Page 1

SELF - GOVERNANCE AND NEW LEGISLATION
IN THE FIELD OF PERSONAL DATA PROTECTION
In accordance with Art. 22 par. 1 of the Constitution of the Slovak Republic „ Letter secret, secret of transported messages
and other documents and the protection of personal data are guaranteed . ".
In the environment of the Slovak Republic at that time, the regulation of personal data protection is regulated by Act no.
122/2013 Coll. on Personal Data Protection (hereinafter referred to as “Act No. 122/2013 Coll.”) 1 and two decrees
office; Decree of the Office for Personal Data Protection of the Slovak Republic no. 164/2013 Coll.
on the scope and documentation of security measures 2 and a decree of the Office for the Protection of Personal Data
data of the Slovak Republic no. 165/2013 Coll. laying down the details of the test
natural person to perform the function of responsible person 3 . The above law and decrees are
result of the process of transposition of Directive 95/46 / EC of the European Parliament and of the Council of 24
October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of persons
these data 4 .
It is logical that the 1995 Directive cannot be up-to-date in all ways
how the processing of personal data is carried out in 2018. It was only a matter of time before
new legislation has been adopted to move the processing and protection of personal data to the third
Millennium Development Goals and at the same time unify the processing of personal data in the European Union.
The result of these efforts is a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (EU)

1

2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on
free movement of such data, repealing Directive 95/46 / EC (General Regulation
on Data Protection) (hereinafter the “Regulation”) 5 , which provides a comprehensive framework for the protection of data
personal data, supplemented in each Member State by partial adjustments via
national laws on personal data protection. It will be in the environment of the Slovak legal order
from 25.5.2018 such Act no. 18/2018 Coll. on the protection of personal data and on amendments
of certain Acts 6 (hereinafter referred to as “Act No. 18/2018 Coll.”).
Both the regulation and Act no. 18/2018 Coll. will enter into force on 25 May 2018 and the current Act no.
122/2013 Coll. and his two decrees will become ineffective. In accordance with the above article
of the Constitution of the Slovak Republic, every natural person has the right to the protection of personal data
guaranteed, and of course this also applies if it processes personal data
self-government in the performance of its activities, whether it is the delegated performance of state administration or the performance
its original powers.

1 https://www.slov-lex.sk/pravne-predpisy/SK/ZZ/2013/122/20140415
2 https://www.slov-lex.sk/static/pdf/2013/164/ZZ_2013_164_20140501.pdf
3 https://www.slov-lex.sk/static/pdf/2013/165/ZZ_2013_165_20130701.pdf
4 http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A31995L0046
5 https://dataprotection.gov.sk/uoou/sites/default/files/nariad_2016_679_text_sk.pdf
6 https://www.slov-lex.sk/static/pdf/2018/18/ZZ_2018_18_20180525.pdf

Page 2

What will this legislative change bring to local governments? How to respond to it?
First of all, it is necessary to deal with both texts, both the regulation and Act no. 18/2018 Coll.
acquaint. As the Regulation does not apply to the processing of personal data under
activities which do not fall within the scope of Union law, it was also necessary to legislate for
activities which do not fall within the scope of Union law 7 , or to regulate certain areas
processing for which the Regulation, as a Member State, has authorized us, which has been done by adoption
Act no. 18/2018 Coll. The regulation also reflects technological progress, so it was not appropriate to
was Act no. 122/2013 Coll. only amended, the current solution is more appropriate when so
national legislation on the processing of personal data, as well as European legislation, is in its own right
essentially identical and thus does not create disharmony in the performance of obligations for the operator.
What needs to be done?
The basic unit of territorial self-government is the municipality. The municipality in the position of the operator processes
personal data, in particular on the basis of special laws, in compliance with which it performs its tasks
and part of this is the processing of personal data of its employees as well as residents or others
natural persons.
The legal basis on which personal data is processed is in the environment of municipalities
in particular special laws where such consent is not required for such processing of personal data
the person concerned (employee or resident of the municipality). Special law as a legal basis
processing of personal data remains the same with the advent of Regulation or Act no.
18/2018 Coll. Also for the processing of personal data on a contractual basis, ie without consent
the person concerned, if one of the parties is the person concerned (for example, an employee)
nothing changed.

2

In the context of the transition to the new legislation, it is necessary that one of the first steps it should take
The operator - the municipality / city to perform, is asking what personal data as a municipality / city
I process on what legal basis (special law, contract, consent of the person concerned ...) it is
this processing is "based" and whether the personal data processed are based on law or consent
correspond to those that I process for the given purpose. It is also necessary if processing is based
check, with the consent of the person concerned, that the consents are valid or meet the requirements of
Act no. 122/2013 Coll. and if not, obtain these, if necessary. Me too
necessary to confront consents under Act no. 122/2013 Coll. and the requirements for consents under
Act no. 18/2018 Coll. and regulations to ensure that those obtained now comply with current law
and were applicable, also applicable to the new legislation 8 . In case the municipality intends to acquire
consents only from 25.5.2018 it is necessary to "set" them according to the new regulation. The result of this
activities should be a transparency of the flow of personal data at the operator, municipality / city,
and the liquidation of those personal data on the processing of which the municipality has no legal basis.
The result of this activity will be a clear structure of what personal data the municipality / city as
the operator processes and on what legal basis the processing is based.

7 For

example, resolving complaints under Act no. 9/2010 Coll. on complaints or arrangements for economic mobilization.

8 See

§ 110 par. 11 of Act no. 18/2018 Coll.

Page 3

Another important aspect is the supervision of how personal data is set up in a community / city environment
the operator process, ie management and knowledge of how the municipality obtains personal data,
who comes into contact with them within the municipality (in the environment of a municipal or city office), such as
processes them (for example, whether the letter of the law is observed, if it also stipulates the method of processing).
You need to know who has what access rights, such as personal data separated by appearance
for their purpose and in the context of the job classification or job description and instructions
employees. It is not right if the employees of the municipality or city have access to personal
data for which it does not follow them on the basis of the job description. They should only perform those
processing operations with personal data of which they have been instructed. If this is not the case,
this authorization and access control structure needs to be set up correctly, thus eliminating it
the possibility of security breaches and unauthorized access to personal data. In context
Act no. 122/2013 Coll. processing of personal data by the operator, municipality or city,
performed by instructed authorized persons. In the context of the regulation, this will be similar after the content
on the formal side of the instruction, replace the operator's credentials with instructions,
describing how the person having access and authorization to the personal data has the personal data
process. 9
Everyone has the right to know who processes their personal data and why
information on who the operator is, why he has an obligation or may have his personal data
to process them from where they are not provided to him by the person concerned himself. In the current legal
regulation, this information obligation was regulated by § 15 par. 1 to 3 of Act no. 122/2013 Coll. whereas
the basic and well-known exception was that if the operator, the municipality / city, whoever processed it
personal data on the basis of the law, to fulfill this information obligation towards the person concerned
did not have to (Section 15, Paragraph 3 of Act No. 122/2013 Coll.). Regulation and Act no. 18/2018 Coll. in order
transparency and information of the data subject abolish this exemption from the information obligation,
therefore, even if any operator, including a municipality / city, will process personal data on
under the law (on an employee, on a local taxpayer ... or on another person) will be obligatory
inform the person concerned. It is necessary to prepare for this change and to implement and process it
"Privacy policy" in order to put the municipality / city in a position
the operator fulfilled these obligations and was able to prove their fulfillment. 10

3

Another novelty, which will not be so "dramatic" in the environment of municipalities, is the obligation of the municipality to have
designated responsible person 11 , this means that even municipalities that do not currently have a responsible person
they must identify it and communicate its contact details to the Office. It is possible if the municipalities recognize it
for an appropriate solution that will be enforceable in terms of the responsibilities of the responsible person to
several municipalities have jointly designated one responsible person. The possibility of that remained unchanged
the responsible person can be both the employee of the operator (employee of the municipality), as well as
external person. 12

9 Compare

§ 21 of Act no. 122/2013 Coll. and Art. 32 par. 4 of the Regulation

10 Compare
11 See

§ 15 par. 1 to 3 of Act no. 122/2013 Coll. and Art. 13 and 14 of the Regulation.

guideline WP29 / Working Group according to Art. 29 to the responsible person:

https://dataprotection.gov.sk/uoou/sites/default/files/usmernenia_tykajuce_sa_zodpovednych_osob.pdf .
12 Compare

§ 23 to § 27 of Act no. 122/2013 Coll. and Art. 37 to 39 of the Regulation.

