| LEGISLATIVE ARRANGEMENTS OF THE SO SR |
52
ACT
of February 3, 1998
on Protection of Personal Data in Information Systems
The National Council of the Slovak Republic has enacted this law:
PART
ONE
BASIC PROVISIONS
Scope
| (1) | The Act shall regulate: | |
| a) | the protection of personal data1) with respect to processing in information systems, and | |
| b) | the protection of anyone against unauthorised collection, disclosure or other misuses of data about his or her person2) (hereinafter referred to as ”personal data”). | |
| (2) | The Act shall not regulate the protection of personal data processed by a natural person in the course of a purely personal or household activity. | |
Object
The object of the Act is
| a) | to protect the fundamental rights and freedoms of natural persons with respect to the processing of their personal data; | |
| b) | to determine the rights and obligations of natural persons in supplying their personal data for information systems and the rights, obligations and responsibilities of legal and natural persons involved in personal data processing; | |
| c) | to determine the rights and obligations of controllers of information systems, processors and data subjects with respect to the provision of personal data from an information system; | |
| d) | to determine the conditions for transborder personal data flow; | |
| e) | to determine the conditions relating to a method for the registration of information systems containing personal data; | |
| f) | to establish the status and scope of authority of state supervision over the protection of personal data in information systems; | |
| g) | to determine the sanctions for violating the Act. |
Definitions
For the purposes of this Act
| a) | personal data shall mean any data relating to an identified or identifiable natural person, where such a person is one who can be identified, either directly or indirectly, in particular by reference to an identification number or to one or more features or attributes constituting his physical, physiological, mental, economic, cultural or social identity; | |
| b) | the processing of personal data shall mean conducting any necessary operation or set of operations upon personal data, such as their acquisition, collection, recording, organisation, storage, adaptation or alteration, retrieval, inspection, use, disclosure by transmission, dissemination, rearrangement or combination; | |
| c) | an information system containing personal data shall mean a system for personal data processed according to special organisational conditions using either automatic or non-automatic means for the processing; | |
| d) | the provision of personal data shall mean their delivery or disclosure to another legal or natural person other than the data subject, controller, processor or a third party; | |
| e) | the disposal of personal data shall mean the cancellation of personal data by their disintegration, erasure or physical destruction of the data storage device so as to make any personal data irreproducible therefrom; | |
| f) | the data subject’s consent shall mean any freely given, expressed and intelligible indication of his or her will, by which the data subject expresses his agreement to personal data relating to him or her being processed; | |
| g) | the controller of an information system shall mean any legal or natural person or other entity that processes the personal data, and concurrently determines the goals and means for the processing; such person shall also be responsible for defining the purpose for the processing, as long as this is not established by a special law; | |
| h) | the processor shall mean a legal or natural person processing personal data on behalf of the controller, namely on the basis of a contract or an authorisation from the controller; | |
| i) | a third party shall mean any natural person who comes into contact with personal data as a part of his or her employment contract or similar working relationship or when conducting his or her public function; such person may only process data if so instructed by the controller or processor, unless required to do so by a special law; | |
| j) | a data subject shall mean any natural person portrayed by the personal data in the information system; | |
| k) | a user shall mean any legal or natural person, other than a data subject, controller, processor or a third party, who uses personal data from the information system; | |
| l) | transborder personal data flow shall mean the transmission of personal data outside the territory of the Slovak Republic, to non-resident legal or natural persons seated or having permanent residence abroad, or the exchange of this data with such persons. |
PROTECTION OF PERSONAL DATA IN INFORMATION SYSTEMS
Data Subject’s Consent
| (1) | The processing of personal data may only be performed with the data subject’s consent. This consent shall not be required if so provided by a special law3). |
| (2) | A person other than a data subject may supply personal data on the data subject to an information system only with this subject’s consent. This shall not apply if the personal data is supplied to an information system under conditions provided for by a special law4). |
| (3) | The consent defined in paragraph 1 shall not be required in cases that involve the processing of personal data exclusively for the purposes of artistic or literary expression. |
| (4) | If a data subject is not capable of legal acts, the consent defined in paragraph 1 may be given by his legal guardian5). |
| (5) | If a data subject is deceased, the consent as defined in paragraph 1 may be given by a near person6). |
| (6) | The condition of having a consent shall be satisfied if personal data is concerned which may be publicised on the basis of the data subject’s consent. Any data published in this way shall not be protected hereunder. |
Responsibility for the Veracity of Personal Data
Anyone who has supplied personal data to the information system containing personal data (hereinafter referred to as the ”information system”) shall be responsible for their veracity.
