COLLECTION OF LAWS OF THE SLOVAK REPUBLIC
Volume 2018
Announced: 7 June 2018

Time version of the regulation effective from: 15 June 2018
The content of the document is legally binding.

158
DECREE

Office for Personal Data Protection of the Slovak Republic
of 29 May 2018
on the procedure for assessing the impact on the protection of personal data

The Office for Personal Data Protection of the Slovak Republic (hereinafter referred to as the “Office”), pursuant to § 108 par. 2 of Act No. 18/2018 Coll. on Personal Data Protection and on Amendments to Certain Acts (hereinafter referred to as the “Act”), lays down the following:
§1
This Decree regulates the procedure of the controller for assessing the impact of the planned processing operations on the protection of personal data (hereinafter referred to as “impact assessment”) pursuant to § 42 par. 1 and 3 of the Act.
§2
The impact assessment documentation contains
a) a description of the planned processing,
b) an assessment of the necessity and proportionality of the processing in conjunction with the measures taken to demonstrate compliance with the Act,
c) an assessment of the risks to the rights of natural persons in conjunction with the measures to manage those risks,
d) documentation pursuant to § 6,
e) monitoring and review.
§3
(1) The description of the planned processing is a systematic description of the processing operations focused on the nature, scope, context and purposes of the processing of personal data; it contains in particular
a) the purposes of the processing of personal data,
b) if personal data are processed on the basis of § 13 par. 1 letter f) of the Act, the description of the processing operations also contains a specific characterisation of the legitimate interest of the controller or of a third party, including
1. a description of the assessment of the legitimacy of the interest of the controller or of the third party,
2. a description of the relationship between the controller and the data subjects,
3. the conditions under which the data subject may reasonably expect processing operations with personal data concerning him or her,
4. an assessment of the proportionality of the processing operations and the justification for the prevalence of the interest of the controller or of the third party over the rights of the natural person,
c) a list or the scope of the personal data which are the subject of the processing,
d) a list or the circle of recipients to whom personal data are provided,
e) a determination of the retention period of the personal data.
(2) If the processing of personal data is subject to an approved code of conduct pursuant to § 85 of the Act, the description of the processing operations includes references to those parts of the code of conduct which the controller took into account in the impact assessment.
(3) If a valid certificate issued pursuant to § 86 of the Act applies to the processing of personal data, the description of the processing operations includes references to those parts of the application for the certificate and its annexes that demonstrate the compliance of the processing of personal data with the Act and the existence of adequate safeguards for the protection of personal data.
§4
(1) In order to ensure compliance with the Act, the processing operation must be necessary and proportionate in relation to the purpose of the processing of personal data. The necessity of a processing operation is demonstrated by its assessment in relation to the intended purpose of the processing of personal data. The proportionality of a processing operation is demonstrated by an assessment of its nature, scope and context, which must correspond to the purpose of the processing of personal data.
(2) In assessing the necessity and proportionality of a processing operation, the measures taken to ensure compliance with the Act shall be taken into account and justified, in particular
a) the application of the principle of lawfulness pursuant to § 6 of the Act,
b) the application of the principle of purpose limitation pursuant to § 7 of the Act,
c) the application of the principle of data minimisation pursuant to § 8 of the Act,
d) the application of the principle of accuracy pursuant to § 9 of the Act,
e) the application of the principle of storage limitation pursuant to § 10 of the Act,
f) the application of the principle of integrity and confidentiality pursuant to § 11 of the Act,
g) compliance with the procedures for the exercise of the rights of data subjects pursuant to § 19 to 28 of the Act,
h) compliance with the procedures for ensuring the lawful processing of personal data by a processor pursuant to § 34 of the Act,
i) adequate safeguards relating to the transfer of personal data to a third country or an international organisation pursuant to § 47 to 51 of the Act,
j) appropriate technical and organisational measures pursuant to § 32 of the Act,
k) the views of data subjects or of organisations representing the interests of data subjects on the processing of personal data, obtained pursuant to § 42 par. 6 of the Act.
§5
(1) In assessing the risks to the rights of natural persons, the controller shall take into account in particular
a) the description of the planned processing pursuant to § 3,
b) the necessity and proportionality of the processing operation pursuant to § 4,
c) a description of the conditions of the processing of personal data pursuant to § 39 par. 1 of the Act, including the existing security measures taken pursuant to § 39 of the Act.
(2) The controller shall carry out the assessment of the risks to the rights of natural persons in terms of the impact on the natural person, taking into account in particular the risk associated with accidental or unlawful damage, destruction, loss, alteration, unauthorised access to, provision or disclosure of personal data, as well as any other inadmissible manner of processing, and in doing so shall identify
a) the threats and the probability of their occurrence,
b) the vulnerabilities exploitable by the threats,
c) the risks, the probability of their occurrence and their severity,
d) the extent of the impact on the rights of the natural person resulting from a loss of integrity, confidentiality or availability of the data, and
e) whether a high risk to the rights of the natural person would arise if risk mitigation measures were not taken.
(3) In assessing the risks of processing operations, the controller may also proceed in accordance with international standards.1)
(4) The controller shall take appropriate risk mitigation measures, including safeguards, security measures and mechanisms, to ensure the protection of personal data and to demonstrate compliance with the Act.
(5) The controller shall take appropriate measures to ensure the regular monitoring of all the conditions of the processing of personal data which it took into account in the assessment of the risks to the rights of natural persons pursuant to § 2 letters a) to d), including checks of the established procedures. The controller may also proceed in accordance with international standards.2)
(6) When taking measures to mitigate the risks to the rights of natural persons, the controller shall proceed, to an appropriate extent, in accordance with the Annex.
§6
(1) In order to demonstrate compliance with the Act pursuant to § 31 par. 1 of the Act, the controller shall document the impact assessment to the extent set out in § 2 letters a) to c) and e).
(2) Documentation pursuant to a special regulation3) shall also be deemed to be documentation of the impact assessment pursuant to § 2 if it demonstrates the matters referred to in paragraph 1 to the extent set out in this Decree.