Page 4

Regarding the issue of declaring security and protection of personal data in the environment
specific operator (municipality / city), Act no. 122/2013 Coll. demanded a declaration
security by documenting in the form of a security project only if
the operator complied with Act no. 122/2013 Coll. stated criteria. Regulation and Act no.
18/2018 Coll. they approach security in terms of its provision in the same way, only from a formal point of view
abandons the strict formalized approach that followed for the operator in the case of
if he had to draw up a security project, the details of which were set out in detail in
decree. Regulation or law no. 18/2018 Coll. they are no longer so strict with documents
describing the security measures taken formally, and it is up to the operator to
how to deal with a formal description of the security measures taken by him, but which is
always obliged to prove at the request of the Office, as such an obligation is stipulated by a regulation
also Act no. 18/2018 Coll. 13
Regulation and Act no. 18/2018 Coll. they understand the processing of personal data more in line
description of general standards for the processing of personal data and no longer
how the processing of personal data is carried out, therefore, for example, it is not in both texts
individually specified adjustment of personal data processing by camera systems, such as
this was the case in Act no. 122/2013 Coll. It will therefore be necessary for operators to do these
processing operations were re-evaluated and they found the legal basis for monitoring most often
in the legitimate interest or in the public interest, or carry out monitoring, if any
provides for a special law on the basis of this special law.
The above are just the basic features of some of the "processing" habits
personal data from 25.5.2018 will need to be seen as an opportunity to start
processing of personal data "again" and use this option for "major cleaning"
personal data. Of course, this change requires detailed work and preparation to be done
the Office will do much to facilitate its guidance and disclosure on
its website 14 .

13 Compare
14 Website

§ 19 of Act no. 122/2013 Coll. and Art. 32 of the Regulation.

of the Office, information on the regulation: https://dataprotection.gov.sk/uoou/sk/main-content/nariad-gdpr.

4

---

Page 1

Ensuring the conduct of elections and protection of voters' personal data
Office for Personal Data Protection of the Slovak Republic (hereinafter referred to as the "Office")
with regard to the upcoming elections to municipal self-government bodies
the need to protect the personal data of voters.
The conditions for the exercise of the right to vote and the organization of elections are regulated by law
no. 180/2014 Coll. on the conditions for the exercise of the right to vote and on amendments
certain laws (hereinafter referred to as “Act No. 180/2014 Coll.”). This law also imposes
municipalities a number of obligations for which it is necessary to process personal data.
Introduction
The operator, in this case municipality 1 , is obliged to take measures to:
with personal data for the purposes of exercising the right to vote and its security
treated in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council
(hereinafter referred to as the "Regulation") and Act no. 18/2018 Coll. on the protection of personal data
a
addition
some
laws
(further
len
"the law
and change
no. 18/2018 Coll. ”). The municipality is primarily obliged to identify and describe all
processes in connection with the electoral agenda, in which personal data are processed
data subjects and the processing of personal data in accordance with the principles of:
• legality - the controller in order to be able to process personal data
legally, must have an adequate legal basis in accordance with Art. 6
par. 1 Regulations / § 13 par. 1 of Act no. 18/2018 Coll.,
• fairness and transparency - especially in terms of information provision
obligations in relation to the persons concerned who are entitled to be
informed of the processing of their personal data,
• purpose limitation - personal data can only be obtained for specific, explicit
stated and legitimate purpose and may not be further processed in a way that does not
is compatible with this purpose,
• minimization of personal data - the operator has a duty to consistently
comply with the processing of only those personal data which he has for the purpose of enforcement
the right to vote is enabled by Act no. 180/2014 Coll. It is necessary that the municipality
it processed only personal data according to the law on documents and sheets
no. 180/2014, it is also desirable that the one who produces the forms for performance
elections to ensure that personal entries are not made arbitrarily
data beyond the scope of Act no. 180/2014 Coll .; for non-disclosure and non-acquisition
personal data beyond the scope of the law, it is appropriate to teach in this direction as well
"Entitled persons" ensuring the conduct of elections,

Operators of the permanent list of voters are in the context of § 9 par. 1 of Act no. 180/2014 Coll. village.
"The permanent list of voters (hereinafter referred to as the" permanent list ") is compiled and maintained by the municipality, in the capital of Slovakia.
1

of the Republic of Bratislava and in the city of Košice the city district (hereinafter referred to as the “municipality”). He writes to the permanent list
village voters who have a permanent residence in the village. A voter can only be registered in one permanent list. "

Page 2

• principle of correctness - the operator is obliged to process correctly
and updated personal data. In this context, particular mention may be made
the obligation of the municipality to continuously ascertain the facts that are the reason
to change the permanent list of voters,
• minimization of personal data retention - the operator is
authorized to keep personal data in a form that allows identification
the persons concerned only for the time necessary to achieve the purpose
processing,
• integrity and confidentiality - proper security of personal data.
1. Records of processing activities
Records of processing activities according to Art. 30 Regulations / § 37 of the Act
no. 18/2018 Coll. (sample here: https://dataprotection.gov.sk/uoou/node/484) is necessary
update the purpose of the processing of personal data, which is to ensure performance
and the conduct of the elections, for example according to procedure 2 below :
Purpose of processing: Ensuring the course of elections, the agenda of elections, ensuring the agenda of the municipality
according to law no. 180/2014 Coll.
Legal basis: Act no. 180/2014 Coll .; The indication of the legal basis is optional.
Categories of persons concerned: voters, members of the local and precinct election commission, candidates
Categories of personal data: ordinary personal data; the municipality may optionally complete this field
also to provide an exact list of personal data.
Categories of beneficiaries: to be filled in by the municipality
Planned period for deletion: to be filled in by the municipality in accordance with special regulations and the registry
order
Precautions: to be completed by the municipality ; for example, a link to the documentation received will suffice
security measures, or describe in detail the individual organizational and technical
measures - election documentation is stored in locked rooms, access
to electronic data files is secured with passwords and in accordance with the settings
access rights, the data shall be made available only to authorized persons who act in accordance with
with the instructions given by the operator and others.
2. Information obligation
Above all, the municipality must be prepared to fulfill the information obligation towards
concerned. With regard to the information obligation, it should be noted that
municipalities must already have, in accordance with Art. 13 or 14 of the Regulation / § 19 or § 20 of Act no.
Applies only to municipalities that do not have the given purpose of processing in their records of processing
activities already defined.
2

Page 3

18/2018 Coll. fulfilled the complex information obligation they usually have
published on the official notice board or on the website of the municipality. Comprehensive information
the obligation means that it involves and informs the persons concerned of any purpose of processing
personal data performed by the municipality, it is therefore necessary to rely on records
on processing activities, where the individual purposes of processing are to be defined
and continuously updated.
We recommend that despite the existence of a comprehensive information obligation, which
should already include the purpose of securing elections, in accordance with the principle of
transparency, the municipalities have taken appropriate measures to provide the person concerned
all information referred to in Art. 13 or 14 of the Regulation / § 19 or § 20 of the Act
no. 18/2018 Coll., Which relate to the processing of personal data for a defined purpose,
which is to ensure the conduct of elections under Act No. 180/2014 Coll., Namely
in a concise, transparent, comprehensible and easily accessible form, worded clearly
and simply, especially in the case of information specifically for the elderly who
we place it in a more vulnerable category of affected persons. This makes the village easier to prepare as well
to address a possible situation envisaged by Regulation / Act no. 18/2018
Z. z., When the person concerned requests that his information be provided orally. So the goal
can only be the elaboration of an "excerpt" from the complex information obligation, while
within this document it is possible to subsequently provide a link, for example in the wording - more
information on the processing of personal data is available on the official notice board / website
municipality / on the notice board or in person at the employee of the first contact office.
What, for example, can this information obligation to voters look like?

