 1, the operator or intermediary or associations
and other entities representing categories of operators or intermediaries are obliged to designate
a responsible person if required by a special regulation or an international agreement by which
the Slovak Republic is bound. The responsible person may act on behalf of such associations and other
entities representing operators or intermediaries.
(6) The responsible person shall be determined on the basis of his professional qualities, in particular on the basis of his
expertise in law and procedures in the field of personal data protection and on the basis of competence
perform tasks according to § 46.
(7) The responsible person may be an employee of the operator or intermediary or
may perform tasks under contract.
(8) The operator and the intermediary are obliged to publish, for example on their website,
contact details of the responsible person, if designated, and notify them to the Office.
§ 45
The position of the responsible person
(1) The operator and the intermediary are obliged to ensure that the responsible person carries out
personal data protection activities properly and in a timely manner.
(2) The operator and the intermediary are obliged to provide the responsible person with the necessary
co-operation in the performance of tasks pursuant to Section 46; in particular, they are required to provide him with
the means necessary to perform these tasks and access to personal data and processing operations, as well as to ensure
the maintenance of his expertise.
(3) The operator and the intermediary are obliged to ensure that the responsible person does not receive
any instructions in connection with the performance of tasks pursuant to Section 46. Neither the operator nor the intermediary
may recall or punish the responsible person for the performance of his tasks pursuant to Section 46. In the performance of tasks
according to § 46, the responsible person is directly responsible to the statutory body of the operator or the statutory body
of the intermediary.
(4) The data subject may contact the responsible person with questions concerning the processing
of his personal data and the exercise of his rights under this Act.
(5) The responsible person is bound by the duty of confidentiality in connection with the performance of his tasks
in accordance with this Act or a special regulation. 15)
(6) The responsible person may also perform tasks and duties other than those pursuant to Section 46; the operator or
the intermediary is obliged to ensure that none of such other tasks or responsibilities leads
to a conflict of interest.
§ 46
Tasks of the responsible person
(1) The responsible person in particular
(a) provides information and advice to the operator or the intermediary
and employees who process personal data on their obligations under
this Act, special regulations or international agreements by which the Slovak
Republic is bound, concerning the protection of personal data,
b) monitors compliance with this Act, special regulations or international agreements
by which the Slovak Republic is bound, concerning the protection of personal data, and with the rules of the
operator or intermediary related to the protection of personal data, including
segregation of duties, awareness raising and training of those involved in
processing operations and related personal data protection audits,
(c) provides advice on request on the personal data protection impact assessment
and monitors its implementation according to § 42,
d) cooperates with the Office in the performance of its tasks,
(e) acts as the contact point for the Office in relation to issues of processing
personal data, including prior consultation pursuant to Section 43 and, if necessary, consultation
on other matters.
(2) In performing his tasks, the responsible person shall take due account of the risk associated with
processing operations, taking into account the nature, scope, context and purpose of the processing
personal data.
TITLE FOUR
TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY
OR INTERNATIONAL ORGANIZATION
§ 47
General principle of transmission
Transfer of personal data which are being processed or are intended to be processed after being transferred to
third country or international organization may only take place if the operator
and the intermediary comply with the conditions, including the conditions for the subsequent transfer of personal data
data from the third country in question or from the international organization in question to another third country
country or other international organization.
§ 48
Transfer of personal data to a third country or international organization
(1) The transfer of personal data to a third country or international organization may be
carried out if the Commission has decided that the third country, territory or one or more designated sectors
in a given third country, or the international organization, guarantee an adequate level of protection of
personal data. Such a transfer does not require special permission.
(2) In the absence of a Commission decision pursuant to paragraph 1, the transfer of personal data to a third country
or an international organization can only take place if adequate guarantees are provided
protection of personal data.
(3) Adequate guarantees under paragraph 2 may be established without the need to request the Office
for a special permit, through
a) an international agreement by which the Slovak Republic is bound,
b) internal company rules according to § 49,
(c) the standard data protection clause adopted by the Commission;
(d) a standard data protection clause adopted by the Authority;
e) the approved code of conduct according to § 85 together with the obligations of the operator or
intermediary in a third country consisting in the application of adequate safeguards, including as regards
the rights of the person concerned, or
f) a certificate pursuant to Section 86 together with an obligation of the operator or intermediary in the third
country consisting in the application of adequate safeguards, including as regards the rights of the person concerned.
(4) Adequate guarantees pursuant to paragraph 2 may also be provided with the permission of the Office, in particular
a) contractual clauses between the operator or intermediary and the operator,
an intermediary or consignee in a third country or international organization, or
(b) provisions in administrative agreements between public authorities or
public institutions which include effective means of enforcing the right of the person concerned
to file a motion to initiate proceedings pursuant to Section 100 and to other legal protection pursuant to
a special regulation. 19)

§ 49
Internal company rules
(1) The Office shall approve internal company rules if
(a) apply to each member of a group of undertakings or a group of undertakings involved in
joint economic activity, including their staff, and are applied by those members,
(b) they lay down internal procedures for exercising the rights of the data subject in respect of processing
personal data, and
(c) meet the requirements of paragraph 2.
(2) The internal rules shall state at least
(a) the structure and contact details of the group of undertakings or group of undertakings involved in
joint economic activity and each of their members,
(b) a transfer of personal data or a set of transfers, including categories of personal data, the type of
processing and its purposes, the type of persons concerned and the identification of the third country or
countries concerned,
c) their liability for the operator and the intermediary,
d) the application of the general principles of personal data protection, in particular purpose limitation,
minimization of personal data, limitation of retention period, quality of personal data,
specifically designed and standard personal data protection, legal basis for processing
personal data, processing of special categories of personal data, measures to ensure the
security of personal data, as well as requirements in connection with subsequent transfers
to entities that are not bound by internal company rules,
(e) the rights of the data subject in relation to the processing of personal data and the means for
the exercise of these rights, including the right not to be subject to decision-making based
exclusively on automated processing, including profiling according to § 28, the right to file
a motion for the commencement of proceedings pursuant to Section 100 and to other legal protection pursuant to a special
regulation 19) and the right to compensation for breaches of internal company rules,
f) a statement that the operator or intermediary with its registered office, organizational unit,
establishment or permanent residence in the territory of the Slovak Republic assumes responsibility for
a breach of internal company rules by any member concerned that does not have a registered office,
an organizational unit, establishment or permanent residence in a Member State; the operator or
the intermediary is fully exempted or partially exempted from this liability only if
he proves that he did not cause the damage,
g) the manner in which, in addition to the methods pursuant to Sections 19 and 20, information is provided to the data subject
on internal rules, in particular as regards the provisions of points (d) to (f),
(h) the role of the responsible person or another person or entity responsible for monitoring
compliance with internal company rules, as well as monitoring of training
and handling of complaints,
(i) the complaints procedure,
(j) the mechanism it has within the group of undertakings or group of undertakings involved in
ensure the verification of compliance with in-house
rules and which includes personal data protection audits and methods to ensure action
for redress in order to protect the rights of the person concerned; report the results of the verification
the responsible person or entity referred to in point (h) and the statutory body of the managing authority
an undertaking of a group of undertakings or a group of undertakings involved in a joint economic
activities and, upon request, provide the
(k) a mechanism for reporting and recording changes to the rules and for reporting such changes
to the Office,
(l) a mechanism for cooperation with the Office to ensure compliance with the rules, in particular
providing the results of the verification referred to in point (j) to the Office,
m) a mechanism for reporting to the Office the legal requirements to which the operator or
the intermediary is subject in a third country and which are likely to have significant
adverse effects on the guarantees provided by the internal rules, and
(n) adequate training of natural persons who have permanent or regular access
to personal data, in the field of personal data protection.
§ 50
Transfer or provision of personal data that the law of the Slovak Republic
does not allow
A court decision, a decision of a tribunal or a decision of an administrative authority of a third country
which requires the controller or intermediary to transfer or provide
personal data may be recognized or enforced only if it complies with an international
agreement concluded with a third country by which the Slovak Republic or the European Union is bound.
§ 51
Exceptions for special situations
(1) If there is no decision on adequacy according to § 48 par. 1 or adequate guarantees pursuant to § 48
par. 2 to 4, including internal company rules, transfer of personal data to a third country or
international organization can only take place if
(a) the person concerned has expressly consented to the proposed transfer after being
informed of the possible risks of such a transfer due to the absence of a decision
on adequacy and adequate guarantees,
(b) the transfer is necessary for the performance of a contract between the person concerned and the operator or
the implementation of pre-contractual measures taken at the request of the person concerned,
(c) the transfer is necessary for the conclusion of a contract or the performance of a contract concluded in the interest of
the person concerned between the operator and another person,
(d) the transfer is necessary in the public interest under a special regulation or an international
agreement by which the Slovak Republic is bound,
e) the transfer is necessary for the exercise of the legal claim of the person concerned,
(f) the transfer is necessary to protect the life, health or property of the person concerned or another
natural person if the person concerned is physically incapable or legally incapable of expressing
consent, or
(g) the transfer is made from a register which, in accordance with a special regulation or an international
agreement by which the Slovak Republic is bound, is intended to provide information to the public
and which may be consulted by the public, provided that the conditions for inspection under
this Act, a special regulation or an international agreement by which the Slovak Republic is
bound are met.
(2) If the transfer cannot be carried out in accordance with § 48 and no exception for a
special situation under paragraph 1 can be applied, the transfer of personal data to a third country or international
organization can only take place if
a) the transfer is not of a recurring nature,
(b) the transfer concerns only a limited number of persons concerned,
(c) the transfer is necessary for the purpose of the serious legitimate interests of the operator over which
the rights or interests of the data subject do not prevail, and
(d) the controller has assessed the circumstances surrounding the transfer of personal data and, on the basis of that
assessment, provided appropriate guarantees for the protection of personal data.
(3) The operator is obliged to inform the Office in advance about the transfer pursuant to paragraph 2. In addition
to providing information pursuant to Sections 19 and 20, the operator is obliged to inform the person concerned about the transfer
pursuant to paragraph 2 and about his legitimate interests within the time limits pursuant to § 19 and 20. The operator
or the intermediary shall document the assessment as well as the appropriate safeguards in the records
on processing activities pursuant to Section 37.
(4) Transmission pursuant to paragraph 1 letter (g) may not include personal data or whole categories of personal
data contained in the register. If the register is intended for consultation by persons with a legitimate
interest, the transfer may take place only at the request of those persons or when such persons are to be
the beneficiaries.
(5) Paragraph 1 letters (a) to (c) and paragraph 2 shall not apply to activities carried out by public
authorities in the exercise of official authority.
THIRD PART
SPECIAL RULES FOR THE PROTECTION OF PERSONAL DATA OF NATURAL PERSONS
WHEN PROCESSED BY THE COMPETENT AUTHORITIES
TITLE ONE
PRINCIPLES OF PERSONAL DATA PROCESSING
§ 52
§ 6, § 8, § 9, § 11, § 12 and § 13 par. 2 also apply to the procedure of the competent authorities in the
processing of personal data for the performance of tasks for the purposes of criminal proceedings.
§ 53
Purpose limitation principle
Personal data must be collected for a specific, explicit and legitimate purpose
and may not be further processed in a way incompatible with that purpose; the same competent
authority or another competent authority is authorized to process personal data for archiving, for scientific
purposes, for the purpose of historical research or for statistical purposes in connection with the performance of tasks for
criminal proceedings if it accepts adequate guarantees for the protection of the rights of the person concerned.