§7
This Decree shall enter into force on 15 June 2018.

Soňa Pőtheová, in her own hand

Annex
to Decree No. 158/2018 Coll.

MEASURES TO ELIMINATE RISKS TO THE RIGHTS OF NATURAL PERSONS
1. Technical measures
1.1 Technical measures implemented by physical means
1.1.1 Securing the building by mechanical means (e.g. lockable doors, windows, grilles) and also by technical security devices (e.g. an electronic intrusion alarm system for the building, an electronic fire alarm system).
1.1.2 Securing the protected area by separating it from other parts of the building (e.g. walls, grilles or glazing).
1.1.3 Placing important information technology assets in a protected area and protecting the information infrastructure against physical access by unauthorised persons and against adverse environmental influences.
1.1.4 Secure storage of physical media, including secure storage of paper documents.
1.1.5 Measures to prevent the accidental reading of personal data from display units (e.g. appropriate placement of display units).
1.2 Protection against unauthorised access
1.2.1 Cryptographic protection of stored and transmitted data; rules for cryptographic measures.
1.2.2 Rules for third-party access to the information system, where such access occurs.
1.3 Management of access by authorised persons
1.3.1 Access control and measures guaranteeing a valid access control policy (e.g. identification, authentication and authorisation of persons in the information system).
1.3.2 Management of privileged access in the information system.
1.3.3 Logging of the access and activities of authorised persons in the information system.
1.4 Vulnerability management
1.4.1 Measures to detect and remove malicious code and to remedy the consequences of malicious code.
1.4.2 Protection against unsolicited electronic mail.
1.4.3 Use of legal software approved by the controller.
1.4.4 Measures to ensure that operating systems and application software are regularly updated.
1.4.5 Rules for downloading files from a publicly accessible computer network and the manner of their verification; filtering of network communication.
1.4.6 Collection of information on technical vulnerabilities of information systems, assessment of the level of the related risks and implementation of measures to mitigate those risks.
1.5 Network security
1.5.1 Control, restriction or prevention of the interconnection of the information system in which personal data are processed with a publicly accessible computer network.
1.5.2 Protection of the external and internal environment by means of network security tools (e.g. firewall); segmentation of the computer network.
1.5.3 Rules of access to a publicly accessible computer network, measures preventing connection to certain addresses, rules for the use of network protocols.
1.5.4 Protection against other threats originating from a publicly accessible computer network (e.g. hacker attack).
1.5.5 Updating of the operating system and application software.
1.6 Backup
1.6.1 Functional testing of backup media.
1.6.2 Creation of backups at a predetermined periodicity.
1.6.3 Determination of the retention period of backups and checks of compliance with it.
1.6.4 Testing the restoration of the information system from backup.
1.6.5 Secure storage of backups.
1.7 Disposal of personal data and data carriers
1.7.1 Technical measures for the secure erasure of personal data from data carriers.
1.7.2 Equipment for the mechanical destruction of carriers of personal data (e.g. for shredding documents and data media).
2. Organisational measures
2.1 Personnel measures
2.1.1 Authorisation by the controller or processor of the person who has access to personal data.
2.1.2 Instructions of the controller for the processing of personal data, in particular
2.1.2.1 the definition of the personal data to which a particular person is to have access for the performance of his or her duties or tasks,
2.1.2.2 the determination of the procedures which the authorised person is obliged to apply when processing personal data,
2.1.2.3 the definition of the basic procedures or operations with personal data,
2.1.2.4 the definition of liability for breach of the Act.
2.1.3 Instruction of authorised persons on the procedures related to automated processing means and on the related rights and obligations (on the controller's premises and outside those premises).
2.1.4 Designation of the data protection officer pursuant to § 44 of the Act.
2.1.5 Training of authorised persons (e.g. legal, information technology).
2.1.6 Procedure upon termination of the employment relationship or a similar relationship of an authorised person (e.g. return of assigned assets, cancellation of access rights, information on the consequences of a breach of the legal or contractual obligation of confidentiality).
2.1.7 Remote working and rules for mobile data processing.
2.2 Asset management
2.2.1 Keeping an inventory of assets and updating it regularly.
2.2.2 Records of all network interconnections, including connections to a publicly accessible computer network.
2.2.3 Determination of the ownership of assets and of responsibility for risks.
2.2.4 Rules and procedures for the classification of information.
2.2.5 Rules and procedures for the labelling and handling of information in accordance with the applicable classification scheme.
2.2.6 Rules for the acceptable use of information and of assets related to information processing facilities.
2.2.7 Measures for the return of assets (e.g. means of processing personal data) belonging to the controller after the termination of employment, after the expiry of the concluded agreements or contracts, on a change of job or position, etc.
2.3 Management of access to personal data
2.3.1 Rules for physical entry into the building and the protected areas of the controller.
2.3.2 Management of the means and devices for access to buildings (individual allocation of keys, electronic keys and access cards, and secure storage of their reserves).
2.3.3 Rules for the assignment of access rights and access levels (roles) to authorised persons.
2.3.4 Password policy and rules for the use of authorisation and authentication means.
2.3.5 Rules for the mutual substitution of authorised persons (e.g. in the event of an accident, temporary incapacity for work, termination of employment or a similar relationship).
2.3.6 Rules for the removal or modification of the access rights of authorised persons and of information processing facilities upon termination of employment, contract or agreement, or adaptation to changes of role.
2.4 Organisation of the processing of personal data
2.4.1 Rules for the processing of personal data in a protected area.
2.4.2 Continuous presence of an authorised person in the protected area if persons other than authorised persons are also present in it.
2.4.3 Regime of maintenance and cleaning of protected areas.
2.4.4 Rules for the processing of personal data outside the protected area, where such processing is envisaged
2.4.4.1 rules for the handling of physical media (e.g. documents, photographs) outside protected areas and the definition of responsibilities,
2.4.4.2 rules for the use of automated processing means (e.g. laptops) outside protected areas and the definition of responsibilities,
2.4.4.3 rules for the use of portable data carriers outside protected areas and the definition of responsibilities.
2.5 Disposal of personal data
2.5.1 Determination of the procedures for the destruction of personal data, with the definition of the related responsibilities of individual authorised persons (secure erasure of personal data from data carriers, disposal of data carriers and physical carriers of personal data).
2.6 Personal data breaches
2.6.1 Procedure for notifying a personal data breach to the Office and communicating it to the data subject, and for the timely adoption of preventive or corrective measures.
2.6.2 Regular review of event logs, user activity logs and exception records.
2.6.3 Records of personal data breaches and of the remedies applied.
2.6.4 Procedure for identifying and handling individual types of personal data breach.
2.6.5 Procedure for dealing with the consequences of personal data breaches.
2.6.6 Procedures to ensure continuity in the event of an accident or other emergency.
2.6.7 Procedure in the event of a failure, maintenance or repair of automated processing equipment.
2.7 Control activities
2.7.1 Control activity aimed at compliance with the adopted security measures, with determination of the manner, form and periodicity of its performance (e.g. regular checks of access).
2.7.2 Informing persons about the control mechanism,4) if the controller or processor has one in place (scope of the control and manner of its performance).
2.7.3 Procedures for monitoring the compliance of the processing of personal data pursuant to § 42 par. 7 of the Act.