Information for voters on the processing of personal data
Operator
Responsible person - contact

Indicate the municipality
Contact the responsible person shall be provided

Rights of the person concerned
the right of access to personal data

Yes
Yes

the right to correct personal data
the right to delete personal data

not

the right to restrict the processing of personal data yes
the right to the transfer of personal data

not

the right to object to the processing of personal data

not
the right to file a motion to initiate proceedings pursuant to Section 100
Act no. 18/2018 Coll.
Yes
Information on the data processed
purpose of processing

ensuring the conduct of elections

Page 4

legal basis
retention period
recipients
legitimate interests

Act no. 180/2014 Coll. on performance conditions
electoral law and amending
certain laws
to be filled in by the municipality
to be filled in by the municipality
not

transfer to a third country
not
automated
individually
decision-making, including profiling, no
Provision of personal data, in particular in relation to the voter 's obligation to prove his or her identity
identity with an identity card or other official document that it contains
the image of a voter and all the information about him in the voter list is legal
requirement in accordance with Act no. 180/2014 Coll. on the conditions for the exercise of the election
law and amending certain laws.
It should also be pointed out that the operator only demonstrates compliance
its obligation to inform the person concerned within the meaning of Article 13 or 14 of the Regulation / § 19
or 20 of Act no. 18/2018 Coll. and not whether the person concerned has actually become acquainted
with the content of the information obligation by reading it, ie there is no obligation to, for example
the document by which the operator fulfills the information obligation was also itself
signed by the person concerned or would even be required to be signed.
Equally important and necessary is to deal with the provision of information in the language
national minority / in a form intended for the blind and partially sighted in municipalities
according to a special regulation.
The municipality must not forget that it is obliged to fulfill the information obligation according to
Art. 13 or 14 of the Regulation / § 19 or 20 of Act no. 18/2018 Coll. also internally, in
relationship with members of the local and precinct election commission whose personal data
as well as in relation to individual candidates for
council and the mayor, where the purpose of the processing is different from the above
situation, this purpose of processing is the registration of candidates for municipal elections
council or for the election of the mayor of the municipality. As a way of fulfilling this form
the obligation to provide information orally is also possible
form, or in the form of a separate document. If personal information
have not been obtained directly from the candidate as the person concerned (Article 14 of the Regulation / § 20 of the Act
no. 18/2018 Coll.) We pay attention to exceptions from the information obligation according to
par. 5 of the provision in question.
How the operator can fulfill the information obligation in the relationship
to voters?
There are several options, especially the need for operators to think
also on the adequacy and suitability of individual measures, for example from a point of view
administrative complexity. An example is the publication of information on the bulletin board

Page 5

in the polling station, on the municipality's website, placement of information boards,
possibly the possibility of fulfilling the information obligation at the same time as publishing the information
on the conditions of the right to vote and the right to be elected on the official board of the municipality and on the website
the seat of the municipality, if it has been established, according to § 21 par. 1 of Act no. 180/2014 Coll. or simultaneously
with delivery of the notification according to § 21 par. 3 of Act no. 180/2014 Coll., Which are intended for
each household, and in which the municipality states the time of the elections, the constituency,
polling station, brief method of adjusting the ballot paper and the obligation of the voter
to prove oneself before voting with an identity card.
3. Security measures
In conjunction with Art. 25 and Art. 32 Regulations / § 32 and § 39 of Act no. 18/2018 Coll. is a
the controller is obliged to assess the risks in the processing of personal data
and taking into account the seriousness of the possible interference with the rights and freedoms of the persons concerned
adequate security measures, by which we mean technical measures
and organizational.
Part of security measures is, in particular, to ensure the obligation to
that any person acting under the authority of the operator; or
intermediary and has access to personal data processed only on the basis of
instructions of the operator ( obligation to instruct in the context of Article 32 (4) of the Regulation
and Art. 29 Regulations / § 39 par. 4 of Act no. 18/2018 Coll. and § 36 of Act no. 18/2018 Coll.),
or in accordance with a special regulation or international agreement which is
Slovak Republic bound. In practice, an authorization may also mean an authorization for
performance of an act or a similar document, of which they may or may not be attached
be at the same time instructions for the processing of personal data.
According to § 11 par. 4 of Act no. 180/2018 Coll. anyone who is eligible
to get acquainted with the data in the voter list, he is obliged to keep about them
secrecy . This obligation is also reflected in Act no. 18/2018 Coll. in § 79, which imposes
the obligation of the operator and the intermediary to be bound by confidentiality
on the personal data of natural persons who come into contact with personal data
at the operator or intermediary. In case they are in the polling station
present in addition to members of the precinct election commission, its recorder and others
other persons who have expressed an interest in observing the conduct of the elections, and
the counting of votes must be such that, in particular, those persons cannot inspect the
list of voters, or made extracts, write-offs, photographic records or
videos.
In connection with the fulfillment of obligations pursuant to § 24 par. 2 of Act no. 180/2014 Coll.,
specifically with the obligation of the voter to sign the takeover of the ballot paper by hand
and envelopes in the voter list will need to be individual district members
election commissions proceeded with this act in such a way as to prevent unauthorized use
making personal data available to other voters whose personal data are contained
on the same page of the relevant voter list. This can be achieved

Page 6

for example, by translating blank papers into the personal data of other voters located
on the list of voters, which will allow the voter concerned to see only his or her signature when signing
personal information. In the case of voting outside the polling station, seconded members
the district election commission shall take the same measures when signing the voter
protection of personal data of other voters registered on the electoral roll
As part of its activities, the Office also met with suggestions from citizens who objected
non-compliance with the discrete zone. The situation can be solved, for example, by marking discrete
zone by marking its contours on the floor, or correcting by members
the Electoral Commission that voters come to the polling station on an ongoing basis and to take over
ballots took place gradually, thus ensuring the confidentiality of the data
voters.
4. Selected application problems in securing elections
Something has changed about the processing of the birth number in the conditions of the new legal
privacy adjustments?
Birth number is no longer a special category of personal data (not included
to Art. 9 Regulations / § 16 of Act no. 18/2018 Coll.); birth number processing adjustment is
defined in § 78 par. 4 of Act no. 18/2018 Coll. " When processing personal data
a universally applicable identifier may be used for the purpose of identifying a natural person
according to a special regulation22 ) only if its use is necessary to achieve
for the purpose of processing. Consent to processing generally applicable
the identifier must be explicit and must not be precluded by a specific regulation in the case of his
processing on the legal basis of the consent of the data subject. Publish in general
the usable identifier is prohibited; this does not apply if the universally applicable identifier
published by the person concerned himself. “. Publish a universally applicable identifier
continues to prohibit, nor does the consent of the person concerned, this prohibition on the publication of a personal identification number
can't break.
In order for the controller to be able to process personal data in a lawful manner
the persons concerned must have a so-called legal authorization resp. relevant legal basis.
In this case, the processing of the birth number is carried out on a legal basis, which
is a special law. According to § 9 par. 3 of Act no. 180/2014 Coll. about the voter in permanent
the list shall contain the following information: a) name and surname, b) birth number , if it is an alien,
date of birth, unless birth number assigned, c) nationality, d) name
municipality, street name, if the municipality is divided into streets, inventory number and reference number of the house
permanent residence.
Obtaining the consent of the data subject with the processing of his personal data is
in such cases redundant and confusing for the person concerned, as
the controller has a relevant legal basis for the processing in question
in accordance with Art. 6 par. 1 letter c) Regulations / § 13 par. 1 letter c) of Act no. 18/2018 Coll.,
in connection with Act no. 180/2014 Coll.