§ 54
Principle of minimization of retention
Personal data must be kept in a form which permits identification of the data subject
for no longer than is necessary for the purpose for which the personal data are processed.
§ 55
Legality of processing
(1) The competent authority is entitled to process personal data for the performance of tasks for the purposes of criminal
proceedings under this Act, a special regulation or an international agreement by which the
Slovak Republic is bound.
(2) Personal data that were originally obtained for another purpose may be processed for the performance of tasks
for the purposes of criminal proceedings if the processing of personal data for the purpose of criminal proceedings is
necessary and proportionate.
(3) The competent authority is entitled to process personal data for a purpose other than the performance of tasks for the
purposes of criminal proceedings if this is compatible with the purpose for which they were collected and if the processing is
necessary and proportionate for this other purpose. The processing of personal data for other purposes is
subject to a special regulation,2) where the processing of personal data takes place in the course of an activity which falls within
the scope of European Union law; where the processing is not part of an activity which falls
within the scope of European Union law, this law applies to the processing of personal data for other purposes
in addition to this part.
(4) If the competent authority performs activities other than the performance of tasks for the purposes of criminal proceedings,
the processing of personal data for those other activities is subject to a special regulation,2) where the processing of
personal data takes place in the context of an activity falling within the scope of European Union law; where
the processing of personal data does not take place in the framework of activities falling within the scope of European Union law,
this law applies to the processing of personal data for other activities in addition to this part.
§ 56
Processing of special categories of personal data
(1) Special categories of personal data may be processed by the competent authority only if
a) they have been demonstrably provided by the person concerned,
(b) their processing is necessary under a special regulation or international agreement by which
the Slovak Republic is bound, or
(c) their processing is necessary for the protection of the life, health or property of the person concerned or
another natural person.
(2) When processing special categories of personal data, the competent authority must adopt appropriate
guarantees for the protection of the rights of the person concerned.
§ 57
Categories of persons concerned
The competent authority shall, as far as possible, be required to distinguish between personal data of different categories
of persons concerned, such as in particular
(a) persons who can reasonably be presumed to have committed or to intend to commit
a crime,
b) persons convicted of a criminal offense,
(c) victims of crime or persons for whom there are grounds to
consider that they are or could be victims of crime,
(d) other third parties with regard to the offense, in particular those who may be called upon to
testify in criminal proceedings, persons who can provide information on criminal offenses,
or contact persons or associates of any of the persons referred to in points (a) and (b).
§ 58
Origin and veracity of personal data
(1) The competent authority shall, if possible, indicate personal data based on facts and personal
data based on personal assessments.
(2) Before providing or transferring personal data, the competent authority shall
verify their accuracy, completeness and timeliness, where possible, and take measures to ensure that
personal data which are incorrect, incomplete or out of date are not provided or
transmitted.
(3) When providing and transmitting personal data, the competent authority shall attach available information which
enables the receiving competent authority to assess their degree of accuracy, completeness, timeliness
and reliability, if circumstances allow. The competent authority may not provide or transmit incorrect
personal data; when providing or transmitting unverified personal data, the competent authority
must indicate the degree of their reliability. If the competent authority unduly
provides personal data or misappropriates personal data, or provides incorrect
personal data or transfers incorrect personal data, it is obliged without undue delay
to inform the recipient and ask the recipients of the personal data to whom such personal data have been provided
to correct, supplement, delete or restrict the processing of such personal data
without undue delay.
TITLE TWO
RIGHTS OF THE PERSON CONCERNED
§ 59
§ 29 also applies to the procedure of the competent authorities in the processing of personal data for the
performance of tasks for the purposes of criminal proceedings.
§ 60
Information to be made available or provided to the data subject
(1) The competent authority shall, in particular, make available on its website:
a) its identification data and contact details,
b) contact details of the responsible person,
c) information on the purpose of the processing for which the personal data are intended,
d) contact details of the Office,
e) information on the right to file a motion to initiate proceedings pursuant to Section 100,
(f) information on the right to request from the competent authority access to the personal data concerning the
person concerned, their rectification, erasure or restriction of their processing.
(2) At the request of the person concerned, the competent authority is obliged to provide the data subject
in special cases with information on
a) the legal basis for the processing of personal data,
(b) the retention period of personal data; if this is not possible, information on the criteria for its determination,
c) the categories of recipients of personal data, including in a third country and an international organization,
(d) other facts, in particular where personal data have been obtained without the knowledge of the data subject.
§ 61
Right of access to personal data
The person concerned shall have the right to obtain confirmation from the competent authority as to whether
personal data concerning him are being processed and, if so, he has the right to access that personal data
and information about
a) the purpose of the processing of personal data and the legal basis for the processing of personal data,
b) the category of personal data processed,
c) the recipient or category of recipients to whom the personal data have been or are to be provided,
in particular the recipient in a third country or an international organization,
(d) the retention period of personal data; if this is not possible, information on the criteria for its determination,
(e) the right to request from the competent authority the rectification of personal data concerning the data subject
or their deletion or restriction of the processing of personal data, or the right to object to the
processing of personal data,
f) contact details of the Office,
g) the right to file a motion to initiate proceedings pursuant to Section 100,
(h) sources of personal data, if available.
§ 62
The right to correct personal data, the right to delete personal data
and restriction of these rights
(1) The person concerned has the right to have the competent authority rectify without undue delay
incorrect personal data concerning him. With regard to the purpose of personal data processing,
the data subject has the right to have incomplete personal data completed.
(2) The person concerned has the right to have the competent authority erase without undue delay
personal data concerning him, and the competent authority shall be obliged to delete the personal data
without undue delay if
a) the processing of personal data is in conflict with the principles of personal data processing pursuant to Sections 52
to 55,
b) the processing of personal data is in conflict with § 56, or
c) deletion of personal data is necessary for the purpose of fulfilling obligations under this Act,
a special regulation or international agreement by which the Slovak Republic is bound.
(3) Instead of erasure, the competent authority shall restrict the processing of personal data if
(a) the data subject has challenged the accuracy of the personal data and their accuracy or inaccuracy
cannot be determined, or
(b) personal data must be kept for evidentiary purposes.
(4) If the processing of personal data is limited pursuant to paragraph 3 letter (a), the competent authority shall be
obliged to inform the data subject before the restriction on the processing of personal data.
(5) The competent authority is obliged to inform the person concerned in writing of the refusal of the right to
the correction referred to in paragraph 1, the right of erasure pursuant to paragraph 2 or the restriction of processing
personal data pursuant to paragraph 3 and the grounds for refusal.
§ 63
Restrictions on the provision of information and the rights of the data subject
(1) The competent authority may defer the provision of information, restrict the provision of information or
refrain from providing information according to § 60 par. 2, may limit, in whole or in part, the right of
access pursuant to § 61, or may completely or partially limit the obligation to inform pursuant to § 62
par. 5, if
(a) an official or judicial procedure or inquiry could be influenced or obstructed,
b) the performance of tasks for the purposes of criminal proceedings could be endangered,
(c) it is necessary to ensure the protection of public policy or public security; or
(d) it is necessary to protect the rights of others.
(2) A special regulation may stipulate the categories of personal data processing to which
paragraph 1 applies.
(3) The competent authority is obliged to inform the person concerned in writing of the refusal of the right of
access or restriction of the right of access pursuant to Section 61 and the reasons for such refusal or
restriction; this shall not apply if the provision of such information would jeopardize the purpose referred to in paragraph 1.
(4) The competent authority must document the factual or legal reasons on the basis of
which the right of access pursuant to Section 61 has been restricted, and provide them at the request of the Office.
(5) If the competent authority restricts the provision of information or restricts the right of the person concerned
pursuant to paragraph 1, it shall inform the person concerned in writing of the possibility of filing a motion to
initiate proceedings pursuant to Section 100, including the possibility of exercising the right to have the legality of the procedure of the
competent authority pursuant to paragraphs 1 and 3 verified by the Office, and of the possibility of exercising the rights of the person concerned to
other legal protection.19)
§ 64
Notification of the correction, deletion or restriction of the processing of personal data
The competent authority is obliged to report the correction of incorrect personal data to the competent authority
from which it obtained the incorrect personal data. If the competent authority corrects incorrect personal data,
deletes incorrect personal data or restricts their processing according to § 62 par. 1 to 3, it shall inform
the recipient, who is obliged to correct or delete such personal data or limit their
processing.
§ 65
The provisions of Sections 61 to 64 do not apply in the case of personal data which are part of
an investigation file or a court file in criminal proceedings; the rights set out in these
provisions shall be exercised in accordance with a special regulation.21)
§ 66
Automated individual decision making
(1) A decision of a competent authority which has adverse legal effects on the person concerned
must not be based solely on the automated processing of personal data, including
profiling, unless a special regulation or an international agreement by which the Slovak Republic is
bound provides otherwise. The special regulation or international agreement by which the
Slovak Republic is bound must provide adequate guarantees for the protection of the rights of the person
concerned, in particular the right to have the decision verified in an automated manner by
the competent authority.
(2) A decision pursuant to paragraph 1 may not be based on special categories of personal
data, unless appropriate measures are taken to guarantee the rights and legitimate interests of the person
concerned.
(3) Profiling which leads to discrimination against persons on the basis of specific categories of personal
data is prohibited.
TITLE THREE
RIGHTS AND OBLIGATIONS OF THE COMPETENT AUTHORITY AND THE INTERMEDIARY
§ 67
§ 31, § 32, § 33 par. 1 and 3, § 34, § 36, § 37, § 39 to 41, § 42 par. 1 to 5 and 7 and § 44 to 46
also apply to the procedure of the competent authorities in the processing of personal data for the
performance of tasks for the purposes of criminal proceedings.
§ 68
(1) The competent authority shall verify every three years whether the personal data processed are still necessary for
performance of tasks for the purposes of criminal proceedings, unless a special regulation provides otherwise.
(2) The competent authority shall keep records of the processing activities for which it is responsible.
Records of processing activities must contain, in addition to information pursuant to Section 37, also
information about
(a) the use of profiling if profiling is intended by the competent authority,
(b) the legal basis for the processing operations, including the transfer, for which the personal data are
intended.
§ 69
Log management
(1) The competent authority shall keep logs of the obtaining, changing, viewing, providing, including transmission,
combining and erasure of personal data in an automated processing system.
From the logs of viewing and provision it must be possible to determine the reason, date and time of the viewing
or provision and the identification of the person who viewed the personal data or
provided them, as well as the identity of the beneficiaries.
(2) The competent authority shall use and store the logs exclusively for the purpose of verifying the lawfulness of the processing
of personal data, for self-monitoring, for the purpose of ensuring the integrity and security
of personal data and for the purposes of criminal proceedings.
(3) The competent authority and the intermediary of the competent authority shall make the logs available at the request
of the Office, if available.
§ 70
Prior consultation
(1) The competent authority shall consult the Office prior to the processing of personal data which
are to form part of a new information system if the personal data protection impact assessment
according to § 42 shows that this processing will lead to a high risk for the rights of natural persons
if the competent authority does not take measures to mitigate that risk, or if the type of processing,
particularly with the use of new technologies, mechanisms or procedures, carries a high risk of infringement of
the rights of the person concerned.
(2) The competent authority shall, together with the request for prior consultation, provide the Office with the
personal data protection impact assessment pursuant to Section 42, carried out by the Office and at the request of the Office,
as well as other information to enable the Office to assess the compliance of the processing of personal data with this
law and in particular the risks in terms of the protection of the personal data of the data subject and the related guarantees.
(3) If the Office considers that the intended processing of personal data pursuant to paragraph 1 would be
illegal, in particular if the competent authority has insufficiently identified the risk or mitigated the risk, the Office shall,
within six weeks of receipt of the request for consultation, provide the competent authority and, where appropriate,
the intermediary with written advice. The Office may, in view of the complexity of the intended
processing of personal data, extend the time limit under the previous sentence by one month;
the Office shall announce the extension of the deadline and the reasons for the extension to the operator, and possibly also
to the intermediary, within one month of receipt of the request for consultation. The deadline for the provision of
advice shall not run until the Office has obtained the information it has requested for the purposes of
prior consultation.
(4) Other processing operations of the competent authority that are subject to the obligation to carry out
prior consultation pursuant to paragraph 1 shall be established by a generally binding piece of legislation
issued by the Office.
§ 71
Security of personal data processing
The competent authority or the intermediary of the competent authority shall, for the automated processing of
personal data, take the following measures on the basis of a risk assessment:
(a) control of access to facilities to prevent unauthorized access to the facilities used for the
processing of personal data,
(b) control of personal data carriers in order to prevent unauthorized reading of personal data
carriers, copying of personal data carriers, modification of personal data carriers or
removal of personal data carriers,
(c) control of the retention of personal data in order to prevent the unauthorized input of personal
data into the information system and unauthorized browsing of personal data
in the information system, alteration of personal data in the information system or
deleting personal data from the information system,
d) control of users of the information system in order to prevent the use of
automated processing systems by unauthorized persons using a device for the transmission of
personal data,
(e) control of access to personal data to ensure that persons authorized to use the automated
processing system have access only to the personal data
covered by their right of access,
(f) control of data transmission in order to ensure that it is possible to verify and identify the entities to which
personal data have been transferred or provided, or to which
personal data may be transferred or provided, by means of a device for the
transmission of personal data,
(g) checking the input of data into the information system to ensure that it can be verified
and found out what personal data have been entered into the automated processing system, and when and by whom
they were entered,
h) control of the transport of personal data in order to prevent unauthorized reading of personal data,
copying personal data, modifying personal data or deleting personal
data during their transmission or during the transport of a personal data medium,
(i) recovery of personal data to ensure that installed systems can be restored in the event of an
interruption,
(j) ensuring the reliability of the information system to ensure that the functions of that system
function and errors in its functions are reported,
k) ensuring the integrity of the information system so that stored personal data cannot be
damaged if this system fails.
§ 72
Report a privacy violation
(1) The competent authority is obliged to notify the information pursuant to § 40 para. 4 to
the authority of the Member State competent to carry out the tasks for the purposes of criminal proceedings, if the breach of
personal data protection involves personal data transmitted by an authority of a Member State
competent for the performance of tasks for the purposes of criminal proceedings or which have been delegated to such a body.
(2) The competent authority may postpone the notification of a breach of personal data protection, limit
notification of a personal data breach or waive the notification of a personal data breach
to the data subject according to § 41, if
(a) an official or judicial procedure or inquiry could be influenced or obstructed,
b) the performance of tasks for the purposes of criminal proceedings could be endangered,
(c) it is necessary to ensure the protection of public policy or public security; or
(d) it is necessary to protect the rights of others.
TITLE FOUR
TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANIZATION
§ 73
(1) § 48 par. 1 and § 50 also apply to the procedure of the competent authorities in the processing of personal data
for the performance of tasks for the purposes of criminal proceedings.
(2) Transfer of personal data between the competent authorities and the competent authorities of the Member States
for the performance of tasks for the purposes of criminal proceedings shall be guaranteed if such a transfer is required under
a special regulation or international agreement by which the Slovak Republic is bound.
§ 74
General principles for the transfer of personal data
(1) The competent authority may carry out a transfer of personal data which are processed or are intended to be
processed after transfer to a third country or international organization, including subsequent transfer to another third country
or another international organization, only if
a) the transfer is necessary for the performance of tasks for the purposes of criminal proceedings,
(b) personal data are transferred to a controller in a third country or an international organization
which is the body competent to perform tasks for the purposes of criminal proceedings, unless § 77
par. 1 provides otherwise,
(c) where personal data transferred or provided from another Member State are concerned, that
Member State has granted authorization for the transfer in accordance with its national law before
the transfer is performed,
d) the Commission has adopted a decision on adequacy pursuant to § 48 par. 1, or adequate guarantees according to § 75
have been provided or exist, or exceptions for special situations according to § 76 apply,
e) in the case of subsequent transfer to another third country or international organization, the competent authority
which made the original transfer, or another competent authority in the Slovak Republic, grants
authorization for the subsequent transfer after due consideration of relevant factors, including
the seriousness of the offense, the purpose for which the personal data were originally transferred and the level of protection of
personal data in the third country or international organization to which the personal data are
subsequently transferred.
(2) Transmission without the prior authorization of a Member State pursuant to paragraph 1 letter c) may
take place only if the transmission is necessary to prevent an immediate and serious
threat to the public security of a Member State or a third country, or to the essential interests of a
Member State, and prior authorization cannot be obtained in time; the authority responsible for
the issue of a prior authorization must be notified without undue delay.
(3) If the competent authority carries out a transfer of personal data whose processing is subject to
special processing conditions, it shall inform the recipient of those conditions
and of the requirement to comply with them. When transferring personal data to a recipient in another
Member State or to an agency, office or body of the European Union, no conditions may be
applied other than those applicable to the transfer of personal data within the Slovak
Republic.
§ 75
Reasonable guarantees
(1) If there is no Commission decision on adequacy pursuant to § 48 par. 1, the competent authority may
transfer personal data to a third country or international organization only if
a) a special regulation or international agreement by which the Slovak Republic is bound provides
adequate safeguards for the protection of personal data, or
(b) the competent authority has assessed the circumstances of the transfer of personal data and concluded that they exist
adequate guarantees for the protection of personal data.
(2) The competent authority shall inform the Office of the categories of transfers pursuant to paragraph 1 letter. b).
(3) If the competent authority carries out the transfer pursuant to paragraph 1 letter (b), such transfer must be
documented; the documentation shall be provided to the Office upon request. The documentation must state the
date and time of the transfer, information on the receiving competent authority, the justification for the transfer of
personal data and the personal data transferred.
(4) A decision of the Commission revoking, amending or suspending its decision on adequacy
according to § 48 par. 1 does not affect the transfer of personal data pursuant to paragraph 1 and § 76.


§ 76
Exceptions for special situations
(1) If there is no Commission decision on adequacy pursuant to § 48 par. 1 or reasonable guarantees
pursuant to § 75, the competent authority may transfer personal data to a third country or international
organization only if the transfer is necessary
a) for the protection of the life, health or property of the person concerned or of another natural person,
(b) to safeguard the legitimate interests of the person concerned, where a special regulation so provides
or an international agreement by which the Slovak Republic is bound,
(c) to prevent an immediate and serious threat to the public security of a Member State or
a third country,
(d) in special cases for the performance of tasks for the purpose of criminal proceedings; or
(e) in specific cases, for the exercise of a legal right related to the performance of tasks for the purposes of
criminal proceedings.
(2) The transfer of personal data pursuant to paragraph 1 may not take place if the competent authority
determines that the rights of the data subject outweigh the public interest in the transfer
pursuant to paragraph 1 letters d) and e).
(3) If the transfer of personal data is carried out in accordance with paragraph 1, such transfer must be
documented; the documentation shall be provided to the Office upon request. The documentation must state the
date and time of the transfer, information on the receiving competent authority, the justification for the transfer of
personal data and the personal data transferred.
§ 77
Transfer of personal data to a recipient from a third country
(1) The competent authority may, in special cases, transfer personal data to a recipient
with its registered office, place of business, organizational unit, establishment or permanent residence
in a third country if, in addition to the other conditions for the transfer of personal data laid down
by this law,
(a) the transfer is necessary for the performance of a task for the purpose of criminal proceedings of the competent authority which
carries out the transfer,
(b) the competent authority making the transfer determines that no rights of the person concerned prevail
over the public interest which necessitated the transfer in the present case,
(c) the competent authority making the transfer considers that the transfer to the authority of the third
country responsible for carrying out tasks for the purposes of criminal proceedings is ineffective or inappropriate,
in particular because the transfer cannot be achieved in a reasonable time,
(d) the authority competent in the third country to carry out tasks for the purposes of criminal proceedings is
informed without undue delay, unless such action is ineffective or
inappropriate, and
(e) the competent authority making the transfer informs the recipient of the specific purpose or
purposes for which the recipient is exclusively to process such personal data, if such processing is
necessary.
(2) The transfer to a recipient from a third country pursuant to paragraph 1 shall not affect an international agreement,
by which the Slovak Republic is bound in the field of judicial cooperation in criminal matters
and police cooperation.


(3) A competent authority which carries out a transfer pursuant to paragraph 1 must inform the Office thereof.
(4) If the competent authority carries out the transfer pursuant to paragraph 1, it is obliged to document it.
PART FOUR
SPECIAL SITUATIONS OF THE LEGAL PROCESSING OF PERSONAL DATA
§ 78
(1) The operator may process personal data without the consent of the data subject even if
the processing of personal data is necessary for an academic, artistic or literary
purpose; this does not apply if, by processing personal data for such a purpose, the controller infringes
the right of the person concerned to protection of his or her personality or the right to privacy, or if such
processing of personal data without the consent of the data subject is precluded by a special regulation or
an international agreement by which the Slovak Republic is bound.
(2) The operator may process personal data without the consent of the data subject even if
the processing of personal data is necessary for the purposes of informing the public
by mass media and if the personal data are processed by a controller for whom this
results from the subject of its activity; this does not apply if, by processing personal data for such a purpose,
the operator infringes the right of the data subject to the protection of his or her personality or the right to protection
of privacy, or if such processing of personal data without the consent of the data subject is precluded by a special
regulation or an international agreement by which the Slovak Republic is bound.
(3) The operator who is the employer of the person concerned is entitled to provide or disclose
that person's personal data to the extent of title, name, surname, work
classification, job classification, functional classification, personal number of the employee or
employee number, professional department, place of work, telephone number, fax number,
workplace e-mail address and the identification data of the employer, if this is necessary
in connection with the performance of the duties or functions of
the person concerned. The provision of personal data or the disclosure of personal data must not impair
the seriousness, dignity and safety of the person concerned.
(4) When processing personal data, a generally applicable identifier according to a special
regulation 22) may be used for the purposes of identifying a natural person only if its use is
necessary to achieve the given purpose of processing. Consent to the processing of a generally
applicable identifier must be explicit and must not be precluded by a special regulation, where
the identifier is processed on the legal basis of the consent of the person concerned. Publishing a generally
applicable identifier is prohibited; this does not apply if the generally applicable identifier is published by
the person concerned himself or herself.
(5) The operator may process genetic data, biometric data and data related to
health also on the legal basis of a special regulation or an international agreement by which the
Slovak Republic is bound.
(6) Personal data on the data subject may be obtained from another natural person and processed
in the information system only with the prior written consent of the person concerned; this does not apply
if, by providing personal data about the data subject to the information system, the other natural person
protects his or her rights or legally protected interests or reports facts which justify
the application of the legal liability of the data subject, or if personal data are processed on the basis of
a special law according to § 13 par. 1 letter c) and e). The person who processes such personal data must
be able to prove to the Office, at its request, that it has obtained them in accordance with this Act.
(7) If the person concerned is no longer alive, the consent required under this Act or a special regulation 2)
can be provided by a close person. 23) Consent is not valid if even one close person has disagreed
in writing.
(8) When processing personal data for the purpose of archiving, for scientific purposes, for the purposes of historical
research or for statistical purposes, the operator and the intermediary are obliged to adopt appropriate
guarantees for the rights of the person concerned. These guarantees include the establishment of adequate and effective
technical and organizational measures, in particular to ensure compliance with the principle of data
minimization and pseudonymisation.
(9) If personal data are processed for a scientific purpose, the purpose of historical research or for a
statistical purpose, the rights of the data subject under § 21, § 22, § 24 and 27 or under a
special regulation 24) may be limited by a special regulation or an international agreement by which
the Slovak Republic is bound, if adequate conditions and guarantees are adopted in accordance with paragraph 6 and if
these rights of the person concerned are likely to make it impossible or seriously difficult
to achieve these purposes and such a restriction of the rights of the person concerned is necessary to achieve
these purposes.
(10) If personal data are processed for the purpose of archiving, the rights of the data subject under
§ 21, § 22 and § 24 to 27 or under a special regulation 25) may be limited by a special regulation, if
appropriate conditions and guarantees have been adopted in accordance with paragraph 6 and if these rights of the person concerned
are likely to make it impossible or seriously difficult to achieve those objectives and such a
restriction of the rights of the person concerned is necessary to achieve those objectives.
(11) In taking safety measures and in assessing the
impact on the protection of personal data, the operator and the intermediary shall act in line with international standards
and safety standards.
§ 79
Confidentiality
(1) The operator and the intermediary are obliged to maintain the confidentiality of personal data
which they process. The duty of confidentiality continues even after the processing of personal data has ended.
(2) The operator and the intermediary are obliged to bind to confidentiality about personal data the
natural persons who come into contact with personal data at the controller or intermediary.
The duty of confidentiality under the first sentence must continue even after the termination of the employment relationship,
civil service, employment or similar employment relationship of that
natural person.
(3) The duty of confidentiality pursuant to paragraphs 1 and 2 shall not apply if it is necessary for the performance of the tasks
of a court and bodies active in criminal proceedings according to a special law; this is without prejudice to
confidentiality provisions under special regulations. 26)
(4) Provisions on the duty of confidentiality pursuant to paragraphs 1 and 2, § 45 par. 5 shall not apply in
relation to the Office in the performance of its tasks under this Act or a special regulation. 2)

PART FIVE
OFFICE
TITLE ONE
STATUS, SCOPE AND ORGANIZATION OF THE OFFICE
§ 80
The position of the office
(1) The Office is a state administration body with nationwide competence, which participates in the protection
of the fundamental rights of natural persons with regard to the processing of personal data and which supervises
the protection of personal data, including supervision of the protection of personal data processed by
competent authorities in the performance of tasks for the purposes of criminal proceedings, unless § 81 para. 7 and 8
provide otherwise.
(2) The seat of the Office is Bratislava.
(3) To fulfill the tasks of the supervisory body over the protection of personal data, the Office may establish
and abolish detached workplaces outside its seat and determine the territorial area of their competence.
(4) In exercising its powers, the Office shall act independently and shall be governed by the constitution, constitutional
laws, regulations, other generally binding legal regulations and international
agreements by which the Slovak Republic is bound.
(5) The Office is a budgetary organization. 27) The draft budget shall be presented by the Office as part of the chapter
General treasury report. The approved budget of the Office may be reduced during the calendar
year only by the National Council of the Slovak Republic.
(6) Details on the organization of the Office shall be regulated by the organizational rules of the Office issued by the Chairman
of the Office.
§ 81
Tasks of the Office
(1) The Office is a supervisory body pursuant to this Act or a special regulation 28) and performs tasks
and exercises the powers entrusted to it under this Act and under a special regulation. 29)