Acquisition of Personal Data
| (1) | Anyone who acquires personal data shall be obliged to produce proof of his identity at the data subject’s request and to notify in advance the data subject or other natural person from whom he requires the data, of: | |
| a) | the identity of the controller of the information system (hereinafter referred to as the ”controller”), should he be acting on his behalf; | |
| b) | the purpose for the acquisition of personal data; | |
| c) | the voluntary or obligatory basis of providing the required personal data; | |
| d) | the Act that lays down the obligation to provide the required personal data and the consequences for the refusal to do so; | |
| e) | the expected range of users. | |
| (2) | Anyone who acquires personal data under paragraph 1(d), shall be obliged to produce proof of authorisation for such activity, unless such authorisation is laid down in law. | |
| (3) | The authorisation for the acquisition of personal data shall be issued by either the controller or processor. | |
Processing of Personal Data
| (1) | The processing of personal data may only be performed by the controller or processor. The same shall apply to the disposal of personal data. | |
| (2) | The processor shall be authorised to carry out the processing of personal data under conditions and within the scope set out by a written contract or a written authorisation. | |
| (3) | A controller must ensure that processing is not performed on personal data that | |
| a) | by
virtue of their scope and contents are incompatible with the given purpose
of processing, whereas further processing of personal data for historical, statistical and scientific purposes shall not be considered as incompatible, or | |
| b) | are not up-to-date or relevant with respect to the purpose of their processing. | |
| (4) | After the purpose of processing has been discharged , the controller shall forthwith provide for the disposal of personal data, unless provided for otherwise by a special law7). | |
| (5) | In the processing of personal data, a universal identifier may be used in order to identify a natural person, providing that such identifier is regulated by a special law8). | |
The Processing of Special Categories of Data
| (1) | The processing of special categories of personal data, which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and data concerning health or sex life and conviction, shall be forbidden. | |
| (2) | The provision of paragraph 1 shall not apply, if: | |
| a) | the data subject has given his or her explicit consent to the processing of these data, or | |
| b) | the processing is required by a special law, in particular for the purposes of criminal proceedings, execution of final judgements or the defence and security interests of the state; in such cases supervision over the processing shall be performed by an authority of the state determined by a special law9), or | |
| c) | the processing is necessary to protect the vital interests of a data subject as long as this subject is physically or legally incapable of giving his or her consent, and it is not possible to obtain the consent from his or her legal guardian, or | |
| d) | the processing is carried out in the course of the legitimate activities of an association or non-profit organisation with political, philosophical, religious, economic or trade-union objectives on the condition that the processing concerns solely the members of this institution and that the data are not disclosed without the data subject’s consent to any other person but the controller or third parties, or | |
| e) | the processing relates to personal data that have been made public by a data subject or that is necessary for the enforcement of his or her legal claim, or | |
| f) | the processing is required for the purposes of preventive medicine, medical diagnosis, sickness insurance and social security, provision of medical treatment or for the purpose of health care services management and providing that these data are processed by a health facility or the Social Insurance Company. | |
Responsibility for Accuracy and Keeping Personal Data Up-to-date
| (1) | The controller shall be obliged to provide for accuracy and keep the personal data up-to-date. Any personal data that have been provided in accordance with section 5 shall be considered accurate. |
| (2) | The controller shall be obliged to process only that personal data whose contents and scope correspond with the purposes of their processing. |
| (3) | In order to keep personal data up-to-date, the controller shall be obliged to correct, or dispose of any personal data that become outdated in the course of processing. |
Responsibility for the Security of Personal Data
The controller and processor shall assume responsibility for the security of personal data by protecting them against alienation, loss, damage, unauthorised access, alteration or dissemination. To this end, they must adopt adequate technical and organisational measures to correspond with the mode of processing, as well as a method for disposing of the personal data.