Page 7

My personal data is made available to the members of the election commission, I am a voter
worried they might be abused?
According to § 11 of Act no. 180/2014 Coll. list of voters for each election
the district is prepared by the municipality from a permanent list. This voter list will be submitted by the municipality
the district election commission no later than one hour before the start of the voting and whoever is
authorized to become acquainted with the data in the voter list, is obliged to maintain about them
confidentiality and processes them only in accordance with the instructions (instructions) of the operator.
Processing of personal data of voters, including birth number for enforcement purposes
electoral law and in connection with its disclosure to members of the electoral commission
contrary to Regulation / Act no. 18/2018 Coll. Every operator, in this
In this case, the municipality is responsible for the security of personal data and is obliged to comply
security measures to ensure the protection of personal data.
What if a candidate list of an independent candidate or a candidate list
political party contains personal data that is not a local election commission
entitled in accordance with the exhaustively defined list of personal data in law
no. 180/2014 Coll. process?
Act no. 180/2014 Coll. defines a particular situation in which it occurs
to the processing of personal data and at the same time determines the list of personal data that is
the operator obliged to process may process them only to the extent that for
it is established by a generally binding legal regulation and it is not appropriate to extend it
a list of personal data beyond what is provided by a special law.
First and foremost, the operator should ensure that to provide personal
data beyond the list of personal data defined in Act no. 180/2014 Coll.
did not occur, for example by creating uniform candidate lists, which would
did not allow the data subjects to provide optional data / enter data beyond
those stipulated by law, the so-called providing personal data "for safety".
In the case of obtaining personal data, which is not stipulated by law
no. 180/2014 Coll. In order to ensure the conduct of the elections, the operator would have to
further processing have a relevant legal basis in accordance with Art. 6 par. 1
Regulations / § 13 par. 1 of Act no. 18/2018 Coll., For example with the consent of the person concerned.
The deletion of that part of the candidate list which goes beyond the scope of the law seems to be a suitable solution
contains "unnecessary" personal data, unnecessary for the given purpose of processing. This
the approach is also appropriate in terms of compliance with one of the basic principles of processing,
namely the principles of data minimization.
If the registration authority receives a list of candidates for registration, of which it is a part
there is also a voter list to support the candidate in the election, which contains the data
beyond the requirements of a special law, how should such data be handled?
The situation is similar to the previous case. In the signature in question
In the document, each voter shall state the name and surname, date of birth, permanent residence
means the name of the municipality, the name of the street, if the municipality is divided into streets, and the house number. On everyone

Page 8

the name, surname, title, date of birth and address shall be given on the signature sheet
permanent residence of the candidate. The operator, in this case the candidate
to the deputy, resp. the mayor of the municipality, who processes personal data for the purpose of obtaining
the required number of signatures of voters supporting his candidacy is hereby bound
the list of personal data defined by Act no. 180/2014 Coll. Beyond this as follows
may receive additional personal data, such as telephone number, e-mail
address only if it has an adequate legal basis for such a purpose
the consent of the person concerned. In terms of the new legislation on personal data protection is
it should be noted that the institute of consent is strictly formalized. Consent must be free
granted, specific, unambiguous and informed, to which the obligation relates in particular
inform the data subject of the right to withdraw consent to the processing of personal data.
It is necessary to inform those who will spread the petition to the public to be affected
persons have drawn attention to the provision of data only to the extent provided by law.

---

Page 1

PERSONAL DATA PROTECTION OFFICE OF THE SLOVAK REPUBLIC
Hraničná 12, 820 07 Bratislava 27
_______________________________________________________________________________________________________________

no. 00204/2018-Op-1

Methodological guideline no. 1/2018
Institute of the responsible person in the conditions of municipalities and cities

According to § 81 par. 2 letter d) of Act no. 18/2018 Coll. Office for Personal Data Protection
Of the Slovak Republic (hereinafter referred to as the "Office") issues this methodological guideline.

INTRODUCTION
The institute of the responsible person in the conditions of the Slovak Republic is not new
institute. The legal regulation valid and effective until 24.05.2018 is the authorization of the responsible person
voluntary. According to the new legislation, which will apply from 25.05.2018, it will be
for municipalities and cities, the obligation to entrust the responsible person with the performance of protection supervision
personal data. The reason for issuing this methodological guideline is changes that
Regulation (EU) 2016/679 and Act no. 18/2018 Coll. (hereinafter "GDPR" and "the law")
and which will also affect municipalities and cities. This methodological guideline addresses in particular issues such as
organizationally ensure the fulfillment of obligations related to the designation of the responsible person
in the conditions of municipalities and cities.
1 LEGISLATION
Municipalities and cities must be understood as a public authority within the meaning of Art. 37 par. 1 letter
a) GDPR resp. § 44 par. 1 letter a) of the Act.
Conditions for determining the responsible person as well as his role and duties of the municipality / city in
relation to the responsible person is established by Art. 37 - Art. 39 GDPR resp. § 44 - § 46 of the Act.
1.1. CONDITIONS TO BE MET BY THE RESPONSIBLE PERSON
The responsible person must first and foremost have professional qualities . Under these
can be understood for example:
- sufficient knowledge and experience in the field of personal data protection,
- expertise in law - especially in GDPR, law and other regulations related to
protection of personal data,
- knowledge of the functioning of public administration as such,
- practical knowledge of the organization, operation and internal regulations of the municipality / city,

Page 2

- good knowledge of processing activities, processing operations performed
as well as systems, applications, means of processing and the needs of the municipality / city
concerning the protection of personal data,
- ability to perform the tasks of a responsible person, in particular providing advice,
including advice on impact assessment, monitoring of city / municipality compliance
with regulation, risk management.
The level of expertise is not precisely defined, it should be proportionate to the sensitivity,
complexity and amount of data that the municipality / city processes.
The municipality / city is responsible for ensuring that the responsible person mentioned above
meets the preconditions and these can be demonstrated, for example:
- evidence of the highest level of education attained in terms of expertise, focus,
- various certificates or attestations of completion of courses or training,
- documents proving that person's experience in the field of personal data protection
(eg recommendation from a previous employer, ...).
1.2 STATUS AND TASKS OF THE RESPONSIBLE PERSON
In the context of the new legislation, the responsible person has the status of:
- assistant and consultant in the system of personal data protection,
- the contact person for the Office and the persons concerned whose personal data are being processed
(eg villagers).
In order for it to have this status, it needs to be truly available - it must
be, if necessary, realistically reachable both for the municipality / city and for the persons concerned and the office.
If the responsible person performs in addition to tasks related to personal data protection, another
agenda, it must be ensured that it actually "pursues" all its agenda.
The minimum tasks of the responsible person under the new legislation include in particular 1 :
• monitoring compliance with the GDPR and the law - helps the municipality / city to comply,
therefore, for this purpose, it collects information to determine the processing activities of the municipality / city,
analyzes and verifies their compliance and provides advice and recommendations,
• Providing on-demand advice on protection impact assessments
data ,
• cooperation with the Office ,
• other tasks - e.g. keeping records of processing activities which
facilitate the monitoring of compliance with the GDPR resp. by law.
Other tasks and responsibilities that the municipality / city entrusts to the responsible person must not lead
to a conflict of interest . In practice, this means that the responsible person may not be in the municipality / city
to hold a position from which it would determine the purposes and means of the processing of personal data, such as