(2) The Office
a) monitors the application of this Act,
b) comments on draft laws and drafts of other generally binding legal
regulations governing the processing of personal data,
c) provides consultations in the field of personal data protection,
d) methodically guides operators and intermediaries in the processing of personal data,
(e) raises public awareness, in particular of the risks and rights associated with the processing of personal
data,
(f) raises the awareness of operators and intermediaries of their obligations under this
Act,
(g) upon request, provides information to the data subject in relation to the exercise of his or her rights under
this Act and for this purpose cooperates with the supervisory authorities of other Member States, 30)
h) when supervising the protection of personal data, verifies the lawfulness of the processing of personal
data by the competent authority where the person concerned exercises the right pursuant to § 63 par. 5 and informs
the person concerned of the result of the verification within 30 days of the date of the request for verification, or of
the reasons why the verification did not take place, and of the possibility of exercising the right of the person concerned to
file a motion to initiate proceedings pursuant to Section 100 and to other legal protection pursuant to a special
regulation, 19)
(i) monitors developments, in particular in information and communication technologies and business practices, where
they have an impact on the protection of personal data,
j) cooperates with the European Data Protection Board in the field of personal data protection, 31)
k) submits a report on the status of personal data protection to the National Council of the Slovak Republic
at least once a year; the report on the status of personal data protection is published by the Office on its
website and provided to the European Data Protection Board and the Commission,
(l) cooperates with the supervisory authorities of other Member States, including the exchange of information,
and provides mutual assistance in order to ensure a common approach to the protection of personal
data pursuant to this Act and a special regulation. 32)
(3) In performing its tasks, the Office is entitled to
(a) order the operator and the intermediary and, where applicable, the representative of the operator or
intermediary, if one has been authorized, to provide the information necessary for the performance
of its tasks,
(b) obtain from the controller and the intermediary access to personal data and information which
are necessary for the performance of its tasks; this is without prejudice to the provisions on confidentiality under
special regulations, 26)
(c) enter the premises of the operator and the intermediary, as well as access any facility
and means of processing personal data, to the extent necessary for the performance of its
tasks, if this does not require a permit under a special regulation, 33)
(d) notify the controller or intermediary that the planned processing operations
are likely to violate the provisions of this Act or a special regulation, 2)
e) impose remedial measures, a fine pursuant to Section 104 or a disciplinary fine pursuant to Section 105, if
the operator, intermediary, monitoring body or certification body has violated the
provisions of this Act or a special regulation, 2)
(f) order the operator or intermediary to comply with the request of the person concerned
for the exercise of his or her rights under this Act or a special regulation, 2)
(g) order the controller or intermediary to bring its processing operations,
as necessary and within a specified period, into line with the provisions of this
Act or a special regulation, 2)
(h) order the controller to report the personal data breach to the data subject,
(i) order a temporary restriction on the processing of personal data or a permanent restriction on the
processing of personal data,
(j) summon the operator or intermediary to provide an explanation in case of suspicion
of a breach of obligations imposed by this Act, a special regulation or an international
agreement by which the Slovak Republic is bound,
(k) recommend to the operator or intermediary measures for the protection of
personal data in information systems,
(l) order the suspension of the transfer of personal data to a recipient in a third country or to an international
organization.
(4) In addition to performing the tasks under paragraphs 1 and 2, the Office further
a) fulfills the notification obligation towards the Commission in the field of personal data protection,
(b) adopts measures for the implementation of Commission decisions in the field of personal data
protection,
(c) cooperates, in the exercise of personal data protection supervision, with the supervisory authorities of other
Member States and similar supervisory authorities outside the territory of the Member States.
(5) Disputes arising from contractual relations or
pre-contractual relations between the operator or intermediary and the person concerned
or other persons, which courts or other authorities are competent to hear and determine
according to special regulations, are not the subject of supervision over the protection of personal data.
(6) The Office may charge a reasonable fee corresponding to the administrative costs, or
may refuse to act on a request, if the request is manifestly unfounded or
disproportionate, especially due to its repetitive nature. The manifest unfoundedness or disproportionality
of a request shall be proved by the Office.
(7) If personal data are processed by courts in the exercise of their jurisdiction, supervision pursuant to Sections 90 to 98
over the protection of personal data is performed by the Ministry of Justice of the Slovak Republic.
(8) If personal data are processed by the National Security Office according to a special regulation, 5) supervision
according to § 90 to 98 over the protection of personal data is performed by the National Council of the Slovak Republic
according to a special regulation. 34)

§ 82
President of the Office
(1) The Office is headed by a Chairman, who is elected and recalled by the National Council of the Slovak Republic on the
proposal of the Government of the Slovak Republic.
(2) The term of office of the President of the Office shall be five years and he may be elected for a maximum of two
consecutive terms of office. The President of the Office shall remain in office after the expiry of his term of
office until the National Council of the Slovak Republic elects a new chairman.
(3) A citizen of the Slovak Republic who is eligible for election to the National
Council of the Slovak Republic, has a second-degree university education, has at least two years of
experience in the field of personal data protection and is of good repute may be elected as the Chairman of the Office.
(4) For the purposes of this Act, a person is considered to be of good repute if he has not been lawfully convicted of an
intentional offense or of an offense for which the execution of a custodial sentence was not
conditionally postponed, if he is not regarded, by a court decision or by law,
as if he had not been convicted or if the conviction has not been cleared. Good repute is proven by
a documented extract from the criminal record not older than three months.
(5) The President of the Office must be independent in the performance of his function and, in the performance of his
tasks and the exercise of his powers under this Act, may not be under external influence, whether direct or
indirect, and may not seek or take instructions from anyone.
(6) The President of the Office is obliged to refrain from any action incompatible with his
obligations under this Act and under a special regulation. 35)
(7) The Chairman of the Office is a civil servant according to a special regulation. 7) The President of the Office
is entitled to a salary equal to four times the average nominal monthly wage of an employee in the national
economy of the Slovak Republic for the previous calendar year, rounded up to the nearest
euro. The salary and other requirements of the President of the Office are determined by the Government of the Slovak Republic.
(8) Termination of the office of the President of the Office shall occur upon the expiry of his term of office or
by the election of a new President after the expiry of the term of office of the President of the Office pursuant to paragraph 2.
(9) Before the expiration of the term of office, the performance of the function ends by
a) resignation,
b) loss of eligibility for election to the National Council of the Slovak Republic,
(c) the entry into force of a judgment by which he was convicted of an intentional criminal offense or
by which he was convicted of a criminal offense and the execution of his sentence was not conditionally
postponed,
(d) carrying out an activity which is incompatible with his obligations under paragraph 6, or
e) death or a final decision of a court declaring the President of the Office dead.
(10) The President of the Office may be removed from office if
(a) his state of health does not allow him, in the long term but for at least one year, to properly perform
the duties arising from his function,
(b) he has violated the obligation of independence under paragraph 5, or
(c) he has breached the obligation of professional secrecy with regard to the facts of which he became aware in connection with the performance
of his function according to § 84.
§ 83
Vice-President of the Office
(1) The Chairman of the Office shall be represented by the Deputy Chairman of the Office, who shall be appointed and removed by the Government
of the Slovak Republic on the proposal of the President of the Office. The Vice-President of the Office is a civil servant
according to a special regulation. 7)
(2) The term of office of the Vice-President of the Office shall be five years and he may be appointed for a maximum of two
consecutive terms of office. The Vice-President of the Office shall remain in office after the expiry of his
term of office until the Government of the Slovak Republic appoints a new Vice-President.
(3) For the performance of the function of the Vice-Chairman of the Office, § 82 par. 3 to 6 and para. 8 to 10 apply equally.
§ 84
Duty of secrecy
(1) The President of the Office, the Vice-President of the Office and the employees of the Office are obliged to maintain confidentiality
about the facts of which they learned during the performance of tasks under this Act or a special
regulation, 2) even after the termination of the performance of their function, civil service, employment
relationship or a similar employment relationship.
(2) The duty of confidentiality pursuant to paragraph 1 shall not apply if it is necessary for the performance of the tasks of a court
and law enforcement authorities under a special regulation; 36) this is without prejudice to
confidentiality provisions according to a special regulation. 37)
(3) The President of the Office may release the Vice-Chairman of the Office and the employees of the Office from the duty of
confidentiality pursuant to paragraph 1. The National Council of the Slovak Republic may,
in a specific case, release the President of the Office from the obligation of professional secrecy pursuant to paragraph 1.

TITLE TWO
CODE OF CONDUCT, CERTIFICATE AND ACCREDITATION
§ 85
Code of conduct
(1) An association representing a category of operators or intermediaries or another
entity representing a category of operators or intermediaries may adopt a code of
conduct, in particular for the purpose of specifying the application of this Act or a special regulation 2)
in connection with the subject of the code of conduct according to a special regulation. 38)
(2) The approval of the code of conduct by the Office shall not affect the responsibility of the operator
or the intermediary's responsibility to comply with this law or a special regulation. 2)
(3) An application for approval of a draft code of conduct, a draft amendment to an approved code of conduct
or a proposal to extend an approved code of conduct shall be submitted to the Office by an association or other entity
pursuant to paragraph 1 (hereinafter referred to as "the applicant").
(4) The application for approval of the code of conduct must contain
a) identification data of the applicant,
b) name and surname of the statutory representative or person authorized to act on behalf of the applicant,
(c) an indication of whether it is a draft code of conduct, a draft amendment to an approved code of conduct; or
a proposal to extend the agreed code of conduct,
d) the procedure of the association, by which the member of the association undertakes to comply with the approved code of conduct,
(e) an undertaking by the operator or intermediary to monitor compliance with the
approved code of conduct in accordance with the rules and procedures for monitoring
compliance with the code of conduct,
(f) a description of the rights and obligations of the operator or intermediary in carrying out monitoring of
compliance with an approved code of conduct,
(g) an indication of the subject matter to which the draft code of conduct, the proposal to amend the approved code of
conduct or the proposal to extend an approved code of conduct applies,
(h) the purpose of the processing of personal data for which the personal data are intended, as well as the legal basis
processing of personal data,
i) categories of personal data,
j) the categories of persons concerned,
k) identification of the recipient or category of the recipient of personal data, if any,
(l) a description of the processing activities, information on the existence of an automated individual
decisions and information on the existence of profiling,
m) a description of the applicant's procedure for exercising the rights of the person concerned,
(n) an indication of whether the draft code of conduct applies to processing operations in more than one
Member State,
(o) the identification of the third country or international organization in the case of a transfer of personal data
and information on the adequate guarantees adopted for this transfer,
(p) the rules and procedures adopted to monitor compliance with the code of conduct.
(5) The applicant must attach to the application for approval of the code of conduct pursuant to paragraph 4
(a) a draft code of conduct, a proposal to amend an approved code of conduct or a proposal for extension of an
approved code of conduct, including in English if it concerns processing
activities in several Member States,
b) confirmation of payment of the administrative fee,
(c) other information and supporting documents necessary to assess the conformity of the draft code of conduct
with this Act or a special regulation. 2)

(6) If the application for approval of the code of conduct does not meet the requirements under paragraphs 4 and 5 or if,
in the procedure for approving the code of conduct, doubts arise as to the demonstration of compliance with this
Act or a special regulation, 2) the Office shall invite the applicant to supplement the documents within a time limit
which may not be less than 15 days; during this period the time limit in the procedure for approving the code of
conduct does not run.
(7) The participant in the procedure for the approval of the code of conduct is the applicant who submitted the application pursuant to
paragraph 4.
(8) If, during the procedure for the approval of the code of conduct, the Office finds non-compliance with this Act or a
special regulation, 2) it shall invite the applicant to eliminate the detected non-compliance within a specified period, which
must not be less than 30 days; during the period for elimination of the detected non-compliance the
time limit in the procedure for approving the code of conduct does not run. At the reasoned request of the applicant, the period
designated by the Office may be extended by a maximum of 60 days.
(9) The Office shall terminate the procedure for the approval of the code of conduct if the applicant
(a) fails to remedy the deficiencies of the application within the period specified in accordance with paragraph 6,
(b) fails to remedy the deficiencies found by the Office within the period determined in accordance with paragraph 8.
(10) The Office shall decide on the approval of a code of conduct, on the amendment of an approved code of conduct or
on the extension of the approved code of conduct within 90 days from the date of commencement of the proceedings.
(11) If it is necessary to submit a draft code of conduct, a proposal to amend the approved code of
conduct or a proposal to extend the approved code of conduct to the European Data Protection Board
according to a special regulation, 39) the period pursuant to paragraph 10 shall not run from the date of submission of the draft code of conduct,
the proposal to amend an approved code of conduct or the proposal to extend an approved
code of conduct to the European Data Protection Board until the date on which the Office receives the opinion of the
European Data Protection Board pursuant to a special regulation. 40)

(12) The Office, after examining the application for approval of the code of conduct pursuant to paragraphs 4 and 5
and related documentation, shall issue a decision approving the code of conduct, a decision
approving a change to an approved code of conduct or a decision approving an extension of an
approved code of conduct, if the draft code of conduct, the proposal to amend the approved code of
conduct or the proposal to extend an approved code of conduct is consistent with and provides sufficient
adequate guarantees of personal data protection pursuant to this Act or a special regulation. 2)

(13) An appeal against a decision approving a code of conduct, a decision amending an approved code of
conduct or a decision to extend an approved code of conduct is not admissible.
(14) Against a decision not to approve a code of conduct, a decision not to approve an amendment to an
approved code of conduct or a decision not to approve the extension of an approved code of
conduct, an appeal decided by the President of the Office shall be admissible.
(15) The Office shall publish a list of approved codes of conduct on its website.
(16) An association representing a category of operators or intermediaries or another
entity representing a category of operators or intermediaries for which the Office has approved a
code of conduct, approved a proposal to amend the approved code of conduct or approved a proposal for
extension of the approved code of conduct is required, no later than 15 days from the date of the finding, to
notify the Office in writing of any changes pursuant to paragraph 4 letters a) and d).
§ 86
Certificate
(1) The issuance of a certificate, renewal of a certificate or revocation of a certificate shall be performed by an entity to which
accreditation has been granted pursuant to Section 88 in accordance with this Act (hereinafter referred to as the “certification body”),
or by the Office.
(2) For the purposes of proving the conformity of the processing of personal
data and the existence of adequate guarantees of personal data protection under this Act or a
special regulation, 2) the operator or intermediary may request the Office or a certification body to issue a certificate or
renew a certificate. The certificate shall be issued or renewed for a maximum period of three years.
(3) The Office or the certification body shall assess the compliance of the processing of personal data and the existence of
adequate safeguards for the protection of personal data of the controller or processor under
paragraph 2 on the basis of certification criteria in accordance with this Act. The certificate does not affect
the liability of the operator or the liability of the intermediary for compliance with
this Act and a special regulation, 2) nor are the powers of the Office under this Act affected.

(4) The certificate is a public document.
(5) The Office shall publish the issued certificates on its website.
(6) An application for the issuance of a certificate or an application for the renewal of a certificate by the Office must contain
a) identification data of the applicant,
(b) the name of the applicant's statutory body or of a person authorized to act on behalf of
the applicant,
c) contact details of the responsible person, if specified,
d) the subject of the certificate for which the certificate is to be issued,
e) the purpose of the processing of personal data,
f) the legal basis for the processing of personal data,
g) the categories of persons concerned,
h) categories of personal data,
(i) the identification of the recipient or category of recipient of the personal data, if any;
(j) a description of the processing activities, including information on the existence of an automated individual
decision making, including profiling,
k) a description of the applicant's procedure for exercising the rights of the person concerned,
(l) the identification of the third country or international organization in the transfer of personal data.
(7) The applicant shall attach to the application pursuant to paragraph 6
a) the technical and safety documentation necessary for issuing the certificate,
b) the result of a personal data protection audit not older than six months,
c) documents proving the fulfillment of certification criteria,
(d) a description of the adequate safeguards for the transfer of personal data to a third country or an international
organization,
e) confirmation of payment of the administrative fee,
(f) other information and documentation necessary to assess compliance with this Act or a
special regulation 2) and compliance with the certification procedure.