Instruction
The controller shall be obliged to advise legal and natural persons who have access to the information system about their rights and obligations provided hereunder and the liability for breaching them.
Obligation of Confidentiality
| (1) | A controller and a processor shall be obliged to maintain the confidentiality of any personal data processed by them. The obligation of confidentiality shall even continue beyond the end of processing. Authorities conducting criminal proceedings shall not be subject to the obligation of confidentiality if required to do so by a special law; without any prejudice to the provisions of special laws10). |
| (2) | A third party shall be committed to maintain the confidentiality of any personal data he or she comes across; he or she may not employ the data for his or her personal use, nor may he or she disclose it to anyone else without the controller’s consent. |
| (3) | The obligation of confidentiality stated in paragraph 2 shall also apply to other natural persons, who as a part of their activities (e.g. maintenance and servicing of technical means) come across personal data at the controller’s or processor’s site. |
| (4) | The obligation of confidentiality stated in paragraph 2 shall last even after the third party’s function comes to an end or after the termination of his or her labour relationship. |
| (5) | The provisions of paragraphs 1 to 4 shall not apply in relation to the authority of state supervision over the protection of personal data in information systems (Art. 28 and 29(2)). |
Data Subject’s Rights
| (1) | A data subject shall be entitled to request from the controller: | |
| a) | information about his personal data while they are being processed, to contain the registration number of the information system, if assigned, the name of the controller, his address and identification number, the purpose of processing, an overview of measures providing for the security of personal data to the necessary extent and the expected range of users; | |
| b) | the correction of inaccurate or outdated personal data in the course of processing, if necessitated by the purpose of processing; | |
| c) | the disposal of his or her personal data if the purpose of processing has been met; | |
| d) | the disposal of his or her personal data if the law has been violated. | |
| (2) | The right of a data subject may only be restricted by virtue of paragraph 1(c)&(d) under the condition that through its exercise, the protection of a data subject or the rights and freedoms of any other persons would be violated. | |
| (3) | A data subject shall have the right to object, on request and free of charge to the processing of any of his or her personal data which he or she expects to be processed for the purposes of direct marketing. | |
| (4) | A data subject shall have the right not to be subject to any decision by the controller which would cause legal effects concerning him or her or would significantly affect him or her, if such a decision is made solely on the basis of automatic processing of his or her personal data. This right may only be restricted if provided so by a special law11) in which measures to ensure the legitimate interests of a data subject are laid down. | |
| (5) | After discovering that his or her personal data were subjected to unauthorised handling, a data subject may notify the state supervisory authority of this fact. (Art. 25). | |
Providing Information to a Data Subject
| (1) | A controller shall be obliged to provide a data subject with information as defined in Article 13(1)(a) free of charge once a year, providing that the data subject has requested this information in writing, and in other cases at a price agreed upon12) or for an administrative fee13). |
| (2) | The controller shall be obliged to ensure that the requirements as defined in Article 13(1)(b) to (d) are met free of charge. |
| (3) | The controller shall be obliged to satisfy the requirements of a data subject in accordance with Article 13 and to inform him or her in writing no later than 30 days after receiving them. |
Notification of the Restriction of the Data Subject’s Rights
A data subject and the state supervisory authority (Art. 25) must be forthwith notified by the controller of any restriction of the data subject’s rights under Article 13(1).
