The General Data Protection Regulation (GDPR) is a body
of European legislation of considerable complexity, especially
when it comes to its practical implementation. However,
Slovakia still lacks models and guidelines from the Office for
Personal Data Protection of the Slovak Republic that would make
the implementation of the GDPR easier and resolve several open
questions. When Slovak law was revised before the
implementation of the GDPR, it was hoped that the GDPR would
bring about a reduction in obligations and a simplification of
mandatory documentation, especially for smaller firms. It now
appears from developments in the guidelines of the Office for
Personal Data Protection that this might not be the case.
Rather than notification, record-keeping and registration
duties being eliminated altogether, a new obligation to keep
records of processing activities has been introduced. In the
context of the GDPR, the recording of
processing activities is similar to the record-keeping duties
previously required. The model issued by the Office for
Personal Data Protection clearly indicates that in Slovakia the
records will need to be more detailed. For example, the payroll
and personnel management information system was previously
considered one purpose and an employer provided information on
access to the payroll and personnel management information
processes as one system. Under the new rules, the recommended
model advises breaking this down into sub-categories such as
health and social insurance contributions, attendance, meal
vouchers, and so on. This will mean that the information
provided to employees must also be more detailed. Another new
feature introduced is the obligation to state the duration of
data archiving for each purpose, which companies were not
previously required to address under personal data protection
legislation.
One of the fundamental tasks in personal data processing is
to identify the legal grounds for processing a given type of
personal data. This might include, for example, whether that
processing is based on the data subject's consent, a legal
obligation, a concluded contract, a legitimate interest of the
company, or other grounds defined in the GDPR. Although the
GDPR did not substantially redefine the legal grounds involved
in the process, there has been a shift in how the Office for
Personal Data Protection interprets them since the GDPR entered
into effect. While previously the Office would accept
legislation as grounds in cases where a law declared personal
data processing a permitted action or possibility, it now
requires that the law expressly orders the processing of
personal data. This means that if, for example, an employer
installs cameras to monitor a workplace, the employer must
justify it on grounds of the company's legitimate interests,
and conduct a test of proportionality.
The test of proportionality is an innovation introduced by
the GDPR and it is not yet clear how the Office for Personal
Data Protection will evaluate these tests in practice. The GDPR
does not specify the form a test of proportionality should take
and merely states that personal data can only be processed on
grounds of legitimate interest if the legitimate interest
prevails over the fundamental rights and freedoms of the data
subject whose personal data are being processed. It is not
stipulated that a test of proportionality must be conducted in
written form, or even that the Office or the data subject need
to be informed of it. On the other hand, the guidelines of
the Article 29 Data Protection Working Party (now replaced
by the European Data Protection Board) indicate that a data
controller may provide information from the test of
proportionality to data subjects. In our experience, a data
controller is required to do this if a data subject objects to
personal data processing based on a legitimate interest,
because disclosure enables the data controller to prove to the
data subject that it has satisfied the legal requirements for
processing personal data based on a legitimate interest.
The priorities in obtaining consent for personal data
processing are transparency and obtaining consent for each
purpose individually. In many cases, consent given under the
old system remains in force under the GDPR because the old
legislation was interpreted such that an active expression of
will was required to indicate consent for each purpose. What is
new is the stronger emphasis on providing detailed information
when defining the purpose of personal data processing. As an
example, if a company obtains consent to process personal data
for marketing purposes that it intends to share with other
firms in its group, it must also obtain separate consent for
that sharing of personal data with a business partner.
Radka Sláviková-Geržová
Zuzana Lenzova