(8) If the application for the issue of a certificate or the application for renewal of a certificate does not meet the requirements under
paragraphs 6 and 7 or if they arise in the procedure for issuing the certificate or in the procedure for renewal of the certificate
doubts about proving the fulfillment of certification criteria or conditions for issuing a certificate,
the Office shall invite the applicant to supplement the documents within a period which may not be less than 15 days; During
during this period, the time limit in the procedure for issuing a certificate or in the procedure for renewal of a certificate shall not expire.
(9) If the Office finds non-compliance with this Act or a special regulation2) during the procedure for issuing
a certificate or the procedure for renewing a certificate, it shall invite the applicant to eliminate the identified non-compliance
within a specified period, which may not be less than 30 days; during this period, the time limit in the procedure for issuing
a certificate or in the certificate renewal procedure shall not expire. At the reasoned request of the applicant, the Office
shall extend the specified period by a maximum of 60 days.
(10) The Office shall stop the procedure for issuing a certificate or the procedure for renewing a certificate if the applicant
does not remove
a) shortcomings in the application and any doubts raised pursuant to paragraph 8 within a specified period,
b) deficiencies identified by the Office in accordance with paragraph 9 within a specified period.
(11) The Office shall decide on the issuance of a certificate or renewal of a certificate within 90 days from the date of commencement
of the proceedings.
(12) After examining the application for the issue of a certificate or the application for renewal of a certificate pursuant to
paragraphs 6 and 7 and related documentation, the Office shall issue a decision on the issuance of the certificate if the applicant
complies with the certification criteria, meets the conditions of the certification process, if its processing activities are
in accordance with this Act or a special regulation2) and if the security measures taken by it
provide sufficient reasonable guarantees for the protection of personal data under this Act or
a special regulation.2)

(13) On the basis of a decision on the issuance of a certificate or a decision on the renewal of a certificate, the Office
shall issue the applicant with a certificate for a period of three years, which contains
a) identification data of the Office,
b) identification data of the applicant,
c) the subject of the certificate,
d) an indication of the certification criteria on the basis of which the certificate is issued,
e) certificate number,
(f) the date of issue of the certificate; in the case of renewal of the certificate, also the date of earlier issue of the certificate,
g) the period of validity of the certificate,
h) the imprint of the stamp of the Office and the signature of the person authorized to act on behalf of the Office, stating his name,
last name and function.
(14) An appeal is not admissible against a decision to issue a certificate or a decision to renew a certificate.
(15) An appeal is admissible against a decision not to issue a certificate or a decision not to renew a certificate;
it shall be decided by the President of the Office.
(16) If an operator or intermediary to which a certificate has been issued or renewed
(hereinafter referred to as the "certified person") continues to meet the certification criteria and the conditions for issuing
a certificate under this Act, the Office, on the basis of a request from the certified person submitted no later than


six months before the expiry of the previously issued or renewed certificate, shall decide
on the renewal of the certificate for a further period of three years. The provisions on the issue of the certificate
shall apply accordingly to the procedure for renewal of the certificate.
(17) If the certified person submits an application for renewal of the certificate less than six
months before the expiry of the certificate, the Office shall disregard such a request. This is without prejudice to
the authority of that certified person to apply for a certificate under
paragraphs 6 and 7.
(18) The certified person is obliged, during the validity of the certificate, to
a) meet the requirements laid down in this Act and the requirements for issuing a certificate in accordance
with the decision to issue the certificate,
b) not later than 15 days from the date on which the change occurs, notify the Office in writing of any changes concerning
the decision to issue the certificate,
c) enable the Office to carry out supervision pursuant to this Act,
d) archive the documentation related to the performance of the certification procedure according to a special
regulation.41)

(19) The certification criteria, the conditions of the certification procedure, the content of the technical
and security documentation and the conditions for carrying out a personal data protection audit, including
the conditions of expertise of the auditor performing the personal data protection audit, shall be established by
a generally binding legal regulation issued by the Office.
§ 87
Monitoring body
(1) Monitoring the compliance of the processing of personal data pursuant to this Act or a special
regulation2) with a code of conduct shall be performed by an entity that meets the criteria and conditions for granting
accreditation pursuant to this Act or a special regulation2) and has been granted accreditation by the Office
in accordance with this Act (hereinafter referred to as the "monitoring entity").
(2) Codes of conduct approved by the Office for public authorities and public institutions
are not subject to the activities of the monitoring entity under this Act; this does not affect the performance of
supervision by the Office pursuant to this Act.
(3) The monitoring entity may be a legal entity or a natural person - an entrepreneur who
has created the technical and organizational conditions for carrying out the monitoring of the code of
conduct and which has been granted accreditation.
(4) The monitoring body is authorized to
a) monitor the compliance of the processing of personal data pursuant to this Act or a special regulation2)
by an operator or intermediary who is a member of the association who has undertaken
to adhere to an approved code of conduct,
b) take appropriate action in cases of breaches of the code of conduct by the operator or
intermediary,
c) temporarily suspend the binding nature of an approved code of conduct for the operator or
intermediary who has undertaken to comply with an approved code of conduct,
d) cancel the binding nature of the approved code of conduct for the operator or intermediary
which has undertaken to comply with the approved code of conduct.
(5) The monitoring entity is obliged to inform the Office in writing of the measures pursuant to paragraph 4,
including the reasons for taking such measures, within 15 days of their receipt. This does not affect


the responsibility of the operator or intermediary subject to monitoring of the code of conduct
to comply with this Act or a special regulation.2)

(6) The application for granting accreditation must contain
a) identification data of the applicant,
b) the name and surname of the applicant's statutory representative or of a person authorized to act on behalf of
the applicant,
c) an indication of the subject of the code of conduct.38)

(7) The applicant shall attach to the application pursuant to paragraph 6
a) the technical and safety documentation necessary for monitoring the code of conduct,
b) documents proving the independence of the applicant,
c) the procedure and manner for dealing with conflicts of interest between the applicant and the entity
subject to monitoring which could undermine or restrict the objectivity of the monitoring of the code
of conduct or violate the principle of
transparency for the person concerned and the public; a conflict of interest includes, in particular, a situation where
an applicant who may influence the outcome or conduct of the monitoring of the code of conduct has a
direct financial interest or indirect financial interest, economic interest or other personal
interest which may be considered a threat to its independence in relation to the monitoring of the
code of conduct,
d) documents setting out the qualification requirements, in relation to the monitoring of the code of conduct,
of the applicant's persons who will carry out the monitoring,
e) rules and procedures for the conduct of activities, in particular processes for monitoring compliance with the code of
conduct by the operator or intermediary, the method of demonstrating implementation of the
code of conduct by the operator or intermediary, the method of demonstrating compliance of the
processing activities of the operator and the intermediary in relation to the subject matter of the code of
conduct, and the frequency of compliance monitoring,
f) documents demonstrating that the rules and procedures for monitoring the code of conduct are
transparent to the person concerned and the public,
g) the result of the audit of the performance of the monitoring of the code of conduct,
h) confirmation of payment of the administrative fee,
i) other information and documents necessary to assess compliance with this Act or
a special regulation2) and for the assessment of the application for accreditation.

(8) If the application for the granting of accreditation does not meet the requirements pursuant to paragraphs 6 and 7, or if
doubts arise in the proceedings for the granting of accreditation as to the fulfillment of the criteria or conditions for
granting accreditation, the Office shall invite the applicant to remedy the deficiencies within a time limit which shall not be
less than 15 days; during this period, the time limit in the accreditation procedure does not expire.
(9) If, during the proceedings pursuant to paragraph 11, the Office finds non-compliance with this Act or a special
regulation,2) it shall invite the applicant to eliminate the detected non-compliance within a specified period, which may not be
less than 30 days; during this period, the period provided for in paragraph 11 shall not expire. Upon reasoned request,
the Office shall extend the specified period by a maximum of 60 days.
(10) The Office shall suspend the proceedings pursuant to paragraph 11 if the applicant does not remove
a) shortcomings in the application and any doubts raised pursuant to paragraph 8 within a specified period,
b) deficiencies identified by the Office in accordance with paragraph 9 within a specified period.
(11) The Office shall decide on the granting of accreditation within 90 days from the day of the commencement of the proceedings.


(12) The Office, after examining the application for accreditation pursuant to paragraphs 6 and 7 and related
documentation, shall issue a decision on the granting of accreditation if the applicant meets the requirements, has
an adequate level of expertise in relation to the subject matter of the code of conduct and meets the criteria
and conditions for granting accreditation under this Act.
(13) On the basis of the decision to grant accreditation, the Office shall issue to the monitoring body
an accreditation certificate, which contains
a) identification data of the Office,
b) identification data of the applicant,
c) subject of accreditation,
d) the number of the accreditation certificate,
e) date of issue of the certificate of accreditation,
f) the imprint of the stamp of the Office and the signature of the person authorized to act on behalf of the Office, stating his name,
last name and function.
(14) The accreditation certificate is a public document.
(15) An appeal is not admissible against a decision to grant accreditation.
(16) An appeal against a decision not to grant accreditation shall be admissible, to be decided by the President
of the Office.
(17) The Office shall publish the issued certificates of accreditation on its website.
(18) If it is demonstrated that the monitoring body monitors the code of conduct
in violation of this Act or a special regulation,2) good morals or the issued certificate of
accreditation, or no longer meets the requirements for accreditation, the Office shall suspend the validity of the
accreditation for three months and at the same time oblige the monitoring body to take remedial
measures. If the monitoring body does not take the measures imposed within the specified time limit, the Office shall
withdraw the accreditation by decision. A monitoring body whose accreditation has been withdrawn may
reapply for accreditation.
(19) The monitoring body is obliged to
a) meet the requirements established by this Act and the accreditation requirements in accordance
with the decision to grant accreditation,
b) notify the Office in writing of any changes to the granted accreditation within 15 days from the date of the change,
c) inform the operator or intermediary concerned of the power to monitor
compliance with the code of conduct and of the subject of the monitored code of conduct, inform it in detail
and comprehensibly of the security measures, the rules and the procedures for
monitoring of the code of conduct, and inform it about the possible legal consequences of monitoring
compliance with the subject matter of the code of conduct, before monitoring the approved code
of conduct,
d) inform the operator or intermediary concerned without undue delay
of the measures taken if a breach of the code of conduct by the
operator or intermediary has been identified in accordance with paragraph 4,
e) respect the principle of independence,
f) archive documentation related to the monitoring of the code of conduct according to a special
regulation.42)


(20) The criteria for granting accreditation, the conditions of the accreditation procedure, the content requirements for
the technical and safety documentation and the conditions for carrying out an audit of the monitoring of the code of
conduct, including the conditions of the auditor's expertise, shall be established by a generally binding legal
regulation issued by the Office.
§ 88
Certification body
(1) The issuance of a certificate, renewal of a certificate or revocation of a certificate shall be performed by
a certification body that meets the criteria and conditions for granting accreditation under this Act or
a special regulation43) and has been granted accreditation by the Office in accordance with this Act.

(2) The certification entity may be a legal entity or a natural person - an entrepreneur who
has an adequate level of expertise in relation to the protection of personal data and has established
technical and organizational conditions for the certification process and which has been granted accreditation.
(3) The certification body is responsible for assessing the compliance of personal data processing
and the existence of adequate safeguards for the protection of personal data under this Act or a special
regulation2) of the operator or intermediary, on the basis of which it will grant the
certificate or revoke the certificate.
(4) The application for granting accreditation must contain
a) identification data of the applicant,
b) the name of the applicant's statutory body or of a person authorized to act on behalf of
the applicant,
(c) an indication of the subject of the certification criteria.
(5) The applicant must attach to the application pursuant to paragraph 4
a) technical and safety documentation necessary for the certification process,
b) the procedure and manner for dealing with conflicts of interest between the applicant and the operator
or intermediary who has requested the issue or renewal of a certificate which
could impair or restrict the objectivity of the issuance or renewal of the certificate
or violate the principle of transparency
for the person concerned and the public; a conflict of interest includes, in particular, a situation where an applicant who
may affect the outcome or progress of the issuance or renewal of the certificate has a direct financial
interest or indirect financial interest, economic interest or other personal interest which
may be considered a threat to his independence in connection with the issuance or renewal of the
certificate,
c) documents setting out the qualification requirements, in relation to the certification process, of the
applicant's persons who will carry out the certification process,
d) rules and procedures for the performance of the certification procedure, including the procedure for issuing the certificate,
regular examination of the certificate, renewal of the certificate and withdrawal of the certificate,
e) a statement on compliance with the certification criteria for the certification process,
f) documents demonstrating the procedures and rules for handling complaints concerning infringements of
the certificate issued or the way in which the privileges of the certificate are
performed by the operator or intermediary concerned,
g) documents demonstrating that the rules and procedures for handling complaints in relation to an issued
certificate are transparent to the public,
h) the result of the audit of the performance of the certification procedure,


i) confirmation of payment of the administrative fee,
j) other information and documents necessary to assess compliance with this Act or
a special regulation2) for the purposes of assessing the application for accreditation.

(6) If the application for the granting of accreditation does not meet the requirements pursuant to paragraphs 4 and 5, or if in proceedings
pursuant to paragraph 9 doubts arise as to whether the criteria or conditions for granting
accreditation have been met, the Office shall invite the applicant to remedy the deficiencies of the application within a time limit which shall not be
less than 15 days; during this period, the period provided for in paragraph 9 shall not expire.
(7) If, during the proceedings pursuant to paragraph 9, the Office finds non-compliance with this Act or a special
regulation,2) it shall invite the applicant to eliminate the detected non-compliance within a specified period, which may not be
less than 30 days; during this period, the deadline for the accreditation procedure does not expire.
At the reasoned request of the applicant, the Office shall extend the specified time limit by a maximum of 60 days.
(8) The Office shall stop the procedure for granting accreditation if the applicant does not remove
a) shortcomings in the application and any doubts raised pursuant to paragraph 6 within a specified period,
b) deficiencies identified by the Office in accordance with paragraph 7 within a specified period.
(9) The Office shall decide on the granting of accreditation within 90 days from the day of the commencement of the proceedings.
(10) After examining the application for accreditation pursuant to paragraphs 4 and 5 and related
documentation, the Office shall issue a decision granting accreditation and approve the certification criteria if the applicant
meets the requirements for an adequate level of expertise in relation to data protection and meets
the criteria and conditions for granting accreditation under this Act.
(11) On the basis of the decision to grant accreditation, the Office shall issue to the certification body a certificate
of accreditation for a period of five years, which contains
a) identification data of the Office,
b) identification data of the applicant,
c) subject of accreditation,
d) the number of the accreditation certificate,
e) the date of issue of the accreditation certificate; in the case of renewal of accreditation, also the
date of earlier issue of accreditation,
f) the period of validity of the accreditation certificate,
g) the stamp of the Office and the signature of the person authorized to act on behalf of the Office, indicating his name,
last name and function.
(12) The accreditation certificate is a public document.
(13) No appeal is admissible against the decision to grant accreditation.
(14) An appeal against a decision not to grant accreditation shall be admissible, to be decided by the President
of the Office.
(15) The Office shall publish the list of certification bodies and the approved certification criteria on its
website.
(16) If the certification body meets the requirements for an adequate level of expertise
in relation to the protection of personal data and meets the criteria and conditions for granting accreditation under this
Act, the Office, on the basis of the application of the certification body for the renewal of accreditation submitted
no later than six months before the expiry of the accreditation certificate,


shall decide on the renewal of accreditation for a further period of five years. The provisions on the accreditation procedure
shall apply accordingly to the procedure for renewal of accreditation.
(17) If the certification body submits an application for renewal of accreditation less than six
months before the expiry of the accreditation certificate, the Office shall disregard such a request.
This is without prejudice to the authority of that body to submit an application under paragraphs 4
and 5.
(18) If it is demonstrated that the certification body carries out the certification process, including the granting of a
certificate and withdrawal of a certificate, in violation of this Act or a special regulation,2)
good morals or the issued accreditation certificate, or no longer meets the requirements for
accreditation, the Office shall suspend the accreditation for three months and at the same time oblige
the certification body to take remedial action. If the certification body does not take the imposed measures
within the specified period, the Office shall revoke its accreditation by a decision. An entity whose
accreditation has been revoked may reapply for accreditation.
(19) The accreditation criteria, the conditions for the certification process, the certification criteria,
the content of the technical and safety documentation and the conditions of the audit of the
certification process, including the conditions of the auditor's expertise, shall be established by a generally
binding legal regulation issued by the Office.
§ 89
Obligations of the certification body
(1) The certification body is entitled to issue a certificate within the scope of the accreditation certificate
or renew the certificate to the operator or intermediary for a period of three years.
(2) The certification body is obliged, before issuing the certificate or renewing the certificate, to notify
the Office of
a) its identification data,
b) the number of the certificate issued to him,
c) identification data of the operator or intermediary applying for the issuance of a certificate,
or a certified person requesting the renewal of a certificate,
d) the subject of the certificate,
e) indication of certification criteria,
(f) the reasons for issuing or renewing the certificate.
(3) If the notification does not meet the requirements pursuant to paragraph 2, the Office shall invite the certification body to
rectify the deficiencies within a period which may not be less than 15 days; during this period, the time limit
pursuant to paragraph 4 shall not expire.
(4) The Office shall decide on the permission to issue a certificate or on the permission to renew the certificate
by the certification body within 60 days from the date of commencement of the procedure.
(5) In proceedings pursuant to paragraph 4, the Office shall not assess the fulfillment of certification criteria, conditions for
issuing a certificate or renewing a certificate.
(6) The permission of the Office for the issuance of a certificate or the permission of the Office for the renewal of a certificate
by the certification body is without prejudice to the responsibility of the operator or
intermediary concerned for compliance with this Act and a special regulation.2)
(7) If the Office, during the procedure for permitting the issuance of a certificate or during the procedure for permitting the renewal
of a certificate by the certification body, finds non-compliance with this Act or a special regulation,2)


it shall not allow the certification body to issue the certificate or renew the certificate, on which it shall issue
a decision.
(8) No appeal is admissible against a decision to grant a certificate or a decision to grant renewal
of a certificate by the certification body.
(9) An appeal is admissible against a decision not to allow the issuance of a certificate or a decision not to allow the renewal
of a certificate by the certification body; it shall be decided by the President of the Office.
(10) The certification body is obliged, within 15 days from the issuance of the certificate, renewal of the certificate or
withdrawal of the certificate, to notify the Office of:
a) its identification data,
b) the number of the certificate issued to him,
c) the identification data of the operator or intermediary concerned,
d) the subject of the certificate,
e) certificate number,
(f) the reasons for issuing, renewing or withdrawing the certificate.
(11) The certificate issued by the certification body contains in particular:
a) identification data of the certification body, including the number of the accreditation certificate,
b) identification data of the applicant,
c) the subject of the certificate,
d) an indication of the certification criteria on the basis of which the certificate is issued,
e) certificate number,
(f) the date of issue of the certificate; in the case of renewal of the certificate, also the date of earlier issue of the certificate,
g) the stamp of the certification body and the signature of the person authorized to act on behalf of the
certification body, stating his name and surname.
(12) The certification body is obliged to
a) meet the requirements established by this Act and the accreditation requirements in accordance
with the decision to grant accreditation,
b) notify the Office in writing of any changes to the granted accreditation within 15 days at the latest,
c) enable the Office to carry out supervision pursuant to this Act,
d) respect the principle of independence,
e) archive the documentation related to the performance of the certification procedure according to a special
regulation.41)

TITLE THREE
CONTROL
§ 90
Start of inspection
(1) Control of personal data processing, control of compliance with the code of conduct
approved by the Office pursuant to § 85, control of the compliance of the processing of personal data with the issued
certificate according to § 86 and control of compliance with the issued certificate of granting accreditation according to
§ 87 and § 88 (hereinafter referred to as "inspection") are performed by the Office through an inspection body composed of
staff of the Office (hereinafter referred to as the "inspection body").


(2) Each member of the inspection body shall perform the inspection on the basis of a written authorization
from the manager; if the manager is a member of the supervisory body, the members of
the inspection body shall carry out the inspection on the basis of a written authorization from the President of the Office.
(3) A member of the inspection body must be an employee of the Office who is of good character and has the appropriate authority
professional education and experience in the field belonging to the supervisory activity of the Office.
(4) The written authorization to perform the inspection contains
a) identification data of the Office,
b) identification data of the inspected person,
c) title, name and surname of the member of the inspection body who is to perform the inspection,
(d) official stamp and signature.
(5) The Office shall publish a model of the authorization to perform the inspection on its website.
(6) The inspection shall begin on the day of delivery of the notification of inspection to the operator or
intermediary, the operator's representative or the intermediary's representative, if
authorized, or to the monitoring body according to § 87, or to the certification body according to § 88
(hereinafter referred to as the "inspected person").
(7) The inspection body shall perform the inspection on the basis of the inspection plan or on the basis of suspicion
of a breach of obligations in the processing of personal data provided for by this Act or
a special regulation2) or in the framework of personal data protection proceedings.