For a more detailed description of the individual tasks of the responsible person, we recommend see WP Guideline 29
concerning the responsible persons which the Office has published on its website also in Slovak here:
1

https://www.dataprotection.gov.sk/uoou/sites/default/files/usmernenia_tykajuce_sa_zodpovednych_osob.pdf

2

Page 3

e.g. the function of mayor / mayor, vice-mayor / vice-mayor or other, if filled
condition for deciding on the purposes and means of personal data processing (purpose
and the means of processing are determined by the operator, resp. person authorized to act on behalf of
operator). In order to avoid conflicts of interest, the Office recommends specifying in internal
regulations of the municipality / city positions that are incompatible with the function of the responsible person.
The municipality / city must ensure the independent performance of tasks by a responsible person. This
can be ensured, for example, by:
- the responsible person will not receive any instructions
• how does it have its tasks according to the GDPR resp. exercise the law,
• what result is to be achieved in compliance monitoring,
• how to resolve the complaint of the data subject, or
• how to consult the Office in matters of personal data protection, etc.
• The responsible person must not be dismissed or otherwise penalized by the operator
performance of tasks according to GDPR resp. of the law,
• The responsible person will provide all reports, information and proposals related to the performance of their
tasks directly to the person authorized to act on behalf of the operator (usually
mayor).
The Authority recommends documenting any operator opinion deviating
from the recommendations of the responsible person and justify this deviation, as the responsibility for compliance
borne by the operator.
The responsible person should have a direct obligation to notify
the mayor so that he can inform him of any findings
and recommendations regarding the protection of personal data. This must be ensured without
regardless of whether the responsible person is an employee of the municipality / city or an external entity.
The Office emphasizes that by appointing a responsible person, the municipality / city does not get rid of its own
responsibility for the processing of personal data in accordance with the law. if
the operator entrusts the responsible person, who is not sufficiently competent, has not checked
her expertise before her appointment, for possible failure to perform tasks (erroneous
opinion, incorrect recommendation e.g. in the impact assessment), is responsible
operator (municipality / city) in full, as it was the duty to take care of professional competence
(principle of operator responsibility); the responsible person is therefore not personally liable for
any non-compliance, the operator is responsible for the breach of the GDPR and the law, however
he may claim from the liable person the damage caused to him, within the framework of
employment law or similar relations resp. on the basis of the contract he has with this
by a responsible person closed in the case of an external entity.
1.3 OBLIGATIONS OF MUNICIPALITIES AND PLACES IN RELATION TO THE RESPONSIBLE PERSON
The municipality / city must ensure:

3

Page 4

(a) the involvement of the responsible person in a proper and timely manner in all matters
with the protection of personal data, for example:
• ensuring the presence of a responsible person in cases where they are admitted
decisions with an impact on the protection of personal data so as to provide appropriate
counseling (municipality / city should have a possible deviation from the opinion of the responsible person
substantiated by reasons),
• during immediate consultation in case of breach of personal data protection, etc.
b) support of the responsible person in performing his tasks according to the GDPR resp. of the law,
for example in the form of :
• provision of resources - finances, premises, equipment or facilities (eg computer)
and sufficient time, space to carry out its tasks properly and in a timely manner; in larger
municipalities / cities as well as staff, if necessary to create a team around the responsible
persons and adjust the structure and tasks of individual team members,
• providing access to personal data - to monitor compliance with the GDPR
and the law,
• continuous training of the responsible person - constantly increasing his / her level
expertise in the field through its participation in trainings, courses or
seminars, also due to the fact that the responsible person subsequently retrains as well
employees of the municipality / city who work with personal data, etc.
(c) publication of the contact details of the responsible person - on the website (if any)
established) and the official bulletin board, possibly also in municipal / city newspapers, etc.
• such information may be the e-mail address or telephone number at which it is located
the responsible person can be reached. The e-mail address can be e.g. in shape
responsible@personal name/mesta.sk, it is therefore not necessary to indicate the name
and the surname of the responsible person; the phone number can be a business mobile phone or
a line set up for this purpose. Contact information can also be correspondent
address e.g. municipal / municipal authority (or legal person responsible for
person), if the responsible person has an office here, or its door number, etc.
d) notification of the contact details of the responsible person of the Office - the Office shall publish for this purpose
a form for reporting the data in question on its website.
2 WHO CAN BE A RESPONSIBLE PERSON AND HOW TO DETERMINE IT
The responsible person can be a natural person as well as a legal entity. The Office recommends
in the case of the designation of a legal person as the responsible person in a contract concluded between
municipality / city and such a legal entity to designate a specific natural person who
will actually perform the function of the responsible person and will be reachable to the municipality / city as
also for the Office and the persons concerned.

4

Page 5

The responsible person can be an employee of the municipality / city or an externally cooperating
person. One municipality / city can also have several responsible persons, e.g. responsible person
for IT, the person responsible for human resources, etc., but each is responsible separately
and also for the performance of their tasks in the field. There may also be a situation that multiple
municipalities / cities share one responsible person.
The function of responsible person can also be performed by a deputy of the municipal / city council
council, but not by virtue of his function as a member of the council. As a member of parliament
municipal / city council is according to § 11 par. 2 letter b) of the Act on General Establishment
incompatible with the function of the employee of the municipality / city in which he was elected, would be the responsible person
could be in such a municipality / city only on the basis of a service contract.
In the conditions of municipalities / cities, we distinguish several ways of determining the responsible person:
(a) an employee
- on the basis of an employment contract
• we recommend concluding for an indefinite period of time, as the responsible person should know
internal operation and organization of the municipality / city in detail (probation clause by
not affected),
• must contain a confidentiality clause on personal data,
• if the performance of the function of the responsible person is not the only agenda of the person is appropriate
sign a statement with the employee that the employee does not have any
conflict of interest,
- the function of the responsible person may be the only activity he carries out or may have
also in charge of another agenda that is not related to the protection of personal data (in such a
in this case, it is necessary to ensure that there is no conflict of interest),
- he must perform the function of responsible person independently without any instructions
your superior or the mayor / mayor directly,
- reports directly on all its data protection findings
to the mayor / mayor and not to his / her head within a department or division, by
of which he is assigned if he also performs another agenda,
- remuneration for the performance of the work of the responsible person according to the Labor Code, Act no. 553/2003
Z. z. on the remuneration of certain employees in the performance of their duties in the public interest
possibly other regulations,
may not be penalized for remuneration or in any other way for
independent performance of his duties under the GDPR and the law.
- representation in case of absence
• short-term absence - proceed as in the case of representation of any
another employee, in principle no further action is required,
• long-term absence - the municipality / city should appoint a "substitute" responsible person
(eg temporarily appoint another employee or temporarily appoint an external employee)
responsible person - even such "temporary" responsible persons must meet all
the above conditions for the performance of this function).