Notification of Correction
| (1) | Within 30 days of making a correction to personal data, a controller must notify any person to whom he had provided the data of such a correction. |
| (2) | This notification may be omitted, if the data subject’s rights are not violated because of the failure to notify the correction. |
Supervision of the Protection of Personal Data
| (1) | Any liability for supervising the protection of personal data processed hereunder shall lie with the controller. |
| (2) | If the controller employs more than five persons, he shall appoint a responsible person or several such persons to carry on the supervision of compliance with statutory provisions in personal data processing; when any breach of these provisions is found, the controller shall have to be notified forthwith. |
Transborder Flow of Personal Data
| (1) | The transmission of personal data to legal or natural persons seated or domiciled abroad may be executed provided that the country of destination ensures an adequate level of protection. Anyone who conducts the transmission of personal data shall also be held accountable for the data’s security (Art. 10) in transit. | |
| (2) | The adequacy of the level of personal data protection (paragraph 1) shall be assessed in the light of all circumstances surrounding the transfer operation. In so doing, special consideration is to be given to the relevant legislation of the country of destination, in relation to the nature of the data, the purpose and duration of the processing. | |
| (3) | In the event that the country of destination does not assure an adequate level of protection, the transmission may be carried out under the condition that | |
| a) | the data subject has consented to the proposed transmission, or | |
| b) | the transmission is necessary or required by law on the grounds of an important public interest or for the establishment, exercise or defence of a legal claim, or | |
| c) | the transmission is necessary for the protection of the vital interests of a data subject, or | |
| d) | the controller shall provide adequate guarantees for the protection of privacy and the fundamental rights and freedoms of data subjects; such guarantees must be reflected in the respective contracts. | |
| (4) | Consent by the state supervisory authority (Art. 25) shall be required for the transmission of personal data as defined in paragraph 3(d). | |
| (5) | The protection of personal data transmitted from legal or natural persons seated or domiciled abroad must be carried out in accordance with the provisions hereof. Only an entity operating in the territory of the Slovak Republic under special regulations14) may act as the controller. | |
REGISTRATION OF INFORMATION SYSTEMS
Registration
| (1) | The controller shall be obliged to have his information systems registered in the scope and under the conditions provided hereunder. The registration shall be conducted by the Statistical Office of the Slovak Republic (hereinafter referred to as ”the Office”). The Office shall conduct this registration free of charge. | |
| (2) | The Office shall be obliged to provide the state supervisory authority (Art. 25) with any information concerning the registration of information systems free of charge. | |
| (3) | Information systems shall not be subject to registration, if | |
| a) | they contain the personal data of any persons who are connected with the controller as an employee, people working for him or her on a similar labour-related basis, members, apprentices or clients, and if an in-house business of the controller is exclusively involved, or | |
| b) | they contain personal data for the purposes of health insurance, sickness insurance and old-age security and unemployment insurance, or | |
| c) | they contain personal data for the purposes of financial and other support, for the purposes of social benefits and social assurance benefits, or | |
| d) | they contain data on persons involved in the proceedings before the authorities of the government, prosecutors and courts, or | |
| e) | they contain personal data serving the purposes of official statistics, or | |
| f) | they contain such personal data that exclusively serve the mass media for their information activity, or | |
| g) | they contain personal data for the purposes of science and research, or | |
| h) | they exclusively contain personal data that have already been made public, or | |
| i) | if so stipulated by a special law15) | |
| (4) | The provision of paragraph 3 except for (i) shall not apply if special categories of personal data as defined in Article 8(2) are processed in the information system. | |
| (5) | In cases of doubt as to whether an information system is or is not subject to registration, this shall be decided by the state supervisory authority (Art. 25). | |
Filing for Registration and Notification of Changes
| (1) | Filing an information system for registration shall be the responsibility of the controller. | |
| (2) | The controller shall be obliged to file the information system for registration before the processing of personal data starts. | |
| (3) | When filing the information system for registration, the controller shall be obliged to give the following data: | |
| a) | the controller’s name; | |
| b) | the controller’s address; | |
| c) | the controller’s identification number; | |
| d) | the name of the responsible person who will oversee the protection of personal data in the information system; | |
| e) | the purpose of the personal data processing; | |
| f) | the personal data types; | |
| g) | the range of data subjects; | |
| h) | the legal basis of the information system; | |
| i) | the expected range of users of the information system; | |
| j) | if transborder personal data flow is anticipated, the names of target countries and the legal basis for the transborder flow; | |
| k) | a characterisation of measures providing for the protection of personal data; | |
| l) | the expected date and hour on which the personal data processing shall begin. | |
| (4) | The controller must notify the Office in writing within fifteen days of any changes to the data in accordance with paragraph 3 that may occur during the processing of personal data. | |
Prior Checking
| (1) | Prior to the assignment of a registration number, the Office shall be obliged to submit the data listed under Article 20(3) for the state supervisory authority’s review (Art. 25). |
| (2) | The state supervisory authority shall make a judgement as to whether the processing of personal data does not potentially endanger the rights and freedoms of the data subjects. |
| (3) | In cases of doubt, the controller shall be asked by the state supervisory authority to furnish some further explanation. |
| (4) | The Office shall assign a registration number (Art. 22) only after having obtained the position from the state supervisory authority. |
Registration Number
| (1) | The assignment of a registration number to an information system forms a part of registration. The controller shall be notified of this number by the Office in writing. The controller shall state this number in any communication concerning the personal data being processed. |
| (2) | The issuance of a substitute certificate of the assigned registration number shall be subject to charges under a special regulation16). |
Deregistration
Within fifteen days of terminating the processing of personal data, the controller must deregister the information system. As a part of this deregistration, the date and hour at which the processing of personal data was terminated, is stated.