(8) When performing an inspection, the inspection body is obliged to proceed in such a way that the rights are not affected
and the legally protected interests of the inspected person.
§ 91
Bias of the inspection body
(1) A member of the inspection body who learns of facts giving rise to doubts
about his impartiality or about the impartiality of another member of the inspection body is obliged
to notify these facts in writing without undue delay to the person who authorized him pursuant to § 90 par. 2.
(2) If the inspected person has doubts about the impartiality of the inspection body or its member
with regard to its relationship to the subject of the inspection or to the inspected person, it is entitled to file
written objections stating the reason no later than 15 days from the date on which it learned of that
fact. The filing of objections shall not have suspensory effect; the inspection body pursuant to the first sentence is
authorized to perform during the inspection only such actions that cannot be postponed.
(3) Objections of bias by the inspected person and notifications of bias by a member of the inspection
body shall be decided by the person who authorized the inspection body pursuant to § 90 par. 2 within ten working
days from their filing, and a written evaluation of the decision shall be delivered to the person who raised the objection.
A decision on objections of bias and a decision on a notification of bias of a member of
the inspection body cannot be appealed.
§ 92
Responsibilities of the inspection body
The inspection body is obliged to
a) notify the inspected person in writing in advance of the subject of the inspection; if the notification of the inspection
prior to the commencement of the inspection could frustrate the purpose of the inspection or


the subject of the inspection may be notified immediately before the performance of the
inspection,
b) notify in writing the date and time of the inspection at least ten days before the performance of the
inspection; if the notification of the commencement of the inspection could lead to the failure of the purpose of the inspection
or a significant impediment to the inspection, it may announce the commencement of the inspection
immediately before the inspection,
c) present, before the start of the inspection and at any time at the request of the inspected person,
the inspection mandate and service card,
d) draw up minutes on the course of the inspection,
e) draw up an inspection report setting out the inspection findings (hereinafter referred to as "the report"),
or a record of the inspection,
f) state the statements of the inspected person according to § 95 letter a) in the inspection report or record,
g) prepare a record of the submission of an explanation pursuant to § 93 letter j) and § 94 letter e),
h) submit to the inspected person one copy of the minutes on the course of the inspection,
the minutes of the explanation provided, the protocol or the inspection record,
i) confirm in writing to the inspected person the receipt of the original documents or copies of documents,
written documents, copies of storage media and other materials and evidence and ensure their
proper protection against loss, destruction, damage or misuse,
j) assess the merits of objections to the inspection findings set out in the protocol, take into account
the merits of the objections in the addendum to the protocol and inform the inspected person thereof,
k) discuss the report with the inspected person and draw up minutes of its discussion.
§ 93
Authorizations of the inspection body
The inspection body is authorized
(a) enter the land and premises of the inspected person if permission is not required
according to a special regulation, )
33

(b) have access to means and equipment which can be used or are being used, or are intended to be used for
processing of personal data by a controlled person,
(c) have access to data in automated means of processing up to and including the system administrator
level, to the extent necessary to carry out the inspection,
(d) verify the identity of natural persons who, on behalf of the inspected person, act or provide
cooperation to the inspection body,
(e) require the inspected person to provide the inspection body, within a specified period, with the original
documents or a copy of documents, other documents, statements and information, personal data
processed on storage media, including technical carriers of personal data, extracts
and source codes of the programs, if owned or available in accordance with the terms of their
acquisition, and other materials or documents necessary for the performance of the inspection and,
in some cases, to allow it to take the originals or copies outside the premises of the inspected person,
(f) request, within a reasonable time, complete and true oral and written information, statements
and explanations from the inspected person on the audited facts and on facts related to the
audit,
g) document the evidence related to the performance of the inspection by making photographic documentation,
audio, video or audiovisual recording, even without the consent of the persons
concerned,
h) require other co-operation of the inspected person within the scope of the subject of the inspection,
(i) require the provision of co-operation at the place of inspection also by a person other than the inspected person,
in particular from the intermediary of the inspected person and his staff, or other persons if there is
reason to believe that their activities are related to the subject matter of the inspection or if this is necessary for
clarification of the facts related to the subject of the inspection,
(j) summon the inspected person, as well as a person other than the inspected person, to provide
an explanation of the subject of the inspection at a specified time and place,
(k) carry out joint operations with the supervisory authorities of other Member States in accordance with
a special regulation.44)
§ 94
Obligations of the inspected person
The inspected person is obliged
(a) to tolerate the exercise of control and to create appropriate conditions for the inspection body to carry out inspections
and processing of audit findings,
(b) to provide the inspection body with the cooperation necessary for the proper performance of the inspection, in particular in
documenting an adequate level of security in view of the risks posed by the
processing of personal data in the conditions of the controller and the intermediary,
(c) ensure for the inspection body, at the time of the inspection, accessible and secure access to
equipment, resources and information systems,
d) to provide the control body with the required co-operation in accordance with its powers pursuant to Section 93
and to refrain from any action which might frustrate the exercise of control,
e) appear at the summons of the inspection body in order to provide explanations on the subject of the inspection,
(f) provide the inspection body, within a specified period, with the original or a copy of documents, other
documents, statements and information, personal data processed on storage media, including
technical media, extracts and source codes of programs, if it owns them or has them available,
and other materials or documents necessary for the performance of the inspection
and, in justified cases, to allow originals or copies to be taken off the premises of
the inspected person,
(g) provide the inspection body with complete and truthful oral and written information, statements
and explanations of controlled and control-related facts,
(h) to appear at the request of the inspection body to discuss the protocol.
§ 95
Authorizations of the inspected person
The inspected person is authorized
a) comment on the facts found during the inspection on an ongoing basis,
(b) to acquaint himself with the contents of the report and to submit written objections after becoming acquainted with the
inspection findings in the protocol,
c) require the inspection body to prove the facts pursuant to § 92 letter b) and c),
d) require the invited person to prove himself / herself by a written authorization of the President of the Office pursuant to Section 96
par. 2,
(e) require the inspection body to acknowledge receipt of the original documents or a copy of the documents
according to § 93 letter e).
§ 96
Invited person
(1) The inspection body may invite another natural person or a representative of a
supervisory authority from another Member State to carry out the inspection (hereinafter collectively referred to as the "invited person"), if justified by
the specific nature of the inspection. The participation of the invited person in the performance of the inspection shall be considered as another act in
the general interest.
(2) The invited person shall participate in the inspection on the basis of a written authorization of the President of the Office;
the inspection body shall notify the inspected person of the invitation pursuant to § 92 letter a).
(3) At the latest at the beginning of the inspection, the invited person shall prove his / her authorization to
perform an inspection of the inspected person by a written authorization to perform the inspection pursuant to Section 90
par. 2 and § 92 letter c).
(4) The invited person is obliged to maintain secrecy about the facts of which he / she learned
during the inspection, even after its completion. The President of the Office may release the invited person from the duty of
secrecy. A representative of a supervisory authority from another Member State, as an invited person, is not
bound by the obligation of professional secrecy with regard to the sending supervisory authority of the other Member State
to the extent necessary for the performance of the tasks associated with his / her participation in the inspection.
(5) The invited person may not perform tasks pursuant to this Act or a special regulation,2) if,
with regard to his / her relationship to the subject of the inspection or to the inspected person, there may be doubts
about his / her impartiality. An invited person who knows of facts that cast doubt on him or her
shall notify the President of the Office of them without undue delay.
(6) The inspected person may raise reasoned objections in writing about the bias of the invited person.
The invited person may, pending the decision on objections to bias, carry out only such acts as part of the inspection
which cannot be postponed.
(7) The notification of bias by the invited person pursuant to paragraph 5 and objections to bias
of the inspected person pursuant to paragraph 6 shall be decided on by the President of the Office within ten working
days from their delivery. No appeal may be lodged against a decision of the President of the Office.
§ 97
Completion of the inspection
(1) The result of the inspection is a report or record of the inspection.
(2) If the inspection revealed deficiencies in the processing of personal data, the inspection body
shall draw up a report containing
a) identification data of the Office,
b) identification data of the inspected person,
c) date of commencement of the inspection,
d) the subject of the inspection,
e) proven control findings with their justification,
f) title, name and surname of the member of the inspection body who performed the inspection,
g) the date of preparation of the protocol,
(h) the imprint of the official stamp of the Office and the signatures of the members of the inspection body.
(3) If the report pursuant to paragraph 2 contains annexes proving control findings, these shall form
part of the protocol.
(4) The inspected person is entitled, after getting acquainted with the inspection findings in the protocol,
to submit written objections within 21 days from the date of delivery of the protocol. The inspection body
shall not take into account objections submitted later.
(5) If objections are filed against the inspection findings pursuant to paragraph 4 or new facts
concerning the subject of the inspection have come to light, the inspection body shall assess their content in terms of their
merits and shall draw up an addendum to the protocol, which shall form an integral part of the protocol. If
the inspection body does not accept the objections of the inspected person, it is obliged to justify this in the addendum;
its elaboration shall be carried out in accordance with paragraph 2.
(6) The inspection body shall inform the inspected person in writing of the result of the examination of objections
within 15 working days from the date of receipt of the objections.
(7) The inspection body shall invite the inspected person in writing to discuss the protocol after delivery of
the result of the examination of the objections of the inspected person pursuant to paragraph 6 or after the fruitless expiry of
the time limit for lodging objections by the inspected person pursuant to paragraph 4; the inspection body shall draw up
minutes of the discussion of the protocol, which are part of the protocol.
(8) If the inspection does not reveal a breach of the obligations stipulated by this Act or a special
regulation,2) the supervisory authority shall prepare a record of the inspection. It shall be drawn up
appropriately in accordance with paragraphs 2 and 3.
(9) The inspection is completed
a) on the date of signing the minutes of the discussion of the protocol,
(b) on the date of refusal to sign the minutes of the discussion of the protocol, of which the inspection body shall draw up
a record in the minutes of the discussion of the protocol,
(c) on the date of failure to appear for the discussion of the protocol at the written request of the inspection body in accordance with
paragraph 7, of which the inspection body shall draw up a record in the minutes of the discussion of the protocol, or
(d) on the date of receipt of the inspection record referred to in paragraph 8.
§ 98
A special regulation45) shall not apply to the performance of inspections.
TITLE FOUR
PERSONAL DATA PROTECTION PROCEDURE
§ 99
Personal data protection proceedings
(1) The purpose of proceedings on the protection of personal data (hereinafter referred to as "proceedings") is to determine whether
the rights of natural persons in the processing of their personal data have been violated or whether this
Act or a special regulation2) in the field of personal data protection has been violated, and, where deficiencies
are found, if justified and expedient, to impose remedial measures or a fine for
violation of this Act or a special regulation2) in the field of personal data protection.
(2) The proceedings are not public.
(3) A party to the proceedings may be
a) the person concerned who has filed a motion to initiate proceedings pursuant to Section 100,
b) the operator,
c) intermediary,
d) certification body,
(e) the monitoring body.
(4) If the proposal of the person concerned pursuant to § 100 concerns an operator or intermediary for
which the competent authority for cross-border processing carried out by that operator or intermediary
is, according to a special regulation, the supervisory authority of the principal establishment or sole
establishment of the operator or intermediary (hereinafter referred to as the "chief supervisory
authority"),46) the Office shall proceed in accordance with a special regulation.47)
(5) The Office shall inform the person concerned of the decision of the chief supervisory authority. If the chief
supervisory authority rejects or refuses the proposal or decides not to deal with it
according to a special regulation,47) the Office shall initiate proceedings pursuant to Section 100.
(6) If the processing of personal data pursuant to paragraph 4 concerns the controller or
intermediary who processes personal data on a legal basis according to § 13 par. 1 letter c)
or letter (e), the Office shall be deemed to have substantive jurisdiction and the procedure under paragraph 4 shall not apply.
§ 100
Initiation of proceedings
(1) Proceedings shall be initiated on the motion of the person concerned or a person who claims to be directly affected
in their rights established by this Act (hereinafter referred to as the "petitioner"), or without a petition.
(2) The Office shall initiate proceedings without a proposal also on the basis of the findings of the Office in the exercise of supervision over
compliance with the obligations stipulated by this Act or a special regulation.2)
(3) The motion to initiate proceedings pursuant to paragraph 1 (hereinafter referred to as the “motion”) must contain
a) name, surname, correspondence address and signature of the petitioner,
(b) an indication of the person against whom the application is directed, giving his name, surname and permanent residence, or
name, registered office and identification number, if assigned,
c) the subject of the proposal with an indication of the rights which should have been violated during the processing of personal data,
d) evidence in support of the claims made in the proposal,
(e) a copy of the document or other evidence proving the exercise of the right under the second part of Title II
of this Act or a special regulation,2) if such a right has been exercised by the person concerned, or
an indication of the reasons worthy of special consideration for not exercising the right in question, if the proposal
was filed by the person concerned.
(4) The Office shall publish a model of the proposal on its website.
(5) The Office shall postpone the proposal if
a) the proposal is manifestly unfounded,
b) the matter to which the application relates is heard by a court or a body active in criminal proceedings,
(c) the applicant has not provided the Office, at its request, with the necessary cooperation, and the matter cannot be settled without
his active participation; the Office shall notify the applicant of the possibility of postponing the application,
(d) on the date of receipt of the proposal, more than three years have elapsed since the event to which it relates.
(6) If the proposal does not contain a requirement to keep the identity of the petitioner confidential, the Office shall process the proposal without
confidentiality of personal data referred to in the proposal. If there is a request for confidentiality in the proposal,
but the nature of the proposal does not allow it to be processed without giving some information about the person who
the Office shall, upon finding this fact, notify the applicant, while at the same time
pointing out that the petition will continue only if the petitioner gives his consent to the Office, within the specified time limit,
to stating the item or items of data about his person needed to complete the proposal.
(7) If the proposal is delivered to the Office by a person other than the person concerned, the proposal shall be deemed to be an initiative for
initiation of proceedings without a motion (hereinafter "initiative").
(8) The Office shall assess the complaint within 30 days from the date of delivery of the complaint to the Office, and if the complaint is not postponed in accordance with
paragraph 5, the proceedings shall be initiated and the matter shall be decided in accordance with § 102.
(9) The Office shall inform the applicant of the manner of handling the complaint pursuant to paragraph 8 within 30 days from the date of
delivery of the complaint to the Office.
§ 101
Deadlines
(1) The Office shall decide in the proceedings within 90 days from the day of the commencement of the proceedings. In justified cases, the Office
shall extend this period appropriately, but by a maximum of 180 days. The Office shall inform the parties to the proceedings
in writing of the extension of the time limit.
(2) If it is necessary to carry out an inspection during the proceedings, the time limit for issuing a decision pursuant to paragraph
1 shall not run from the date of commencement of the inspection until the date of completion of the inspection.
(3) If, during the proceedings, the Office finds that the conditions for suspending the proceedings have been met in accordance with a special
regulation,48) the Office shall suspend the proceedings and inform the parties.
§ 102
Decision
(1) If the Office finds a violation of the rights of the data subject or a failure by a party to the proceedings to fulfill obligations in the processing
of personal data established by this Act or a special regulation2) in the field of personal data
protection, it may by decision
(a) impose remedial measures and a time limit for implementing the ordered measure pursuant to paragraph 3, if this is
reasonable and expedient,
b) cancel the binding nature of the approved code of conduct for the operator or intermediary,
who has undertaken to comply with an approved code of conduct,
c) withdraw the certificate,
d) order the certification body to withdraw the certificate,
e) withdraw the certificate of accreditation,
f) impose a fine pursuant to Section 104.
(2) If the Office does not decide in the proceedings pursuant to paragraph 1, if a violation of the rights of
the data subject is not proved in the proceedings, or if a failure by a party to the proceedings to fulfill the obligations in the processing of personal data
provided for by this Act or a special regulation2) is not proved, the Office shall stop
the proceedings.
(3) The Office is entitled to impose an obligation on the operator or intermediary, in particular
to order
a) elimination of the identified deficiencies and the causes of their occurrence within the period specified by the Office,
(b) the adoption of technical and organizational measures to ensure a level of security adequate to the
risks to the rights of individuals,
(c) an assessment of the impact of processing operations on the protection of personal data in accordance with this
Act or a special regulation.2)
(4) If the violation of the rights of the data subject or the failure to fulfill obligations in the processing of personal data
data cannot be postponed, the Office shall issue an interim measure.
(5) The operator or intermediary is obliged to inform the Office in writing about the fulfillment of the
measures imposed within a period specified by the Office.
§ 103
(1) An appeal may be filed against a decision pursuant to Section 102, which shall be decided by the President of the Office.
(2) The petitioner may extend the filed appeal or supplement the filed appeal with another proposal
or other points only within the time limit set for filing an appeal.
TITLE FIVE
ADMINISTRATIVE OFFENSES
§ 104
(1) The Office may impose a fine of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total
world annual turnover for the preceding financial year, whichever is the greater,
(a) to the operator, including public authorities and public bodies, for non-compliance
or breach of any of the obligations under § 15, § 18, § 31 to 35, § 37, § 39 to 45, § 79 and
§ 109 or according to Art. 8, Art. 11, Art. 25 to 39, Art. 42 and Art. 43 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal
data and on the free movement of such data, repealing Directive 95/46/EC (General
Data Protection Regulation) (OJ L 119, 4.5.2016) (hereinafter referred to as "Regulation (EU)
2016/679"),
b) to the competent authority for non-fulfillment or breach of any of the obligations pursuant to Sections 67 to 72,
(c) to the intermediary, including a public authority and a body governed by public law in the position of
intermediary, for non-fulfillment or breach of any of the obligations under § 34 to 37, § 39,
§ 40 par. 3, § 44, § 45, § 69 par. 3, § 71, § 79 and § 109 or according to Art. 27 to 33, Art. 37 to 39, Art.
42 and Art. 43 of Regulation (EU) 2016/679,
d) to the certification body for non-fulfillment or breach of any of the obligations pursuant to Sections 88 and 89
or according to Art. 42 and 43 of Regulation (EU) 2016/679,
e) to the monitoring entity for non-fulfillment or breach of any of the obligations pursuant to § 87 par. 5
and 19 or according to Art. 41 par. 4 of Regulation (EU) 2016/679.
(2) The Office may impose a fine of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total
worldwide annual turnover for the preceding financial year, whichever is the greater,
on anyone who
(a) has not complied with or infringed any of the basic principles of personal data processing, including
conditions of consent according to § 6 to 14, § 16 and § 52 to 58 or according to Art. 5 to 7 and Art. 9 of the Regulation
(EU) 2016/679,
b) has not fulfilled or violated any of the rights of the person concerned pursuant to Sections 19 to 29 and Sections 59 to 66 or pursuant to
Art. 12 to 22 of Regulation (EU) 2016/679,
(c) has not fulfilled or breached any of the obligations regarding the transfer of personal data to a recipient in a third
country or international organization according to § 49 to 51 and § 73 to 77 or according to Art. 44 to 49 of
Regulation (EU) 2016/679,
(d) has not fulfilled or breached any of the obligations of lawful processing of personal data pursuant to
§ 78,
(e) has not complied with an order or has not complied with a temporary or permanent restriction on the processing of personal data
or suspension of the transfer of personal data ordered by the Office pursuant to § 81 par. 3 or
according to Art. 58 par. 2 of Regulation (EU) 2016/679 or in violation of Art. 58 par. 1 of Regulation (EU)
2016/679 did not provide access.
(3) On a person who has not complied with the measure imposed by the Office pursuant to § 102 par. 1 letter a) or Art. 58 par. 2 of
Regulation (EU) 2016/679, the Office may impose a fine of up to EUR 20 000 000 or, in the case of an undertaking, up to
4% of the total world annual turnover for the preceding financial year, whichever is
higher.
§ 105
(1) The Office may impose a disciplinary fine of up to EUR 2,000 on a person who is not an operator or
intermediary, for failure to provide the Office with the required co-operation in the exercise of supervision pursuant to
§ 109 or a special regulation.2)
(2) The Office may impose a disciplinary fine on the operator or intermediary, or
to the operator's or intermediary's representative
a) up to EUR 2,000, if it does not ensure adequate conditions for the performance of control according to § 94 letter a),
b) up to EUR 10,000, if the performance of the inspection pursuant to § 94 let. b) to h).
§ 106
(1) The Office shall impose fines and disciplinary fines depending on the circumstances of each individual
case. When deciding on the imposition of a fine and determining its amount pursuant to Section 104, the Office shall take into account in particular:
(a) the nature, gravity and duration of the infringement, the nature, extent or purpose of the processing of personal
data, as well as the number of data subjects affected and the extent of the damage, if any,
(b) possible fault of a personal data breach,
(c) the measures taken by the operator or intermediary to mitigate the damage which
the persons concerned have suffered,
(d) the degree of responsibility of the operator or intermediary with regard to technical
and organizational measures taken pursuant to § 32, § 39 and § 42,
(e) previous breaches of personal data protection by the controller or
intermediary,
(f) the degree of cooperation with the Office in remedying breaches of personal data protection and mitigating
possible adverse consequences of a personal data breach,
g) the category of personal data concerned by the personal data breach,
(h) the manner in which the Office became aware of the personal data breach, and in particular whether
the controller or intermediary has notified the personal data breach and, if so,
to what extent,
(i) compliance with measures by the operator or intermediary, if such measures were imposed on it earlier
in proceedings on the protection of personal data pursuant to § 102 par. 1,
j) compliance with approved codes of conduct pursuant to Section 85 or certificates issued pursuant to Section 86,
(k) aggravating or mitigating circumstances, in particular financial advantages or losses which
directly or indirectly in connection with a personal data breach.
(2) If the operator or intermediary, intentionally or through negligence, by the same
processing operations or related processing operations infringes several
provisions of this Act or a special regulation,2) the total amount of the fine may not exceed
the amount established for the most serious breach of personal data protection pursuant to Section 104.
(3) A fine pursuant to Section 104 may be imposed within two years from the date on which the Office found the breach
of the duty, but no later than five years from the date on which the breach occurred.
(4) The Office shall impose a disciplinary fine pursuant to Section 105 repeatedly if the obligation has not been fulfilled in the specified
period.
(5) A disciplinary fine pursuant to Section 105 may be imposed within 6 months from the day on which the breach of
the obligation occurred.
(6) Fines and disciplinary fines are revenue of the state budget.
PART SIX
COMMON, TRANSITIONAL AND FINAL PROVISIONS
§ 107
Common provisions
(1) The Administrative Procedure Code shall apply to proceedings under this Act, unless paragraph 2 provides otherwise.
(2) The Administrative Procedure Code shall not be used to decide on the bias of the control body pursuant to Section 91,
for deciding on the bias of the invited person according to § 96 par. 5 to 7 and for the performance of control according to
the fifth part of Title III, except for the service of documents in the course of the inspection.
§ 108
(1) The Office shall issue a generally binding legal regulation for the implementation of § 29 par. 9, § 70 par. 4, § 86
par. 19, § 87 par. 20 and § 88 par. 19.
(2) Other cases of processing operations subject to a personal data protection impact
assessment and the procedure for personal data protection impact assessments pursuant to this
Act shall be laid down by a generally binding legal regulation issued by the Office.
§ 109
Cooperation
Everyone is obliged to provide the Office with the necessary cooperation in the performance of its tasks and powers
and to enable the Office to supervise compliance with the obligations under this Act or a special
regulation2) and decisions issued on the basis of this Act. This is without prejudice to the provisions
of § 81 par. 7 and 8.
§ 110
Transitional provisions
(1) The Office for Personal Data Protection of the Slovak Republic under the existing law is the Office
under this Act and the supervisory authority under a special regulation.2)
(2) The Chairman of the Office for Personal Data Protection of the Slovak Republic elected to the position according to
the existing Act is the Chairman of the Office pursuant to this Act; this does not affect the running of his
term of office.
(3) The Deputy Chairman of the Office for Personal Data Protection of the Slovak Republic appointed to
the function under the current law is the vice-president of the Office under this law; this does not affect
the relevant term of office.
(4) Execution of the function of the chief inspector of the Office, who was appointed to the position according to
the current Act, shall expire on the date of entry into force of this Act.
(5) If the chief inspector of the Office whose performance of the function has ended in accordance with paragraph 4 is
a civil servant in the permanent civil service according to a special regulation,7) he is considered from the effective date
of this Act as a civil servant in the permanent civil service according to the special
regulation.7) If the chief inspector of the Office whose performance of the function has ended in accordance with paragraph 4 is
a civil servant in the temporary civil service according to a special regulation,7) his / her
civil service relationship on the day of entry into force of this Act.
(6) Execution of the function of an inspector of the Office, who has been appointed to the position according to the existing
Act, shall end on the date of entry into force of this Act.
(7) An inspector of the Office whose function has terminated pursuant to paragraph 6 shall, from the effective date of this
Act, be considered a civil servant according to a special regulation.7)
(8) An inspection commenced pursuant to the existing Act shall be completed pursuant to the existing Act.
(9) Proceedings on the protection of personal data pursuant to the existing Act and proceedings on fines pursuant to
the existing law started and not validly completed by 24 May 2018 will be completed according to
existing law.
(10) The competent authority is obliged to ensure the keeping of logs pursuant to Section 69 in personal data
information systems established under existing regulations from 6 May 2023; if this would cause serious
problems for the functioning of the given personal data information system, the competent authority is
obliged to ensure the keeping of logs according to § 69 no later than 6 May 2026.
(11) Consent to the processing of personal data granted in accordance with the existing law, which is
in accordance with this Act or a special regulation,2) is considered as consent to the processing of
personal data in accordance with the rules in force since 25 May 2018.
(12) A responsible person authorized under the existing law who meets the conditions under this
Act or a special regulation2) is considered a responsible person according to the regulations effective
from 25 May 2018.
§ 111
This Act transposes the legally binding acts of the European Union listed in the Annex.
§ 112
Repeal provision
The following are canceled:
1. Act no. 122/2013 Coll. on Personal Data Protection and on Amendments to Certain Acts
as amended by Act No. 84/2014 Coll.,
2. Decree of the Office for Personal Data Protection of the Slovak Republic no. 164/2013 Coll. about the scope
and documentation of security measures as amended by Decree no. 117/2014 Coll.,
3. Decree of the Office for Personal Data Protection of the Slovak Republic no. 165/2013 Coll., which
lays down the details of the examination of a natural person to perform the function of a responsible person.
Art. II
Act no. 124/1992 Coll. on the Military Police as amended by Act no. 422/2002 Coll., Act
no. 240/2005 Coll., Act no. 393/2008 Coll., Act no. 491/2008 Coll., Act no. 192/2011 Coll.,
Act no. 220/2011 Coll., Act no. 313/2011 Coll. and Act no. 96/2012 Coll. is amended as follows:
1. In § 35b, paragraph 6 is deleted.
The former paragraphs 7 to 9 are renumbered as paragraphs 6 to 8.
2. In § 35c, paragraph 4 is deleted.
The former paragraphs 5 and 6 are renumbered as paragraphs 4 and 5.
3. In § 35c par. 5, the words "paragraphs 1 to 4" are replaced by the words "paragraphs 1 to 3".
4. In § 35gb, paragraphs 1 and 2 are deleted.
The former paragraphs 3 to 8 are renumbered as paragraphs 1 to 6.
5. In § 35gb par. 3, the words "§ 35gd par. 3" are replaced by the words "§ 35ga par. 3".
6. In § 35gb par. 6, the words "§ 35b par. 8 and 9" are replaced by the words "§ 35b par. 7 and 8".
7. In Section 35gc, paragraphs 3 to 5 are deleted.
8. In § 35gd, paragraphs 1 to 3 and 5 to 11, including footnotes to references 5l, 5m
and 5n, are deleted.
At the same time, the designation of paragraph 4 is deleted.
9. Section 35ge is deleted.
Art. III
Act of the National Council of the Slovak Republic no. 171/1993 Coll. on the Police Force as amended
by Act of the National Council of the Slovak Republic no. 251/1994 Coll., Act of the National Council of the Slovak Republic
no. 233/1995 Coll., Act of the National Council of the Slovak Republic no. 315/1996 Coll., Act
no. 353/1997 Coll., Act no. 12/1998 Coll., Act no. 73/1998 Coll., Act no. 256/1998 Coll.,
Act no. 116/2000 Coll., Act no. 323/2000 Coll., Act no. 367/2000 Coll., Act
no. 490/2001 Coll., Act no. 48/2002 Coll., Act no. 182/2002 Coll., Act no. 422/2002 Coll.,
Act no. 155/2003 Coll., Act no. 166/2003 Coll., Act no. 458/2003 Coll., Act
no. 537/2004 Coll., Act no. 69/2005 Coll., Act no. 534/2005 Coll., Act no. 558/2005 Coll.,
Act no. 255/2006 Coll., Act no. 25/2007 Coll., Act no. 247/2007 Coll., Act no. 342/2007
Coll., Act no. 86/2008 Coll., Act no. 297/2008 Coll., Act no. 491/2008 Coll., Act
no. 214/2009 Coll., Judgment of the Constitutional Court of the Slovak Republic no. 290/2009 Coll., Act
no. 291/2009 Coll., Act no. 495/2009 Coll., Act no. 594/2009 Coll., Act no. 547/2010 Coll.,
Act no. 192/2011 Coll., Act no. 345/2012 Coll., Act no. 75/2013 Coll., Act no. 307/2014
Coll., Judgment of the Constitutional Court of the Slovak Republic no. 139/2015 Coll., Act no. 397/2015 Coll.,
Act no. 444/2015 Coll., Act no. 125/2016 Coll. and Act no. 82/2017 Coll. is amended
as follows:
1. In § 69, paragraphs 5, 7 and 8 are deleted.
The former paragraphs 6 and 9 to 16 are renumbered as paragraphs 5 to 13.
2. In § 69a par. 1, the words "including protection against threats to the public
order and the prevention of such a threat" shall be inserted after the word "proceedings".
3. In § 69a par. 3, the words "personal data revealing racial or ethnic origin, political
opinions, religious beliefs or worldviews, membership of political parties or political
movements, trade union membership and data on health or sexual
life (hereinafter referred to as "special categories of personal data")" are replaced by the words "special categories
of personal data 28l)".