5

Page 6

b) an externally cooperating person
- has a non-employment relationship with the municipality / city,
- it can be a natural person or a legal entity that concludes a contract with the municipality / city
on the provision of the service, which should include in particular:
• identification of the person or persons who will perform the tasks of the responsible person,
• in the case of several persons, the designation of one specific person who will be the principal
the contact person for the persons concerned and the Office,
• an indication of the individual tasks to be performed by the responsible person,
• an agreement guaranteeing the independence of the responsible person,
such as the obligation of the responsible person to report a conflict of interest, exhaustive
calculation of the reasons for which the contract may be terminated and the person responsible
may be a long - term failure to perform tasks, loss of ability to perform
individual obligations)
- the reasons must not include a disguised sanction for the independent performance of the function
responsible person and must not create room for arbitrary untying
cooperation with the responsible person by the municipality / city,
• confidentiality clause on personal data and security measures
municipalities / cities,
- we recommend concluding the contract for an indefinite period of time, as the responsible person should know
internal operation and organization of the municipality / city in detail,
- conditions of remuneration and amount of remuneration - a matter of agreement of the municipality / city
and the responsible person,
- Representation in case of absence - the responsible person should take appropriate measures
to ensure that individual tasks are performed continuously (for example, setting deadlines
in which the individual tasks are to be performed under threat of sanctions).
(c) the joint responsible person
- Neither the GDPR nor the law excludes the possibility to designate one responsible for several municipalities / cities
person
- the joint responsible person must perform his tasks effectively in relation to all
cooperating municipalities / cities,
- methods for designating the joint responsible person:
• responsible person of the district / regional city - responsible person
district / county town would perform this function in smaller ones as well
municipalities / cities belonging to its district,
• contract concluded between the municipality / city and the responsible person - several
municipalities / cities would independently conclude contracts with 1 responsible person,
• contract concluded between municipalities / cities - this is a contract for the purpose of implementation
specific task or activity and its essence is that one municipality / city will provide
its responsible person to the other municipality / city (this may be, for example, cases of neighboring
municipalities / cities, or also in cases where it is necessary to ensure continuity of performance

6

Page 7

tasks of the responsible person due to his long absence and to replace him temporarily
another responsible person),
• contract concluded between the association of municipalities / cities and the responsible person - according to §
20 par. 1 of the Act on Municipal Establishment, municipalities (cities) may cooperate on the basis of
a contract concluded for the purpose of carrying out a specific task or activity, on the basis of
agreements on the establishment of an association of municipalities (cities), the establishment or establishment of a legal
persons under a special law. Once an association is created, that association can
enter into a contract with a specific responsible person to perform the function
responsible person for the municipalities / cities that created the association.
3 PENALTIES FOR BREACH OF OBLIGATION TO IDENTIFY THE PERSON RESPONSIBLE
For breach of the obligation to designate a responsible person as well as other related obligations
with the institute of the responsible person threatens the municipalities resp. cities according to Art. 84 par. 4 letter a) GDPR
(Section 104 (1) (a) of the Act) imposition of a fine of up to EUR 10,000,000, depending on
from the circumstances of each individual case and after due regard to other facts. 2
CONCLUSION
The determination of the responsible person is an obligation of the municipality / city arising directly from the GDPR
and the law. However, such a designation should not only be formal, but the person actually responsible
must meet all the conditions set out in the GDPR resp. law and must carry out its tasks in real terms
perform. For this purpose, the municipality / city is obliged to allow the responsible person to carry out
these tasks and must not prevent it from doing so or otherwise obstruct its activities.
The municipality / city may not be responsible for the fulfillment of individual tasks in any way
sanction. The existence of a responsible person should ensure that the procedures of municipalities / cities are at
processing of personal data in accordance with the GDPR and the law and is intended to assist it in fulfilling its
individual responsibilities.
Done at Bratislava, 20 March 2018

Soňa Pőtheová
President of the Office

2

See Art. 83 par. 2 regulations resp. § 106 par. 1 of the Act

7

---

Page 1

INTRODUCTION OF NEW LEGISLATION IN THE FIELD
PROTECTION OF PERSONAL DATA
SHORT GUIDE FOR CITIES AND MUNICIPALITIES

From 25.5. 2018, the EUROPEAN REGULATION will be applied in practice
(EU) 2016/679 OF THE PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals
processing of personal data and on the free movement of such data, repealing the Directive
95/46 / EC (General Data Protection Regulation) (hereinafter "the Regulation") 1 and Act no. 18/2018
Z. z. on the Protection of Personal Data and on the Amendment of Certain Acts (hereinafter referred to as the “Act”)
or "Act no. 18/2018 Coll. ”) 2 .
How to deal with the advent of this legislation in practice?
What to focus on in the environment of towns and villages?
What to check?
Based on the " control questions " below from the different areas covered by the legislation
data protection, it is possible for municipalities and cities to prepare for the entry into force of the regulation
and the law and mapped the flows of personal data in their environment.

1

PERSONAL DATA FLOW MAPPING - GENERAL MAPPING
In order to comply with the regulation and the law in the environment of the operator, which is the municipality or
city, it is necessary to know how the "operator - municipality, city 3 " has in its conditions
addressed area of ​protection and processing of personal data according to current legislation. Just
the municipality / city finds out “ what personal data it processes and how it has the processing in its conditions
adjusted "where the weaknesses and what needs to be done in order to comply with Regulation
and the law; mapping the flow of personal data is the basis on which it can and should start
the process of aligning with the new legislation in the environment of any operator, ie
municipality or city.
Questions - general mapping of the flow of personal data
It is appropriate to "map" the flow of personal data in the environment of the operator municipalities, cities; specifically
• it is necessary to examine how personal data "flows" in the environment of the municipality / city: as their municipality
obtains and how it processes, on what legal basis such processing takes place, how
their municipality / city archives, on what legal basis it makes them available, provides them
or publishes, and how they are liquidated ;
• The purpose of this initial mapping is to review and determine the status of how
the municipality / city processes personal data;

1
2
3

https://dataprotection.gov.sk/uoou/sites/default/files/nariad_2016_679_text_sk.pdf
https://www.slov-lex.sk/static/pdf/2018/18/ZZ_2018_18_20180525.pdf
https://www.slov-lex.sk/static/pdf/1990/369/ZZ_1990_369_20161101.pdf

Page 2

• The aim of this first step is to “clean up” the flow of data in the municipality / city from the personal ones
data on which the processing of the municipality / city lacks a legal basis and the finding that
processing takes place without a legal basis and the disposal of such identified
personal data, or assigning them the correct legal basis, if any;
• The aim is also to eliminate " merging, interconnection or duplication " of legal bases
where it is inappropriate or outright incorrect, for example if in pre-contractual
relations or contractual relations, except for the contract " for security " municipality / city
also asks the data subjects to consent to the processing of personal data 4 ;
• The aim is to get an overview of the flow of personal data in the environment at the end of the mapping
operator (municipality / city) also with its errors and shortcomings, which subsequently, already
as identified, the operator (municipality / city) will address.
For the purpose of performing the mapping, it is also possible to use the questions below that you ask
the operator - municipality / city will answer and get an overview of the flow of personal data in its
environment:
a) Indication of the operator's data - municipality / city, address, contact details
municipality / city, indication of the statute;
b) Date of mapping - state the specific date of mapping,
where appropriate, the beginning and end of the mapping;
c) In which areas does the municipality / city process personal data on its own
currency - is the operator?
• Indicate the areas in which personal data are processed
natural persons by the municipality / city, it is appropriate to accurately identify these areas, ie
determine also the special law / s and its / their specific provision / on the basis of which
personal data are processed by the municipality or city 5 , namely:
Delegated performance of state administration;
I.
Performance of state administration - self-government;
II.
Internal processes of the operator (municipality / city) - human resources agenda
III.
and wages, employee health and safety agenda, other employee training,
employee attendance, company motor vehicles, business trips

2

employees, etc.
d) What categories of personal data does the municipality / city process? It is necessary to make a basis
the above list of legal bases (most often special laws
and possibly consent) to identify which specific categories (possibly also specific
personal data) personal data are processed by the municipality / city:

4 Requiring

the sending of consent to the processing of personal data for the purposes of the selection procedure and its evaluation; it is not necessary as

specifically, the selection procedure is a pre-contractual relationship, ie the legal basis for the processing of personal data is now § 10 para. 3 letter b) of the Act
no. 122/2013 Coll. and from 25.5.2018 the legal basis will be Art. 6 par. 1 letter (b) of the Regulation.
5 For example, agendas: Human Resources and Wages, Population Register, Registry, Chief Comptroller, Local Taxes and Fees, Decision-Making in
Environmental Affairs, Joint Office - Environmental Decision-Making, Social Welfare, Building Authority, Joint Office
building office, CCTV - public space, Promotion, Complaints, Litigation, Registry administration, Reporting
anti-social activities, School office, Pupil records, School canteen, Accounting documents, Municipal council, Applications under
info law, Evidence of events, Law of petition, General library, Contractual relations

Page 3

• "ordinary" personal data such as name, surname, address, date of birth, etc.,
do not forget that from 25.5.2018 the birth number will no longer be a special category of personal
data, but ordinary personal data (for more details § 78 paragraph 4 of Act No. 18/2018 Coll.);
• special categories of personal data (Article 9 of the Regulation, or § 16 paragraph 1 of Act No.
18/2018 Coll.) Such as personal data related to health, membership
in trade unions, personal data relating to religion or
worldview, etc.,
• personal data relating to the admission of guilt for criminal offenses and misdemeanors; Art. 10 of the Regulation
e) Identification of the person concerned; it is necessary that on the basis of the above elaborated
the analysis was supplemented by the position of the person concerned vis-à-vis the operator
municipality / city within the specific purpose of processing (for example: citizen, deputy
municipal / city council - is affected and the authorized person at the same time,
taxpayer, taxpayer, employee, debtor, complainant, etc.);
f) What is the legal basis for the processing? 6 To be supplemented by the above
mapping the "legal basis" of the processing of personal data, ie whether the municipality / city
processes personal data on the basis of a special law, or will be on the basis of
Act no. 18/2018 Coll., On the basis of a contract. It also needs to be mapped
carried out with regard to the still effective Act no. 122/2013 Coll. and subsequently to legally
the foundations which, with the expiry of Act no. 122/2013 Coll. "Expire / cease
exist "have already been replaced in the mapping by the" new "legal bases under

3

regulations or laws that will apply from 25.5.2018 (for example, monitoring
according to § 15 par. 7 of Act no. 122/2013 Coll. will be replaced by processing on the basis of
fulfillment of obligations in the public interest pursuant to Art. 6 par. 1 letter (e) regulations, or
for example, processing according to § 15 par. 6 second sentence 122/2013 Coll. will be replaced
processing for the purposes of a legitimate interest pursuant to Art. 6 par. 1 letter (e) of the Regulation
etc.).
g) Determination of purposes. It is necessary to assign purposes to the data obtained so far
processing of personal data, ie what is the purpose of the data in question
on the basis of a special law, the municipality / city processes it. For example, fulfilling information
Social Insurance Agency about the employee of the municipal office, which follows the municipality
in the position of employer / operator from the above identified legal
basis - a special law.
h) Where and how does the municipality / city archive personal data?
• The answer here will be, for example, that the municipality / city has an optical archive - for example
cloud / "paper" classic archive;
• It is also necessary to specify the parameters of the repository or archive of the municipality / city;
that is, if the municipality / city has an optical archive, it is operated technically by the municipality, or this one
does the service be provided by an external company? If an external company, what for the municipality within the service
provides (only archiving or even liquidation or other services)? He has to have her
the municipality concluded an intermediary contract? Is it closed now?
• If the municipality / city has a “classic” paper archive, where is it located? If it's an archive
secured? What are the specific security measures? Who has access to it? How

6 See

Art. 6 par. 1 letter a) to f) regulation, or § 13 par. 1 letter a) to f) of the Act.

Page 4

the municipality / city will find out about the security incident within this archive (for example
security breaches, burglary, heating, etc.)?
i) To whom does the municipality send the personal data of the persons concerned? Who are the recipients of personal
data for the municipality / city in terms of regulation / law? It is necessary to name here
all intermediaries of the municipality, other state bodies to which personal data
the municipality / city sends, also for example law firms, if they represent the municipality or
city ​etc.
j) How long does the municipality / city process personal data? How the municipality has a defined purpose
processing in the context of time? You need to review and adhere to it personal
the data have been processed in particular within the time limits set by law for their processing
basis, ie the period determined under a special law or the period for which it was granted
consent; then it is necessary that, once the primary purpose of the processing has been fulfilled, they are
personal data have been destroyed or have been archived according to the registry regulations
municipality / city.
k) How long does the municipality / city archive and store personal data? It is necessary to look
and revise the registration rules 7 of the municipality / city (or draw it up if it is not), whether
it sets out the retention periods for personal data. The purpose is to
prevented the storage and archiving of everything for "ages" which burdens both
operator (municipality / city) and this is not correct even with regard to obligations
operator (municipality / city) who should not have personal data longer than
necessary in the context of the purpose, or for archiving purposes, after processing
for the primary purpose.
l) How does the municipality / city dispose of personal data? Performs liquidation of assets by the municipality / city
containing personal data under his direction or has a contract for this activity
external entity? Is this in the position of a mediator towards the municipality? If so, she has it with him
municipality / city concluded an intermediary contract? How does the municipality / city oversee
liquidation? The municipality / city is being checked to see if the liquidation has taken place as it should
did it not happen that the personal data was not destroyed / correctly disposed of? She knows
on liquidation of municipality / city records?
m) Does the municipality / city have intermediaries 8 ? If so, you need to adjust your contracts with them
and align their wording with Art. 28 of the Regulation, or to close them again.

4

After the municipality / city has mapped the flow of personal data, it will get an overview of what
what purposes it processes specific personal data, what is the legal basis of the processing as it has
solved archiving and disposal of personal data, will be able to set up processes so that
the part that now does not have it set correctly knew until 5/25/2018 to set it up correctly and also to
dealt with the change of some legal bases (which we know from Act No. 122/2013
Coll.) Which will expire on May 25, 2018 and also to properly "set" them in the context of the
Regulation and Act no. 18/2018 Coll.

7

https://www.slov-lex.sk/static/pdf/2007/503/ZZ_2007_503_20071113.pdf
Art. 28 of the Regulation.

8 See

Page 5

PERSONNEL SUBSTRATE - PERSON RESPONSIBLE 9
It is advisable for the operator to treat the personal substrate, which is with the arrival of a new one
legislation will be subject to some changes, in particular as regards the necessary documents in the context of the principle
proving the fulfillment of obligations and consistent processing of personal data with Act no.
18/2018 Coll. After regulation. Part of the personnel substrate of the municipality / city as the operator
in addition to employees processing and working with personal data (authorized persons), etc.
responsible person of the municipality / city.
Questions - Responsible person 10
1. The municipality / city has an authorized person in accordance with Act no. 122/2013 Coll. ?
2. The municipality / city notified the authorized person responsible (still authorized according to Act no.
122/2013 Coll.) Of the Office?
3. From the date 25/05/2018 money must be 11 village / city designated / entrusted responsible
person on the basis of regulation / law no. 18/2018 Coll.
• Does the municipality / city want to keep the current one or designate another responsible person?
• If the municipality / city wants to entrust / designate another responsible person, it must have a responsible person
authorized under Act no. 122/2013 Coll. at the office to log off and the responsible person
determined in accordance with the regulation as of 25.5.2018 to notify the Office + also notify its contact
data; it is ideal if the municipality / city does it in one step, ie logs off at the office
authorized responsible person according to Act no. 122/2013 Coll. and notify the Office
responsible person under the Regulation.

