The GDPR has brought a huge change in the way we are thinking about the protection of personal data. Since the GDPR came into force on 25 May 2018, we have faced several practical and theoretical problems. After two years we can say, that the GDPR is like wine – it gets better with age.

In this article, we summarize the last year´s developments of the GDPR in the Slovak Republic.

1. Relevant decisions issued by the Slovak DPA

The Slovak DPA (in Slovak: Úrad na ochranu osobných údajov Slovenskej republiky), issued several interesting decisions. So far, we have not witnessed any astronomically high fines, the highest ones were:

Social Insurance Agency (SIA) – a fine in the amount of 50,000 EUR was imposed due to insufficient technical and organizational measures to ensure information security.

The main nature of the GDPR breach was the inappropriate shipping of documentation to customers overseas. Documentation included personal data, ID data, as well as health data and was mailed by SIA as a "not registered mail" that is not delivered solely to the customer and cannot be tracked. The DPA‘s reason for the decision was that due to the nature of sensitive personal data such documentation should have been shipped as a "registered mail".

Slovak Telecom – a fine in the amount of 40,000 EUR for the adoption of insufficient technical and organizational measures to ensure the information security.

In this case, the controller distributed the printed contracts and delivered them incorrectly. The personal data of the data subjects, including their name, residence, birth number, date of birth, ID card number, telephone number, e-mail address, were due to this incident given to the unauthorized persons throughout Slovakia.

TESCO SK – a fine in the amount of 10,000 EUR because of the late response of the controller to the request of the data subject to provide information about the processing of his personal data.

According to the reasoning of the DPA, the controller failed to provide the data subject with the requested information within a period of one month. The controller provided information after 67 days.

2. Plan of investigations in 2020

The DPA announced a plan of investigations for the year 2020. With the exception of the state bodies, the DPA will mainly focus on the controllers/providers in the following areas:

  • accommodation facilities;
  • public telecommunications services;
  • web hosting;
  • parking services;
  • collection of tolls or charges for the use of defined road sections.

However, this plan does not limit the DPA to initiate an investigation also in other areas.

3. English version of the Slovak Data Protection Act

In 2019,  the DPA informed the public about the translation of the Slovak Data Protection Act into English. The wording of the Act is available on this site: https://dataprotection.gov.sk/uoou/en/content/national-legislation.

The Slovak Republic is following also the EDPB guidelines and other recommendations (e.g. 3/2018 on the territorial scope of the GDPR; 2/2019 – the processing of personal data under Article 6 (1) (b); 3/2019 on processing of personal data through video devices; 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR; 05/2020 on consent, etc.)

We hope that the following year of the GDPR will be even fruitier on the new findings. In the following months, we are expecting news in the area of processing of health data, as a result of the fight against the Covid-19 pandemic.