The footnote to reference 28l reads:
"28l) Act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain laws."


4. In § 69a, paragraphs 4 and 6 are deleted.
The former paragraphs 5 and 7 are renumbered as paragraphs 4 and 5.
5. In § 69a par. 5, in the first sentence and the second sentence, the words "paragraphs 1 and 6" are replaced by the words "paragraph 1".
6. Section 69c, including the title, reads:
"§ 69c
Disclosure of personal data
(1) The Police Force is entitled to request the person to whom it has provided or made available personal data
according to a special regulation not to inform the data subject, without the prior consent of the Police Force,
of the processing of the personal data provided or made available.
(2) If the Police Force is requested to provide information on personal data pursuant to
a special regulation and personal data have been provided or made available to the authorities of a Member
State of the European Union (hereinafter referred to as the "authority of a Member State") entitled to prevent
and detect crime, identify perpetrators of crime, prosecute crimes
or enforce decisions in criminal proceedings, including protection against threats to the public
order and the prevention of such a threat or from an authority of a Member State,
that the data subject is not informed of the processing of personal data without his or her consent,
the Police Force shall provide such a person with information on the personal data processed only
with the prior consent of the authority of the Member State which provided the personal data or
made them available.
(3) The Police Force is entitled to process copies of documents and papers affected
provided to the Police Force in the exercise of its rights under a special regulation.".
Footnote 27da is deleted.
7. Section 69f is deleted.
Art. IV
Act of the National Council of the Slovak Republic no. 145/1995 Coll. on administrative fees, as amended by
Act of the National Council of the Slovak Republic no. 123/1996 Coll., Act of the National Council of the Slovak
Republic No. 224/1996 Coll., Act no. 70/1997 Coll., Act no. 1/1998 Coll., Act no. 232/1999
Coll., Act no. 3/2000 Coll., Act no. 142/2000 Coll., Act no. 211/2000 Coll., Act
no. 468/2000 Coll., Act no. 553/2001 Coll., Act no. 96/2002 Coll., Act no. 118/2002 Coll.,
Act no. 215/2002 Coll., Act no. 237/2002 Coll., Act no. 418/2002 Coll., Act
no. 457/2002 Coll., Act no. 465/2002 Coll., Act no. 477/2002 Coll., Act no. 480/2002 Coll.,
Act no. 190/2003 Coll., Act no. 217/2003 Coll., Act no. 245/2003 Coll., Act
no. 450/2003 Coll., Act no. 469/2003 Coll., Act no. 583/2003 Coll., Act no. 5/2004 Coll.,
Act no. 199/2004 Coll., Act no. 204/2004 Coll., Act no. 347/2004 Coll., Act
no. 382/2004 Coll., Act no. 434/2004 Coll., Act no. 533/2004 Coll., Act no. 541/2004 Coll.,
Act no. 572/2004 Coll., Act no. 578/2004 Coll., Act no. 581/2004 Coll., Act
no. 633/2004 Coll., Act no. 653/2004 Coll., Act no. 656/2004 Coll., Act no. 725/2004 Coll.,
Act no. 725/2004 Coll., Act no. 5/2005 Coll., Act no. 8/2005 Coll., Act no. 15/2005 Coll.,
Act no. 93/2005 Coll., Act no. 171/2005 Coll., Act no. 308/2005 Coll., Act no. 331/2005
Coll., Act no. 341/2005 Coll., Act no. 342/2005 Coll., Act no. 468/2005 Coll., Act
no. 473/2005 Coll., Act no. 491/2005 Coll., Act no. 538/2005 Coll., Act no. 558/2005 Coll.,
Act no. 572/2005 Coll., Act no. 573/2005 Coll., Act no. 610/2005 Coll., Act no. 14/2006
Coll., Act no. 15/2006 Coll., Act no. 24/2006 Coll., Act no. 117/2006 Coll., Act
no. 124/2006 Coll., Act no. 126/2006 Coll., Act no. 224/2006 Coll., Act no. 342/2006 Coll.,
Act no. 672/2006 Coll., Act no. 693/2006 Coll., Act no. 21/2007 Coll., Act no. 43/2007
Coll., Act no. 95/2007 Coll., Act no. 193/2007 Coll., Act no. 220/2007 Coll., Act
no. 279/2007 Coll., Act no. 295/2007 Coll., Act no. 309/2007 Coll., Act no. 342/2007 Coll.,
Act no. 342/2007 Coll., Act no. 343/2007 Coll., Act no. 344/2007 Coll., Act
no. 355/2007 Coll., Act no. 358/2007 Coll., Act no. 359/2007 Coll., Act no. 460/2007 Coll.,
Act no. 517/2007 Coll., Act no. 537/2007 Coll., Act no. 548/2007 Coll., Act
no. 571/2007 Coll., Act no. 577/2007 Coll., Act no. 647/2007 Coll., Act no. 661/2007 Coll.,
Act no. 92/2008 Coll., Act no. 112/2008 Coll., Act no. 167/2008 Coll., Act no. 214/2008
Coll., Act no. 264/2008 Coll., Act no. 405/2008 Coll., Act no. 408/2008 Coll., Act
no. 451/2008 Coll., Act no. 465/2008 Coll., Act no. 495/2008 Coll., Act no. 514/2008 Coll.,
Act no. 8/2009 Coll., Act no. 45/2009 Coll., Act no. 188/2009 Coll., Act no. 191/2009
Coll., Act no. 274/2009 Coll., Act no. 292/2009 Coll., Act no. 304/2009 Coll., Act
no. 305/2009 Coll., Act no. 307/2009 Coll., Act no. 465/2009 Coll., Act no. 478/2009 Coll.,
Act no. 513/2009 Coll., Act no. 568/2009 Coll., Act no. 570/2009 Coll., Act
no. 594/2009 Coll., Act no. 67/2010 Coll., Act no. 92/2010 Coll., Act no. 136/2010 Coll.,
Act no. 144/2010 Coll., Act no. 144/2010 Coll., Act no. 514/2010 Coll., Act
no. 556/2010 Coll., Act no. 39/2011 Coll., Act no. 119/2011 Coll., Act no. 200/2011 Coll.,
Act no. 223/2011 Coll., Act no. 254/2011 Coll., Act no. 256/2011 Coll., Act
no. 258/2011 Coll., Act no. 324/2011 Coll., Act no. 342/2011 Coll., Act no. 363/2011 Coll.,
Act no. 381/2011 Coll., Act no. 392/2011 Coll., Act no. 404/2011 Coll., Act
no. 405/2011 Coll., Act no. 409/2011 Coll., Act no. 519/2011 Coll., Act no. 547/2011 Coll.,
Act no. 49/2012 Coll., Act no. 96/2012 Coll., Act no. 251/2012 Coll., Act no. 286/2012
Coll., Act no. 336/2012 Coll., Act no. 339/2012 Coll., Act no. 351/2012 Coll., Act
no. 439/2012 Coll., Act no. 447/2012 Coll., Act no. 459/2012 Coll., Act no. 8/2013 Coll.,
Act no. 39/2013 Coll., Act no. 40/2013 Coll., Act no. 72/2013 Coll., Act no. 75/2013
Coll., Act no. 94/2013 Coll., Act no. 96/2013 Coll., Act no. 122/2013 Coll., Act
no. 144/2013 Coll., Act no. 154/2013 Coll., Act no. 213/2013 Coll., Act no. 311/2013 Coll.,
Act no. 319/2013 Coll., Act no. 347/2013 Coll., Act no. 387/2013 Coll., Act
no. 388/2013 Coll., Act no. 474/2013 Coll., Act no. 506/2013 Coll., Act no. 35/2014 Coll.,
Act no. 58/2014 Coll., Act no. 84/2014 Coll., Act no. 152/2014 Coll., Act no. 162/2014
Coll., Act no. 182/2014 Coll., Act no. 204/2014 Coll., Act no. 262/2014 Coll., Act
no. 293/2014 Coll., Act no. 335/2014 Coll., Act no. 399/2014 Coll., Act no. 40/2015 Coll.,
Act no. 79/2015 Coll., Act no. 120/2015 Coll., Act no. 128/2015 Coll., Act no. 129/2015
Coll., Act no. 247/2015 Coll., Act no. 253/2015 Coll., Act no. 259/2015 Coll., Act
no. 262/2015 Coll., Act no. 273/2015 Coll., Act no. 387/2015 Coll., Act no. 403/2015 Coll.,
Act no. 125/2016 Coll., Act no. 272/2016 Coll., Act no. 342/2016 Coll., Act
no. 386/2016 Coll., Act no. 51/2017 Coll., Act no. 238/2017 Coll., Act no. 242/2017 Coll.,
Act no. 276/2017 Coll., Act no. 292/2017 Coll., Act no. 293/2017 Coll., Act
no. 336/2017 Coll. and Act no. 17/2018 Coll. is amended as follows:
In the Tariff of Administrative Fees, Part XXIII. PROTECTION OF PERSONAL DATA, item 273
reads:
"Item 273
a) Procedure for the approval of a code of conduct ............ 1,000 euros
b) Procedure for amending the code of conduct ................. 1,000 euros
c) Proceedings on the extension of the code of conduct ........ 1,000 euros
d) Certificate issuance procedure ............................. 5,000 euros
e) Certificate renewal procedure .............................. 5,000 euros
f) Accreditation procedure .................................... 7,000 euros
g) Authorization procedure for the certification body ......... 250 euros."