Making the Current Status of Registration Public
The registration kept hereunder shall be public. The Office shall provide for the publication of the current register, giving the data as defined in Article 20(3) and Article 22.
STATE SUPERVISION OVER THE PROTECTION OF PERSONAL DATA IN INFORMATION SYSTEMS
| (1) | State supervision over the protection of personal data in information systems shall be performed by the Commissioner for the Protection of Personal Data in Information Systems (hereinafter referred to as ”the Commissioner”). |
| (2) | In carrying out his or her functions, the Commissioner shall be independent and only bound by law. |
The Commissioner
| (1) | The Commissioner shall be appointed and removed by the Government of the Slovak Republic on the basis of a proposal by the President of the Statistical Office of the Slovak Republic. | |
| (2) | Only a person without a criminal record, with citizenship of the Slovak Republic, a University graduate, with professional experience of no less than ten years in the field of information technology or law and over the age of thirty, may be appointed as the Commissioner. | |
| (3) | The Commissioner shall be appointed for a period of five years and he may be appointed for no more than two consecutive terms. | |
| (4) | Any person who in the preceding four years, starting from the day of filing the nomination for Commissioner, was | |
| a) | the President of the Slovak Republic, or | |
| b) | a deputy of the National Council of the Slovak Republic, or | |
| c) | a member on the Government of the Slovak Republic, or | |
| d) | a functionary or a paid employee of the apparatus of a political party or a political movement may not become the Commissioner. | |
| (5) | The Commissioner’s office is a public function. The particulars of the Commissioner’s remuneration shall be determined by the Government of the Slovak Republic according to a special regulation17). Travel reimbursements, to which the Commissioner shall be entitled in connection with the execution of his office, shall be made in accordance with a special regulation18). | |
| (6) | During his office, the Commissioner shall take part in health insurance19), sickness insurance and social security20) in the same way as employees working under a labour contract do. For the purposes of health insurance, sickness insurance and social security, the Commissioner shall be employed by the Office of the Government of the Slovak Republic . | |
| (7) | During his office, the Commissioner shall be entitled to statutory holiday, to which the relevant provisions of a special law21) shall be applied. | |
| (8) | During his office, the Commissioner may not engage in any other income-earning activity with the exception of scientific, teaching, journalistic, literary or artistic activity and the management of his own assets. | |
| (9) | During and after the end of his term, the Commissioner shall be charged with the obligation to maintain the confidentiality of any facts relating to the contents of personal data which he learnt about when in office. | |
| (10) | In specific cases, the Commissioner may be released from the confidentiality obligation by the Government of the Slovak Republic. | |
| (11) | The Commissioner shall be accountable for his activity to the Government of the Slovak Republic. | |
| (12) | The Commissioner’s office shall cease | |
| a) | through the elapse of his or her term of office (paragraph 3), or | |
| b) | by his or her death, or | |
| c) | by his or her resignation from office, or | |
| d) | by his or her removal from office. | |
| (13) | The Commissioner may only be removed from office on the grounds of | |
| a) | a conflict of interest (paragraphs 4 and 8), or | |
| b) | a failure to fulfil his or her functions (Art. 28) for a period of more than one year, or | |
