Effective from 1 July 2013, the rules governing data processing in Slovakia will change substantially due to adoption of a new Data Protection Act No. 122/2013 Coll. ("New DPA"). On the one hand, the changes introduced by the New DPA introduce a more relaxed approach, in particular with respect to cross-border transfers of personal data. On the other hand, the New DPA increases requirements for general data protection compliance and also strengthens the sanctioning powers of the Slovak Data Protection Office ("Office"). The main changes introduced by the New DPA are summarised below.
Minimum content requirements for the controller - processor agreement and a new notification obligation for data processors
Unlike under the previous data protection legislation, the New DPA explicitly lays down minimum content requirements for the appointment of a data processor by a data controller. Such an appointment must be executed via a written agreement (a written authorisation is no longer sufficient), which shall include, inter alia, (i) the date from which the data processor is entitled to process personal data, (ii) the list of means of processing, and (iii) the list or scope of personal data to be processed. If so agreed in the agreement, the data processor is entitled to use another person for data processing. Such a sub-contractor, however, always processes the personal data and safeguards its security on behalf of the data processor.
Apart from the minimum content requirements for the controller - processor agreement, the New DPA introduces a new notification obligation on data processors, namely by obliging them to warn the data controller if they discover that the data controller has committed an apparent breach of data protection legislation in the course of data processing (in such a case, the data processor shall also abstain from further data processing, with the exception of urgent data processing operations). If the data controller does not take appropriate action to remedy the breach without undue delay (and in any case within one month of the warning), the data processor is obliged to notify the Office of the case.
New regime of a responsible representative
The status of a person overseeing the data protection compliance at the data controller, i.e. the responsible representative, has also been affected by the New DPA in several ways.
First, for some data controllers, the New DPA eases the requirement to appoint a responsible representative, as only data controllers processing personal data through 20 or more authorised persons are required to appoint a responsible representative (previously, this obligation applied from 5 employees onwards). Those data controllers that are not obliged to appoint a responsible representative shall, however, register their information system with the Office (unless one of the statutory exemptions applies).
Further, the appointment of the responsible representative itself must meet certain formal as well as material requirements, and shall be notified to the Office. Unlike under the former legislation, the New DPA requires that the responsible representative's knowledge of data protection legislation must be tested by the Office through a formal exam, which the representative must pass prior to his/her appointment.
Finally, a person may not be appointed as the responsible representative if he/she acts as a statutory representative of the data controller. However, since an employment relationship is not required by the New DPA, it is possible in our view to appoint an external consultant to the role.
Easier cross-border transfers to countries not ensuring adequate level of protection
The New DPA introduces a less burdensome regime for cross-border transfers of personal data to third countries that do not ensure an adequate level of personal data protection. Under the New DPA, such transfers require the prior consent of the Office only in cases in which the agreement on such a transfer does not comply with standard contractual clauses adopted by the European Commission. Subsequently, the New DPA explicitly stipulates that no prior approval of the Office is required for cross-border transfers implementing the standard contractual clauses to their full extent, or for other cross-border transfers specified in the New DPA, such as transfers based on Binding Corporate Rules.
The sanction mechanism introduced by the New DPA appears to be more stringent than the current legislation, since, under the New DPA, the Office is obliged (not merely entitled) to impose fines on entities processing personal data in breach of the data protection legislation. Also, the fine limits have been increased, with an upper limit of EUR 300,000 in the case of a serious breach. The possibility for the Office to publish decisions on breaches of the data protection regulation, including the violator's identity, has also been added by the New DPA.
Other changes introduced by the New DPA include, for instance, a new regime of security measures to be adopted by the data controller, detailed requirements on the appointment of persons authorised to process personal data, and the introduction of new separate administrative proceedings for the protection of personal data.
The changes introduced by the New DPA will apply to all data processing activities effective from 1 July 2013. However, and more importantly, they will also apply to all data processing activities commenced prior to this date. For this latter case, the New DPA introduces transitional periods during which compliance should be pursued. The transitional periods differ for the individual compliance cases and last from 6 to 12 months from the New DPA's effective date.