Art. V
Act no. 4/2001 Coll. on the Prison and Judicial Guard Corps, as amended by Act no. 422/2002 Coll.,
Act no. 166/2003 Coll., Act no. 537/2004 Coll., Act no. 581/2004 Coll., Act
no. 475/2005 Coll., Act no. 491/2008 Coll., Act no. 59/2009 Coll., Act no. 192/2011 Coll.,
Act no. 220/2011 Coll., Act no. 372/2013 Coll., Act no. 307/2014 Coll., Act
no. 176/2015 Coll., Act no. 386/2015 Coll., Act no. 444/2015 Coll., Act no. 125/2016
Coll. and Act no. 255/2016 Coll. is amended as follows:
1. Section 65b, including the title, reads:
"§ 65b
Checking, correcting and deleting information or personal data
(1) If the circumstances allow, the Corps shall assess the accuracy of personal data each time they are
provided; if necessary, it shall supplement the available information to enable the accuracy of the data
to be assessed.
(2) If incorrect personal data or information stored in information
systems are found, the Corps shall immediately rectify or delete them. If such data have been provided,
the Corps is obliged to inform all recipients.
(3) If the data stored in the information system of the Corps are no longer established for the fulfillment
of tasks, or if there is another legal reason to do so, the Corps will delete this data.
(4) If the deletion of personal data could jeopardize the rights or legally protected interests of
the data subject, such data shall be limited. 17i) Such limited data may only be processed for
the purpose which prevented their deletion.
(5) The Corps shall check at least once every three years whether the need to keep the processed
personal data persists.".
Footnote 17i reads:
"17i) § 5 let. f) of Act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain
laws.".

2. In Section 65d, paragraphs 4 and 5 are deleted.
The former paragraphs 6 and 7 are renumbered as paragraphs 4 and 5.
Footnote 18b is deleted.
3. In § 65d par. 5, the words "paragraph 6" are replaced by the words "paragraph 4".
Art. VI
Act no. 153/2001 Coll. on the Prosecutor's Office as amended by Act no. 458/2003 Coll., Act no. 36/2005
Coll., Act no. 59/2009 Coll., Judgment of the Constitutional Court of the Slovak Republic no. 290/2009 Coll.,
Act no. 291/2009 Coll., Act no. 102/2010 Coll., Act no. 403/2010 Coll., Act
no. 192/2011 Coll., Act no. 220/2011 Coll., Act no. 436/2013 Coll., Judgment of the Constitutional Court
of the Slovak Republic no. 217/2014 Coll., Act no. 401/2015 Coll. and Act no. 125/2016 Coll.
is amended as follows:
1. The current text of § 55aa is referred to as paragraph 1 and is supplemented by paragraphs 2 and 3, which read as follows:
"(2) The General Prosecutor's Office, in cooperation with other prosecutor's offices, shall verify at least once every 12
months that the personal data processed are still necessary for the performance of the tasks of the
prosecutor's office. If the General Prosecutor's Office finds, during the verification or during the processing of personal
data, that such personal data are not immediately necessary for the performance of the tasks of the prosecution,
it deletes or anonymizes them.
(3) If the deletion or anonymisation of personal data pursuant to paragraph 2 could endanger the rights
and the legitimate interests of the data subject, the processing of personal data may be restricted; 35a)
however, they may be processed only for the purpose which prevented their erasure.".
In the footnote to reference 35, the words "Act no. 428/2002 Coll. as amended" are replaced by the words
"Act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain laws".
Footnote 35a reads:
"35a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons in the processing of personal data and on the free movement of such data, repealing Directive
95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016).
Act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain laws.".

2. In Section 55ac, paragraphs 2 and 3 are deleted.
At the same time, the designation of paragraph 1 shall be deleted.
Footnote 36 reads:
"36) Act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain laws.".

3. In § 55ad, paragraph 1 is deleted.
The former paragraphs 2 to 4 are referred to as paragraphs 1 to 3.
4. In § 55ad par. 2, the words "paragraph 2" are replaced by the words "paragraph 1".
5. In § 55ae par. 1 letter f), reference 36b and the footnote to reference 36b are deleted.
6. Section 55af is deleted, including the footnote to reference 36c.
Art. VII
Act no. 483/2001 Coll. on Banks and on Amendments to Certain Acts, as amended by Act
no. 430/2002 Coll., Act no. 510/2002 Coll., Act no. 165/2003 Coll., Act no. 603/2003 Coll.,
Act no. 215/2004 Coll., Act no. 554/2004 Coll., Act no. 747/2004 Coll., Act no. 69/2005
Coll., Act no. 340/2005 Coll., Act no. 341/2005 Coll., Act no. 214/2006 Coll., Act
no. 644/2006 Coll., Act no. 209/2007 Coll., Act no. 209/2007 Coll., Act no. 659/2007 Coll.,
Act no. 659/2007 Coll., Act no. 297/2008 Coll., Act no. 552/2008 Coll., Act
no. 552/2008 Coll., Act no. 66/2009 Coll., Act no. 186/2009 Coll., Act no. 186/2009 Coll.,
Act no. 276/2009 Coll., Act no. 492/2009 Coll., Act no. 492/2009 Coll., Act
no. 129/2010 Coll., Act no. 129/2010 Coll., Act no. 46/2011 Coll., Act no. 130/2011 Coll.,
Act no. 314/2011 Coll., Act no. 394/2011 Coll., Act no. 520/2011 Coll., Act
no. 547/2011 Coll., Act no. 234/2012 Coll., Act no. 352/2012 Coll., Act no. 132/2013 Coll.,
Act no. 352/2013 Coll., Act no. 213/2014 Coll., Act no. 213/2014 Coll., Act
no. 213/2014 Coll., Act no. 213/2014 Coll., Act no. 371/2014 Coll., Act no. 374/2014 Coll.,
Act no. 35/2015 Coll., Act no. 252/2015 Coll., Act no. 359/2015 Coll., Act no. 392/2015
Coll., Act no. 405/2015 Coll., Act no. 437/2015 Coll., Act no. 90/2016 Coll., Act
no. 91/2016 Coll., Act no. 125/2016 Coll., Act no. 292/2016 Coll., Act no. 298/2016 Coll.,
Act no. 299/2016 Coll., Act no. 315/2016 Coll., Act no. 386/2016 Coll., Act no. 2/2017
Coll., Act no. 264/2017 Coll. and Act no. 279/2017 Coll. is amended as follows:
1. In § 92a, paragraph 5 reads:
"(5) A client of a bank or a branch of a foreign bank who is not a natural person has the right
to become acquainted, free of charge, with information held about him or his trades
in the common banking register, has the right to request, at least once a year, free of charge from
the operator of the common banking register a nominal list of persons to whom
information on the relevant client who is not a natural person, or on its business, was provided
from the common banking register, and also has the right to request the free correction or
liquidation of incorrect, incomplete or out-of-date information kept in the common
banking register on the relevant client who is not a natural person or on its transactions.
A client of a bank or a branch of a foreign bank who is a natural person has the right of access
to personal data according to a special regulation. 37)".

Footnote 37 reads:
"37) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons in the processing of personal data and on the free movement of such data, repealing Directive
95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016).
Act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain laws.".

2. In § 92b par. 1 and § 93a par. 2 to 4, the words "and information" are deleted.
3. In § 93a par. 1 letter a), first point, the words "and a photograph from the identity card" are inserted
after the words "type and number of the identity document".
Art. VIII
Act no. 395/2002 Coll. on Archives and Registries and on Amendments to Certain Acts, as amended
Act no. 515/2003 Coll., Act no. 216/2007 Coll., Act no. 335/2007 Coll., Act
no. 445/2008 Coll., Act no. 41/2011 Coll., Act no. 305/2013 Coll., Act no. 266/2015
Coll. and Act no. 125/2016 Coll. is amended as follows:
1. Footnote 25 reads:
"25) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals
in the processing of personal data and on the free movement of such data, repealing Directive
95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016).
Act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain laws.".

2. In § 13 par. 5 letter (a) the word "or" is deleted.
3. In § 13 par. 5 letter (b) the word "or" is added at the end.
4. In § 13, paragraph 5 is supplemented by letter c), which reads:
"c) where the purpose of the use of the archival document is historical research or other scientific evidence
research."
Art. IX
Act no. 417/2002 Coll. on the use of deoxyribonucleic acid analysis to identify individuals
is amended as follows:
1. In § 2, letter b) reads:
"b) deoxyribonucleic acid analysis means the process of analyzing a sample by methods of molecular
biology and genetics performed from non-coding regions of the deoxyribonucleic acid
molecule that do not contain information on specific hereditary characteristics; analysis of
deoxyribonucleic acid also means the prediction of visible phenotypic manifestations,".
2. § 2 is supplemented by letter f), which reads:
"f) prediction of visible phenotypic manifestations means the process of analyzing a sample by methods of
molecular biology and genetics performed from coding sections of deoxyribonucleic acid
molecules, which contain information such as hair color, eye color
and skin pigmentation.".

3. Footnote 1 reads:
"1) § 155 par. 2, 3 and 5 and § 156 par. 1 and 2 of the Criminal Procedure Code.
§ 20a of the Act of the National Council of the Slovak Republic no. 171/1993 Coll. on the Police Force, as amended.".

4. In § 3 par. 1 letter a) the words "proceedings, Police Corps 2) and Railway Police, 3)" are replaced by
the words "proceedings and the Police Force, 2)".
Footnote 3 is deleted.
5. In § 3, paragraph 3 reads:
"(3) Sampling shall be performed by a member of the Police Force 2) (hereinafter referred to as a "police officer"), a body
active in criminal proceedings, 4) or a court; collection can also be performed by the person himself in the presence of a police officer,
a body active in criminal proceedings or a court. Sampling according to paragraph 1 letter b) shall be
carried out, at the written request of a police officer, a body active in criminal proceedings or
a court, by a member of the Prison and Judicial Guard Corps; 5) collection can also be performed by the person himself
in the presence of a member of the Prison and Judicial Guard Corps. If taking the sample
impairs the bodily integrity of a person or the sample is taken from an intimate part of the human body,
it is collected, on the basis of a written request from a police officer, a body active in criminal proceedings
or a court, by a medical professional with the relevant professional competence. 5a) Sampling is
carried out in a manner which does not endanger the health of the person or impair his or her human dignity.".
Footnotes to references 4 to 5a read as follows:
"4) § 10 par. 1 of Act no. 301/2005 Coll. as amended.
5) Act no. 4/2001 Coll. on the Prison and Judicial Guard Corps, as amended.
5a) Section 33 of Act no. 578/2004 Coll. on health care providers, medical
workers, professional organizations in health care and on the amendment of certain laws
as amended.".

6. In § 4, a new paragraph 2 is inserted after paragraph 1, which reads as follows:
"(2) Prediction of visible phenotypic manifestations may be made only from a sample obtained
in connection with a particularly serious crime, 5b) a crime against life and health, a criminal
offense against freedom and human dignity, 5c) by identifying the corpse or separate parts of the
human body if the identity of the person is not established by deoxyribonucleic acid analysis in the database
or in the national databases of deoxyribonucleic acid profiles of the Member States of the
European Union under a special regulation. 5d)".
The former paragraphs 2 to 7 are renumbered as paragraphs 3 to 8.
Footnotes to references 5b to 5d read as follows:
"5b) § 11 par. 3 of the Criminal Code.
5c) § 144 to § 203 of the Criminal Code.
5d) Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation,
in the fight against terrorism and cross-border crime (OJ L 210, 6.8.2008)."

7. In § 4 par. 3, the word "eight" is replaced by the word "twelve".
8. In § 4 par. 4 of the introductory sentence, the following words shall be added at the end: "accredited procedures".
9. In § 4 par. 4 letter a) the words "in the list of institutes and other establishments specializing in
expert activity 6)" are replaced by the words "as an expert institute in the list according to the special
regulation 6)".

Footnote 6 reads:
"6) Act no. 382/2004 Coll. on experts, interpreters and translators and amending certain
laws as amended.".

10. In § 4 par. 5 in the second sentence, the words "for the Railway Police" are replaced by the word "court.".
11. In § 4 par. 7, the words "paragraph 5" are replaced by the words "paragraph 6".
12. In § 4 par. 8, the words "paragraph 3" are replaced by the words "paragraph 4".
13. In § 5 par. 3 letter (b) in the second point, the words "and place" are deleted.
14. Footnote 7 reads:
"7) Act of the National Council of the Slovak Republic no. 171/1993 Coll. as amended.
Act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain laws.".

15. In § 8, paragraph 1 reads:
"(1) The authorized department shall delete the data from the database
a) about the person
1. against whom the prosecution has been discontinued on the ground that it is common ground that
the act for which criminal proceedings are being conducted did not take place, or that it is not a criminal offense
and there is no reason to transfer the case, or that there is no doubt that the act was not committed by the accused, 8)
2. who has been acquitted on the ground that it has not been proved that the act
for which the accused is being prosecuted was committed, or that the act is not a criminal offense, 9)
b) on a convicted person, on a person against whom criminal prosecution is inadmissible, 10) on a person against
whom prosecution was discontinued on the ground that the accused was not, at the time of the offense,
criminally liable for insanity, 11) and on a person who has been acquitted
on the grounds that the accused is not criminally liable for insanity, 12) after one hundred years
since the person's birth."
Footnotes to references 8 to 12 read as follows:
"8) § 215 par. 1 letter a) to c) of the Criminal Procedure Code.
9) § 285 letter a) and b) of the Criminal Procedure Code.
10) § 9 par. 1 of the Criminal Procedure Code.
11) § 215 par. 1 letter e) and f) of the Criminal Procedure Code.
12) § 285 letter d) and e) of the Criminal Procedure Code.".

16. In § 8, paragraph 3 reads:
"(3) A body active in criminal proceedings or a court which has terminated criminal proceedings concerning
a person whose deoxyribonucleic acid profile is stored in the database is required to
inform the authorized department of this fact in writing within three working days from the end of the criminal
proceedings."
17. Annex no. 1, including the title, reads:
"Annex no. 1
to Act no. 417/2002 Coll.
POLYMORPHIC SYSTEMS
Deoxyribonucleic acid polymorphic systems in which analysis is performed
deoxyribonucleic acid:
D3S1358
VWA
D8S1179
D21S11
D18S51
HUMTH01
FGA
D1S1656
D2S441
D10S1248
D12S391
D22S1045".

18. Annex no. 2, including the title, reads:

"Annex no. 2
to Act no. 417/2002 Coll.
RESULT OF DEOXYRIBONUCLEIC ACID ANALYSIS
Workplace performing the analysis (name and exact address):
............................................................
Reason for analysis:
............................................................
Biological sample: *
- secured according to § 2 letter d) of Act no. 417/2002 Coll.,
- taken according to § 3 of Act no. 417/2002 Coll. from a person listed in § 3 par. 1
letter a) / § 3 par. 1 letter b) / § 3 par. 1 letter c) of Act no. 417/2002 Coll.
* Strike out what does not apply.
DNA profile **
            Allele 1    Allele 2    Allele 3    Allele 4
D3S1358
VWA
D8S1179
D21S11
D18S51
HUMTH01
FGA
D1S1656
D2S441
D10S1248
D12S391
D22S1045
Details of the person whose biological sample has been seized or taken:
1. name and surname ............................................................
2. date of birth ............................................................
3. birth number; for foreigners travel document number ............................................................
4. address of residence ............................................................
5. nationality ............................................................
6. other data ............................................................
Data on the biological sample seized according to § 2 letter d) of Act no. 417/2002 Coll.
............................................................
For more information, please contact: ............................................................
(title, name, surname, telephone contact)
Date:
Name and surname
responsible worker
signature
Expert stamp".