| c) | the committing of a deliberate criminal act, for which he or she has been lawfully convicted. | |
Provisions for the Execution of the Commissioner’s Duties
| (1) | The execution of the Commissioner’s functions shall be provided by the Inspection Unit for the Protection of Personal Data (hereinafter referred to as the ”Inspection”). The Inspection shall operate as an independent unit of the Office of the Government of the Slovak Republic. Employees of the Inspection shall have a labour contract with the Office of the Government of the Slovak Republic and their remuneration shall be governed by special regulation17. |
| (2) | The cost of performing the Commissioner’s functions shall be covered from the state budget of the Slovak Republic. The draft budget shall be submitted as an item in the section pertaining to the Office of the Government of the Slovak Republic and it may only be modified by the National Council of the Slovak Republic. |
The Commissioner’s Functions
The Commissioner shall carry out the following main functions:
| a) | he or she shall decide in cases of doubt about the registration of information systems under Article 19(5); | |
| b) | he or
she shall conduct prior checks of information systems filed for
registration (Art. 20) and shall review them with regard to any potential
danger of violating the rights and freedoms of data subjects (Art. 21(2)); | |
| c) |
he or she shall continuously monitor the current status of the protection of personal data in information systems and the registration of these systems; | |
| d) | he or she shall recommend measures to controllers for ensuring the protection of personal data in information systems; | |
| e) | he or
she shall monitor the processing of personal data in information systems;
to this end he or she shall be entitled to inspect materials and obtain
extracts of data from the controller and processor; | |
| f) | at the controller’s request, he or she shall decide in cases of doubt about the provision of personal data to another country; | |
| g) | he or she shall receive and deal with complaints concerning any breach of the protection of personal data in information systems; | |
| h) | in the event of a suspected breach of the obligations vested hereunder, he or she may summon the controller or the processor with the aim of requiring an explanation; | |
| i) | he or she shall notify22) the authorities conducting criminal proceedings in the case of a suspected criminal offence; | |
| j) | he or she shall file motions, if a breach of obligations set forth hereunder is discovered; | |
| k) | he or she shall participate in the preparation of generally binding regulations in the field of personal data protection; | |
| l) | he or she shall manage the operations of the inspection unit; | |
| m) | he or
she shall submit to the Government of the Slovak Republic and the National
Council of the Slovak Republic a report on the status of the protection of
personal data in information systems at least once a year. |
Concurrence
| (1) | The authorities of government, municipalities and controllers shall be obliged to provide the Commissioner with any assistance he may need when carrying out his functions. |
| (2) | The controller and processor shall be obliged to provide the Commissioner with any data he may require when carrying out his functions. |
PROTECTION OF PERSONAL DATA IN CIVIL LAW
| (1) | If, due to a failure to discharge an obligation provided hereunder, damage is caused to anybody, the injured party shall be entitled to adequate financial compensation23). |
| (2) | The damages shall be decided by the court. |
SANCTIONS FOR VIOLATING THE LAW
If there is breach of the obligations ensuing herewith which does not involve a criminal offence, the procedure in accordance with Articles 32 to 38 shall be followed.