5

4. If the municipality / city has not yet had a responsible person in charge, it must entrust it to him
contact details to notify the Office 12 !
5. The responsible person of the municipality / city will be internal after 25.5.2018 - an employee of the municipality / city
or external?
• Will the responsible person be an employee? You need to be responsible
person has been taken into account in his job / activity description and to have a municipality / city
resolved any conflict of interest of that person.
• Will the responsible person be external? It is necessary for the city / municipality to close with it
a contract for consideration / free of charge on the basis of which it will perform for the city / municipality
function of the responsible person.
• Will the responsible person of the municipality / city be a legal entity - a member of a legal entity? Is a
necessary in the contract between the municipality / city and the legal entity (providing
services of the responsible person for the municipality / city) was specifically specified in the contract by the natural
person - the future responsible person directly by name and surname, specified.

9 See

Art. 37 to 39 of the Regulation and recital 97 of the Regulation.

10

For the responsible person in the local government environment, see also the methodological guideline of the Office no. 1/2018 on this issue, which will be
published in mid-April 2018 on the Office's website.
11 See Art. 37 par. 1 letter a) to c) of the Regulation.
12 See

Art. 37 par. 7 of the Regulation.

Page 6

6. Will the municipality / city, as the operator, use, within the possibilities provided by the regulation,
responsible person together with other municipalities (joint responsible person for several
municipalities)?
• If so, it is necessary to consider whether this responsible person will prosecute to perform his or her duties properly
obligations. If the answer is no, it is advisable and we recommend looking for another individual
or a legal entity (within it an employee) that would for the city / municipality
performed the function of a responsible person.
7. Is the municipality / city ready and aware of the obligation to provide everything to the responsible person
necessary synergies 13 ?
PERSONNEL SUBSTRATE - AUTHORIZED PERSON
The Regulation does not recognize the term " beneficiary ", but this does not mean that it will cease to be entitled
person actually exist.
We would like to draw your attention to Art. 32 par. 4 of the Regulation
“The operator and the intermediary shall take steps to ensure that each natural person
a person acting under the authority of the operator or intermediary who has
access to personal data, processed such data only on the basis of instructions from the controller with
except where required to do so under Union or Member State law. ".

6

We also dare to draw attention to Art. 29 of the Regulation
"Intermediary and any person acting on behalf of the operator or
an intermediary who has access to personal data may process that data only on
on the instructions of the operator, except where required by Union law
or the law of a Member State . "
It follows from the above provisions that the current instruction of the entitled person is possible
interpreted in accordance with the above-mentioned authorization of the operator in the environment of the operator
and instructions can be understood as specifying specific responsibilities to a particular employee
on the basis of which and according to which it is to carry out the processing of personal data.
Questions - Authorized person
1. Does the municipality / city have authorized persons (persons processing personal data)?
• Has a municipality / city of employees (permanent employment, part - time employment)
employment, employment agreement, civil service .....), other physical
persons who process personal data on its behalf?
2. Does the municipality / city have these persons instructed in accordance with Act no. 122/2013 Coll. ?
• Are these lessons current (they correspond to real lessons as well as to the real situation
and job description of a particular employee)?

13 See

Art. 38 of the Regulation.

Page 7

• If the instructions of the authorized persons are prepared in accordance with Act no. 122/2013 Z.
from. the city / municipality is obliged to check and supplement them in its environment
and update them in the context of the forthcoming Act no. 18/2018 Coll. and regulations.
• If the instructions are not up-to-date and there are errors, it is better to re-write them
(in terms of content it can be partially taken over from the instruction according to Act No. 122/2013 Coll. 14 )
already in the context of new legislation and call them, for example, “Authorization of the
persons ’.
3. Specific authorizations must be made known to the specific authorized persons,
employees processing personal data on behalf of the controller and to obtain evidence
that they are aware of their responsibilities, for example by signing the authorization
it will be clear that the employee in the conditions of the operator (municipality / city)
acquainted with his duties in the context of personal data processing and them as well
he understood.
4. The elaborated credentials must be kept by the operator (on the premises of the municipality,
cities - for example with the responsible person), are not sent to the office.
5. If the employee's assignment changes or his job description changes and thus changes
also the area in which it processes personal data requires authorization, as has been the case so far
instruction, updated at a given specific time (in the form of an addendum in the necessary section
amend).

7

14

https://dataprotection.gov.sk/uoou/sk/content/vzory-pouceni-opravnenej-osoby-0

Page 8

SECURITY - MAPPING
The regulation and the law no longer work with the term " security project " nor do they specify it strictly
specific security measures and titles of security documents as was the case under
Act no. 122/2013 Coll. The regulation and the law do not strictly stipulate the documentation concerning
security in the context of the fact that the controller processes sensitive personal data
via a computer connected to a publicly accessible network MUST be developed
to the given information system security project, as before.
Both the regulation and the law are more general in describing security measures. Security is
devoted in particular to Art. 24 and 32 of the Regulation, which only state that the operator
and the intermediary are obliged to adequately protect and accept personal data for their protection
appropriate security measures, such as pseudonymisation or encryption; or
they may also demonstrate the consistency of the processing by acceding to the approved code
behavior, etc.
However, within the framework of security, a parameter is created that needs to be assessed, which law no.
122/2013 Coll. did not know, the point is that according to Art. 32 par. 1 “ Operator and intermediary
in the light of the latest knowledge, the cost of implementing the measures and the nature, extent,
the context and purposes of the processing, as well as the risks of varying probabilities and severity for
rights and freedoms of natural persons, appropriate technical and organizational measures to ensure
a level of safety commensurate with that risk , '. Safety assessment and accepted
security measures with regard to the rights and freedoms of individuals have not yet been
necessary, from now on yes.

8

Questions - safety documentation
1. The municipality / city has a security project developed and updated at that time, or
introduced and updated security measures? If so, they need to be checked
topicality, if the municipality / city identifies a deficiency, it is necessary to deal with it.
2. It is necessary to identify the rights and freedoms of natural persons to the municipality / city as
the operator could assess whether the processing operation could take place
to their endangerment, or even to the occurrence of property or non-property damage to the affected persons
persons ( an example of the fundamental rights and freedoms of the persons concerned is the right to freedom of expression,
right to protection of personal data, right to letter secrecy, right to
life, right to religion, etc. ) .
3. It is necessary for the operator (municipality / city) to identify in their environment
threats which may cause harm to the rights and freedoms of the persons concerned and these
described and took appropriate action against them ;
• external attacks (= THREAT) - (specific form of THREAT >> eg: abuse
access to the PC on which personal data are processed (>> INJURY: for example, obtaining
knowledge that the person is a debtor of the municipality, a non-payer, so there was a violation of the right to
protection of personal data and, where appropriate, tax secrecy and possibly disclosure
financial aspects of the data subject, data leakage) >> resulting
security measure, for example: keeping records of individual accesses

Page 9

authorized persons of the operator at least in the most important and sensitive
agendas / voluntary logging + correct setting of access rights
and checking this setting ;
In view of the above new parameter for assessing the safety measures adopted
measures - the rights and freedoms of the persons concerned, the security needs to be updated
measures.

DOCUMENTATION - RECORDS OF PROCESSING ACTIVITIES
Previously used records (registration sheets), information system notifications and applications
on special registrations (special registration decisions), which were mainly formal
evidence of a personal data information system, two of which were sent to the Office,
they disappear.
Their "replacement", another form of keeping records of purposes , no longer about information systems
personal data, the so-called records of processing activities according to Art. 30 of the Regulation.
These will have to be managed by both the operator and the intermediary. Records have their
precise content definition in the regulation. They are not sent to the office.
In part, the content can be based on today's records or notices
information systems.

9

Questions - documentation - records of processing activities
1. The municipality / city has at that time prepared registration sheets, notifications, or approved
special registrations? In terms of content, it is possible to use information from these documents and these
to be added to the content structure of records according to Art. 30 of the Regulation.
2. The Office shall publish on its website a model record of processing activities,
the municipality / city can use one or create your own.

The material is not legally binding, it is only of a recommendatory nature as everyone's environment
operator or intermediary is unique and requires consideration of specific
differences.