Art. X
Act no. 586/2003 Coll. on Advocacy and on Amendments to Act No. 455/1991 Coll.
on Trade Licensing (Trade Licensing Act) as amended by later regulations as amended by Act
no. 8/2005 Coll., Act no. 327/2005 Coll., Act no. 331/2007 Coll., Act no. 297/2008 Coll.,
Act no. 451/2008 Coll., Act no. 304/2009 Coll., Act no. 136/2010 Coll., Act
no. 332/2011 Coll., Act no. 335/2012 Coll., Act no. 339/2013 Coll., Act no. 440/2015 Coll.,
Act no. 125/2016 Coll. is amended as follows:
1. In § 18, paragraphs 6 and 7 read:
"(6) A lawyer processes personal data of clients and other natural persons to the extent necessary
for the purposes of advocacy in accordance with this Act and a special regulation. 12b) The lawyer has
the processing of personal data within the meaning of the first sentence of this paragraph
according to a special regulation. 12c)
(7) A lawyer is entitled to obtain and process personal data necessary for the purposes of the performance of
advocacy by copying, scanning or otherwise recording official documents on an information
medium without the consent of the person concerned.".
Footnotes to references 12b and 12c read as follows:
"12b) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons in the processing of personal data and on the free movement of such data, repealing Directive
95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016).
12c) Art. 4 par. 7 of Regulation (EU) 2016/679.".

2. Section 18 is supplemented by paragraphs 8 and 9, which read as follows:
"(8) A lawyer is not obliged to provide information on the processing of personal data, or to allow
access to or transfer of personal data according to a special regulation, 12d) if this could lead
to a breach of the lawyer's obligation to maintain confidentiality under this Act.
(9) The Chamber may, by resolution, regulate other rights and obligations of the Chamber, lawyers
and the persons concerned by adopting a code of conduct in accordance with a special regulation. 12e)".

Footnotes to references 12d and 12e read as follows:
"12d) Art. 14 par. 5 letter d), Art. 15 par. 4 and Art. 20 par. 4 of Regulation (EU) 2016/679.
12e) Art. 23, Art. 40 and Art. 90 of Regulation (EU) 2016/679.".

Art. XI
Act no. 541/2004 Coll. on the Peaceful Uses of Nuclear Energy (Atomic Act) and on Amendment
and amendments to some laws as amended by Act no. 238/2006 Coll., Act no. 21/2007 Coll., Act
no. 94/2007 Coll., Act no. 335/2007 Coll., Act no. 408/2008 Coll., Act no. 120/2010 Coll.,
Act no. 145/2010 Coll., Act no. 350/2011 Coll., Act no. 143/2013 Coll., Act
no. 314/2014 Coll., Act no. 54/2015 Coll., Act no. 91/2016 Coll., Act no. 125/2016
Coll. and Act no. 96/2017 Coll. is amended as follows:
1. In § 26, paragraph 6 reads:
"(6) The permit holder is obliged to ensure that, for the authorization and control of entry into the nuclear
installation, identification of persons by means of an identity card or other
identification document, such as a travel document or a UN travel document, is used, which
contains in particular title, name and surname, date of birth, permanent residence, identity card
number or number of other identification document, nationality, biometric data,
birth number and photograph of the person, and at the same time, in the nuclear facilities in which
nuclear materials classified in category I or II according to a special regulation37a) are located, the permit
holder must ensure that, to permit and control the entry of persons into the guarded
and interior space, the identification of persons through biometric data is also used.37b)
Persons entering or leaving a nuclear installation are
obligated to tolerate the identification according to the first sentence. If these persons refuse to tolerate identification
according to the first sentence, the permit holder is obliged to prevent their entry into or exit from the nuclear
installation. The permit holder is entitled to process personal data pursuant to the first sentence in accordance
with a special regulation.37c)".

Footnotes to references 37b and 37c read as follows:
"37b) Art. 9 par. 2 letter (g) Regulation (EU) No 182/2011 of the European Parliament and of the Council 2016/679 of 27 April 2016
on the protection of individuals with regard to the processing of personal data and on the free movement of such data,
repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016).
37c) Art. 6 par. 1 letter (c) of Regulation (EU) 2016/679.
Act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain laws.".

2. Section 31 is supplemented by paragraph 17, which reads:
"(17) The Office is authorized to process, in accordance with a special regulation,41a) the personal data of
inspectors, waiting inspectors, international inspectors and other persons invited to
an inspection or international inspection in the course of inspection activities, as well as of other persons, for
the purpose of ensuring the control of the entry and exit of these persons to the nuclear installation
and from the nuclear facility, in the scope of personal data specified in § 26 par. 6. The Office is
authorized to provide personal data pursuant to the first sentence to the permit holder for the same purpose
and to the same extent as specified in the first sentence.".
Footnote 41a reads:
"41a) Art. 6 par. 1 letter (e) Regulation (EU) 2016/679.
Act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain laws.".

Art. XII
Act no. 652/2004 Coll. on state administration bodies in customs and on the amendment of some
laws as amended by Act no. 331/2005 Coll., Act no. 191/2007 Coll., Act no. 537/2007 Coll.,
Act no. 166/2008 Coll., Act no. 491/2008 Coll., Act no. 207/2009 Coll., Act
no. 305/2009 Coll., Act no. 465/2009 Coll., Act no. 508/2010 Coll., Act no. 192/2011 Coll.,
Act no. 256/2011 Coll., Act no. 331/2011 Coll., Act no. 546/2011 Coll., Act
no. 441/2012 Coll., Act no. 207/2014 Coll., Act no. 307/2014 Coll., Act no. 333/2014 Coll.,
Act no. 360/2015 Coll., Act no. 397/2015 Coll. and Act no. 298/2016 Coll. is amended as follows:
1. In § 52, paragraph 5 is deleted.
The former paragraphs 6 to 9 are renumbered as paragraphs 5 to 8.
2. In § 54, paragraph 6 is deleted.
3. In § 54b par. 4, the words "referred to in § 55 par. 4" are replaced by the words "according to a special
regulation46ba)".

Footnote 46ba reads:
"46ba) § 64 of Act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain
laws.".

4. In Section 54c, paragraphs 3 to 5 are deleted.
5. In § 55, the title under paragraph and paragraphs 1 and 4 to 11, including the footnote
to reference 46f, are deleted.
The former paragraphs 2 and 3 are renumbered as paragraphs 1 and 2.
6. In § 58, paragraph 8 is deleted.


Art. XIII
Act no. 757/2004 Coll. on Courts and on Amendments to Certain Acts, as amended by Act
no. 517/2008 Coll., Act no. 59/2009 Coll., Judgment of the Constitutional Court of the Slovak Republic
no. 290/2009 Coll., Act no. 291/2009 Coll., Act no. 318/2009 Coll., Act no. 33/2011 Coll.,
Act no. 192/2011 Coll., Act no. 467/2011 Coll., Act no. 335/2012 Coll., Act
no. 195/2014 Coll., Judgment of the Constitutional Court of the Slovak Republic no. 216/2014 Coll., Act
no. 322/2014 Coll., Act no. 87/2015 Coll., Act no. 125/2016 Coll., Act no. 301/2016 Coll.,
Act no. 2/2017 Coll. and Act no. 152/2017 Coll. is amended as follows:
1. Footnote 34 reads:
"34) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals
in the processing of personal data and on the free movement of such data, repealing Directive
95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016).
Act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain laws.".

2. In § 79, paragraph 1 reads:
"(1) The Ministry and the courts shall process information in the public interest in the performance of their tasks,
personal data and other data (hereinafter referred to as "data") relating to civil proceedings
and criminal proceedings, as well as data obtained in the performance of their tasks arising from
regulations,38) including personal data related to the representation of the Slovak Republic
in proceedings before the Court of Justice of the European Union and in the stages preceding that
proceedings as well as staff matters relating to the Court of Justice of the European Union.".
3. The current text of § 80 is referred to as paragraph 1 and is supplemented by paragraph 2, which reads:
"(2) Personal data related to the representation of the Slovak Republic in proceedings before the
Court of Justice of the European Union and in the pre-litigation stages, as well as with staff
matters relating to the Court of Justice of the European Union, may be provided by the Ministry, for the purposes of fulfilling
tasks under a special regulation,39) to other public authorities or to another
beneficiary."
4. In § 81, paragraph 1 is deleted and at the same time the designation of paragraph 2 is deleted.
5. In Section 82d, above the word "regulation", the reference "34)" is replaced by the reference "42c)".
Footnote 42c reads:
"42c) Act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain laws.".

6. In § 82e, paragraph 1 is deleted.
The former paragraphs 2 to 5 are referred to as paragraphs 1 to 4.
7. In § 82e par. 2, the words "paragraph 2" are replaced by the words "paragraph 1".
8. In § 82f par. 1 letter (f), reference 42d and footnote 42d are deleted.
9. Section 82g, including the footnote to reference 42e, is deleted.

Art. XIV
Act no. 129/2010 Coll. on consumer credit and on other credit and loans for
consumers and on the amendment of certain laws as amended by Act no. 394/2011 Coll., Act
no. 352/2012 Coll., Act no. 132/2013 Coll., Act no. 102/2014 Coll., Act no. 106/2014 Coll.,
Act no. 373/2014 Coll., Act no. 35/2015 Coll., Act no. 117/2015 Coll., Act no. 389/2015
Coll., Act no. 438/2015 Coll., Act no. 90/2016 Coll., Act no. 91/2016 Coll., Act
no. 299/2016 Coll. and Act no. 279/2017 Coll. is amended as follows:
1. In § 1 par. 6, the words "up to 15" are replaced by the words "up to 14".
2. In § 7, paragraph 14 is deleted.
The former paragraphs 15 to 43 are referred to as paragraphs 14 to 42.


3. In § 7 par. 4, the words "17 and 18" are replaced by the words "16 and 17".
4. In § 7 par. 21, after the word "paragraph", the number "21" is replaced by the number "20".
5. In § 7 par. 24, in the introductory sentence, the words "20 to 24" are replaced by the words "19 to 23".
6. In § 7 par. 25, the number "25" is replaced by the number "24" and the number "39" is replaced by the number "38".
7. In § 7 par. 26, in the introductory sentence, the number "20" is replaced by the number "19".
8. In § 7 par. 27, the words "paragraph 20" are replaced by the words "paragraph 19".
9. In § 7 par. 29, the number "32" is replaced by the number "31".
10. In § 7 par. 30, the number "30" is replaced by the number "29".
11. In § 7 par. 31, in the introductory sentence, the words "30 and 31" are replaced by the words "29 and 30".
12. In § 7 par. 33, in the introductory sentence, the words "35, 36 and 38" are replaced by the words "34, 35 and 37" and the number "33"
is replaced by the number "32".
13. In § 7 par. 34 to 38, the number "34" is replaced by the number "33".
14. In § 7 par. 38, the number "26" is replaced by the number "25".
15. In § 7 par. 40, the words "20 to 40" are replaced by the words "19 to 39" and the words "17 to 19" are
replaced by the words "16 to 18".
16. In § 7 par. 41 letter (a), the words "25 and 32" are replaced by the words "24 and 31".
17. In § 11 par. 2, the words "20 to 43" are replaced by the words "19 to 42".
18. In § 20a par. 3 letter (b), the words "information
and proof of identity pursuant to a special regulation,32b)" are inserted before the words "instrument of incorporation".
19. In § 20a par. 3 letter h) and § 20b par. 5 letter (e), the words "16 to 18" are replaced by the words "15 to
17".
20. In § 24 par. 1, the words "17 to 43" are replaced by the words "16 to 42".
21. In § 24 par. 6 letter (b), the words "name, surname, address of permanent residence, nationality
and date of birth" are replaced by the words "information and proof of identity under
a special regulation32b)".
22. In § 24 par. 7 letter (h), the words "17 to 19" are replaced by the words "16 to 18".
Art. XV
Act no. 39/2015 Coll. on Insurance and on Amendments to Certain Acts, as amended by Act
no. 359/2015 Coll., Act no. 437/2015 Coll., Act no. 125/2016 Coll., Act no. 292/2016 Coll.,
Act no. 339/2016 Coll. and Act no. 282/2017 Coll. is amended as follows:
In § 72, paragraph 13 is deleted.
The current paragraph 14 is renumbered as paragraph 13.
Art. XVI
This Act shall enter into force on 25 May 2018.

Andrej Kiska vr
Andrej Danko vr
Robert Fico vr


1) § 57 par. 2 of Act no. 351/2011 Coll. on electronic communications, as amended.
2) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons in the processing of personal data and on the free movement of such data,
repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016).
3) § 17 par. 9 of the Act of the National Council of the Slovak Republic no. 46/1993 Coll. on the Slovak
Information Service, as amended by Act no. 192/2011 Coll.
4) § 17 par. 6 of the Act of the National Council of the Slovak Republic no. 198/1994 Coll. on Military
Intelligence, as amended by Act no. 444/2015 Coll.
§ 14 par. 7 of Act no. 281/2015 Coll. on the civil service of professional soldiers and on
amendments to certain laws.
5) Act no. 215/2004 Coll. on the protection of classified information and amending certain
laws, as amended.
6) Act no. 552/2003 Coll. on the performance of work in the public interest, as amended.
7) Act no. 55/2017 Coll. on Civil Service and on Amendments to Certain Acts.
8) For example, the Act of the National Council of the Slovak Republic no. 171/1993 Coll. on the Police Force,
as amended, Act no. 540/2001 Coll. on state statistics, as amended,
Act no. 395/2002 Coll. on archives and registries and on the amendment of certain laws,
as amended, or Act no. 553/2002 Coll. on access to documents on the activities
of the state security forces 1939-1989 and on the establishment of the Institute of the Memory of the Nation and on the amendment
of certain laws (the Act on the Memory of the Nation), as amended.
9) Act no. 22/2004 Coll. on Electronic Commerce and on Amendments to Act No. 128/2002
Coll. on State control of the internal market in consumer protection matters and amending
certain laws, as amended by Act no. 284/2002 Coll., as amended.
10) Act no. 36/2005 Coll. on the Family and on Amendments to Certain Acts, as amended.
11) For example, the Labor Code, as amended, Act no. 461/2003 Coll. on social
insurance, as amended, or Act no. 5/2004 Coll. on employment services
and on the amendment of certain laws, as amended.
12) For example, the Civil Code, the Commercial Code, Act no. 250/2007 Coll. on consumer
protection and amending the Act of the Slovak National Council no. 372/1990 Coll. on offenses, as amended,
as amended, Act no. 90/2016 Coll. on housing loans
and on the amendment of certain laws, as amended.
13) Act no. 447/2008 Coll. on cash benefits to compensate for severe
disability and on the amendment of certain laws, as amended.
14) Act no. 328/2002 Coll. on the social security of police officers and soldiers and on the amendment
of certain laws, as amended.
15) For example, Act no. 576/2004 Coll. on health care, services related
to the provision of health care and on the amendment of certain laws, as amended.
16) Act no. 330/2007 Coll. on the Criminal Register and on Amendments to Certain Acts, as amended.
17) § 2 par. 15 of Act no. 395/2002 Coll., as amended.
18) Section 20 of Act no. 395/2002 Coll., as amended.
19) For example, the Code of Civil Procedure, the Code of Administrative Procedure.
20) Civil Procedure Rules.
21) Act no. 757/2004 Coll. on Courts and on Amendments to Certain Acts, as amended.
Criminal procedure.


22) Act of the National Council of the Slovak Republic no. 301/1995 Coll. on birth number, as amended by Act
no. 515/2003 Coll.
23) Section 116 of the Civil Code.
24) Art. 15, 16, 18 and 21 of Regulation (EU) 2016/679.
25) Art. 15, 16, 18 to 21 of Regulation (EU) 2016/679.
26) For example, the Act of the National Council of the Slovak Republic no. 566/1992 Coll. on the National Bank
of Slovakia, as amended, Act of the National Council of the Slovak Republic no. 46/1993
Coll., as amended, Act of the National Council of the Slovak Republic no. 171/1993
Coll., as amended, Act no. 215/2004 Coll., as amended, Act
no. 563/2009 Coll. on Motor Vehicle Tax and on Amendments to Certain Acts, as amended,
Act no. 307/2014 Coll. on certain measures related
to the notification of anti-social activities and on the amendment of certain laws, as amended.
27) § 21 par. 1 and par. 5 letter a) of Act no. 523/2004 Coll. on budgetary rules of public
administration and on the amendment of certain laws, as amended.
28) Art. 51 par. 1 of Regulation (EU) 2016/679.
29) Art. 57 par. 1 and Art. 58 par. 1 to 3 of Regulation (EU) 2016/679.
30) For example, Art. 56, 60 to 62 of Regulation (EU) 2016/679.
31) Art. 68 of Regulation (EU) 2016/679.
32) Art. 56, 60 and Art. 61 par. 1 to 8 of Regulation (EU) 2016/679.
33) For example, Act no. 215/2004 Coll. as amended.
34) Section 60 of the Act of the National Council of the Slovak Republic no. 350/1996 Coll. on the Rules of Procedure
of the National Council of the Slovak Republic, as amended by Act no. 215/2004 Coll.
35) Constitutional Act no. 357/2004 Coll. on the protection of the public interest in the exercise of the functions of public
officials, as amended by Act no. 545/2005 Coll.
§ 112 of Act no. 55/2017 Coll.
36) For example, the Criminal Procedure Code, the Administrative Judicial Code.
37) Sections 38 and 40 of Act no. 215/2004 Coll. as amended.
38) Art. 40 par. 2 of Regulation (EU) 2016/679.
39) Art. 40 par. 7 of Regulation (EU) 2016/679.
40) Art. 64 par. 1 letter (b) of Regulation (EU) 2016/679.
41) Act no. 395/2002 Coll. as amended.
42) Act no. 395/2002 Coll. as amended.
Art. 41 of Regulation (EU) 2016/679.
43) Art. 43 par. 2 and 3 of Regulation (EU) 2016/679.
44) Art. 62 of Regulation (EU) 2016/679.
45) Act of the National Council of the Slovak Republic no. 10/1996 Coll. on control in state administration, as amended.
46) Art. 56 par. 1 of Regulation (EU) 2016/679.
47) Art. 56 of Regulation (EU) 2016/679.
48) Act no. 71/1967 Coll. on administrative proceedings (administrative order) as amended.

Annex
to Act no. 18/2018 Coll.

LIST OF TRANSPOSED LEGALLY BINDING ACTS OF THE EUROPEAN UNION
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons in the processing of personal data by the competent authorities for the purposes of the prevention of criminal offences,
their investigation, detection or prosecution or for the purpose of enforcing criminal sanctions
and on the free movement of such data and repealing Council Framework Decision 2008/977/JHA
(OJ L 119, 4.5.2016).

Publisher of the Collection of Laws of the Slovak Republic, content administrator and legal and information operator
of the Slov-Lex portal available on the website www.slov-lex.sk is
Ministry of Justice of the Slovak Republic, Župné námestie 13, 813 11 Bratislava,
phone: 02 888 91 137, fax: 02/52442853, e-mail: helpdesk@slov-lex.sk.