| (1) | Penalties may be imposed for any breach of the obligations ensuing herewith (Art. 33 & 34). |
| (2) | The penalties under paragraph 1 shall be imposed by the Office of the Government of the Slovak Republic. |
| (3) | The Office of Government of the Slovak Republic shall take decisions on the basis of motions by the Commissioner. |
A penalty not exceeding 1,000,000 SKK may be imposed upon a controller or processor who
| a) | undertakes the processing of personal data in contradiction to Article 4 or 7; | |
| b) | undertakes the processing of special categories of personal data in contradiction to Article 8; | |
| c) | undertakes the processing of inaccurate, outdated or inadequate personal data or does not dispose of the data after the purpose of processing is over (Art. 9); | |
| d) | fails to take necessary measures for the protection of personal data against alienation, loss, damage, unauthorised access, alteration or dissemination (Art. 10); | |
| e) | fails to instruct legal and natural persons, who have access to personal data in information systems (Art. 11); | |
| f) | fails to discharge the obligation of providing information to a data subject (Art. 14); | |
| g) | fails to discharge the obligation of giving notification of the correction of personal data (Art. 16); | |
| h) | transmits any personal data to another country in contradiction of Article 18; | |
| i) | fails to provide the required data (Art. 29(2)); | |
| j) | fails to satisfy the Commissioner’s requirements (Art. 37(1) & (2)). |
| (1) | A data subject, who has deliberately provided untrue data, may be given a penalty not exceeding 10,000 SKK (Art. 5). | |
| (2) | A person other than a data subject may be given a penalty not exceeding 500,000 SKK should this person | |
| a) | deliberately provide untrue personal data; | |
| b) | be in breach of the obligation to maintain the confidentiality of the personal data. | |
| (1) | The general regulations relating to administrative proceedings24) shall apply to the proceedings on the imposition of penalties under Articles 33 & 34, unless provided otherwise hereunder. |
| (2) | In imposing these penalties, particular consideration shall be given to the severity, duration and consequences of the unlawful conduct. |
| (3) | A penalty under Articles 33 and 34 may be imposed by the Office of the Government of the Slovak Republic within one year of filing the motion, but no later than two years from the day of violating the obligation. |
| (4) | It shall be possible to make an appeal against any decision concerning a penalty imposition within fifteen days of its service. The appeal shall have a dilatory effect. The decision about the appeal shall be made by the head of the Office of the Government of the Slovak Republic within thirty days. |
| (5) | A valid decision on penalty imposition may be reviewed by the court25). |
| (6) | A penalty imposed under Articles 33 & 34 shall be payable within thirty days of the day when the decision or its imposition comes into force. |
| (7) | The proceeds from penalties shall constitute revenue for the state budget of the Slovak Republic. |
| (8) | The provisions of special regulations relating to indemnity26) shall not be injured through the payment of a penalty. |
| (1) | A controller, who has not discharged the obligation of registering an information system containing personal data and related duties arising herewith, may be charged with a penalty not exceeding 500,000 SKK and in the event of a repeated breach, a penalty not exceeding 1,000,000 SKK. |
| (2) | The penalty under paragraph 1 shall be imposed by the Office at the Commissioner’s motion. |
| (3) | In imposing the penalties under paragraph 1, the provisions of Article 35 shall be followed. |
| (1) | Having detected the breach of an obligation under Article 33, the Commissioner shall forthwith call upon the controller to end the processing operation violating this obligation or to provide for the measures requested by the Commissioner. |
| (2) | The controller shall be obliged to forthwith meet the requirements as per paragraph 1 and to inform the Commissioner about so doing. |
| (3) | If the controller does not finish conducting the respective processing operation, or does not carry out the required measures, the Commissioner shall make public the controller’s name, address and identification number, outlining the facts establishing the violation of personal data protection. |
Upon a final decision on the penalty imposition, the Commissioner may, in the cases stated in Article 33, make public the data enlisted in Article 37(3).
JOINT AND CONCLUDING PROVISIONS
Provisions of Empowerment
| (1) | The details of the method, form and procedure for the registration of an information system shall be arranged by a generally binding regulation to be issued by the Office. |
| (2) | The Commissioner’s status shall be detailed in a statute to be approved by the Government of the Slovak Republic on the basis of the Commissioner’s proposal. |
General Restrictions
The provisions hereof, set forth in Article 4(1) & (2), Article 6 (1), Article 7(4), Article 12(1)&(2), Article 13(1), Article 14 in relation to Article 13(1)(a), Article 16, Articles 18 through to 24, shall not be applied, should it be necessary according to a special law in order to ensure:
| a) | internal order or safety, or | |
| b) | defence, or | |
| c) | criminal prosecution, or | |
| d) | important economic or financial interests of the state, including monetary, fiscal and taxation issues, or | |
| e) | the protection of a data subject or the rights and freedoms of other persons. |
Transitional Provision
The controllers of information systems that are already in operation and to which this Act applies, shall be obliged to bring them in compliance with this Act within six months of the effective day hereof, and, if required so hereunder, to file them for registration within this period.
Abrogative Provision
Act no. 256/1992 Coll. on the Protection of Personal Data in Information Systems is hereby repealed.