2.8 Supplier relationships
2.8.1 Procedure for verifying sufficient guarantees.
2.8.2 Incorporation of data protection requirements into the requirements for new systems and into the rules for the development and procurement of systems.
2.8.3 Incorporation of data protection requirements into contractual relationships with suppliers and third parties.
2.8.4 Testing of security functions during system development.
2.8.5 Monitoring and regular review of the level of security of the services provided by suppliers.

1) For example ISO/IEC 29134 Information technology - Security techniques - Guidelines for privacy impact assessment (ISO/IEC 29134:2017), International Organization for Standardization (ISO); LINDDUN (privacy threat analysis methodology); STRIDE (threat model).
2) For example STN ISO/IEC 27005 Information technology. Security techniques. Information security risk management (ISO/IEC 27005:2011).
3) For example § 20 of Act No. 69/2018 Coll. on Cyber Security and on Amendments to Certain Acts.
4) Art. 11 and § 13 of the Labour Code; Art. 9 and § 5 of Act No. 55/2017 Coll. on Civil Service and on Amendments to Certain Acts, as amended.

The publisher of the Collection of Laws of the Slovak Republic, the content administrator and the operator of the Slov-Lex legal and information portal, available at www.slov-lex.sk, is the Ministry of Justice of the Slovak Republic, Župné námestie 13, 813 11 Bratislava, phone: 02 888 91 137, fax: 02/52442853, e-mail: helpdesk@slov-lex.sk.