Effective Date
The Act shall take effect on March 1, 1998.
| Signed by the President of the Slovak Republic - Michal Kováè, and |
| the Prime Minister of the Slovak Republic - Vladimír Meèiar, and |
| the President of the National Council of the Slovak Republic - Ivan Gašparoviè |
| 1) | Article 22(1) of the Constitution of the Slovak Republic | return |
| 2) | Article 19(3) of the Constitution of the Slovak Republic | return |
| 3) | For example, Article 1(1)(a) of the Act of the National Council of the Slovak Republic no. 45/1993 Coll. relating to state statistical surveys conducted amongst the population. | return |
| 4) | For example, Articles 18 and 22 of the Act of the National Council of the Slovak Republic no. 274/1994 Coll. on the Social Insurance Company, and s. 67 of the Act of the National Council of the Slovak Republic no. 387/1996 Coll. on Employment. | return |
| 5) | Article 26 through to 30 of the Civil Code | return |
| 6) | Article 116 of the Civil Code | return |
| 7) |
For example, Articles 36 and 39 of the Act of the Slovak National Council no. 80/1990 Col. on the Election to the Slovak National Council, as amended by the Act no. 104/1992 Col. and the Act of the National Council of the Slovak Republic no. 157/1994 Coll. |
return |
| 8) | Act of the National Council of the Slovak Republic no. 301/1995 Coll. on Birth Registration Number. | return |
| 9) | For example, Article 7(1) of the Act of the National Council of the Slovak Republic no. 314/1996 Coll. on Prosecution. | return |
| 10) |
For example, Article 38 of the Act no. 21/1992 Col. on Banking, as amended by later legislation, and Article 40 of the Act of the National Council of the Slovak Republic no. 566/1992 Col. on the National Bank of Slovakia. |
return |
| 11) | For example, Articles 121 and 122 of the Act no. 100/1988 Col. on Social Security, as amended by later legislation. | return |
| 12) | Article 3 of the Act of the National Council of the Slovak Republic no. 18/1996 Coll. on Prices | return |
| 13) | Act of the National Council of the Slovak Republic no. 145/1995 Coll. on Administrative Fees and Charges, as amended by later legislation. | return |
| 14) | Article 21 of the Commercial Code | return |
| 15) |
For example, Article 8(2)(g) of the Act of the National Council of the Slovak Republic no. 100/1996 Coll. relating to the protection of state secret, business secret, on the protection of information through scrambling and on the amendment and extension of the Criminal Code, as amended by later legislation, and Article 20a of the Act no. 21/1992 Col. on Banking, as amended by the Act of the National Council of the Slovak Republic no. 58/1996 Coll. |
return |
| 16) | Item 2(a) on he Tariff of Administrative Fees and Charges, annexed to the Act of the National Council of the Slovak Republic no. 145/1995 Coll. on Administrative Fees and Charges, as amended by the Act no. 1/1998 Coll. | return |
| 17) |
Act no. 143/1992 Col. relating to the pay and remuneration for the standing by at work in budgeted and some other organisations and agencies, as amended by later legislation. |
return |
| 18) |
Act no. 119/1992 Col. on
Compensation of Travel Expenses, as amended by the Act of the National
Council |
return |
| 19) | Act of the National Council of the Slovak Republic no. 273/1994 Coll. relating to health insurance, its funding, the establishment of the General Health Insurance Company and the establishment of departmental, branch, enterprise and civic health insurance companies, as amended by later legislation. | return |
| 20) | Act of the National Council of the Slovak Republic no. 274/1994 Coll., as amended by later legislation. | return |
| 21) | The Labour Code. | return |
| 22) | Article 158(1) of the Criminal Procedure Code. | return |
| 23) | Articles 11 through to 16, Articles 442 through to 450 of the Civil Code | return |
| 24) | Act no. 71/1967 Col. on Administrative Proceedings (Administrative Procedure Code). | return |
| 25) | Article 70 of the Act no. 71/1967, and Articles 244 through to 250k of the Civil Procedure Code | return |
| 26) | Article 420 et subseq. of the Civil Code | return |