The General Data Protection Regulation (GDPR) is a body of European legislation of considerable complexity, especially when it comes to its practical implementation. However, Slovakia still lacks models and guidelines from the Office for Personal Data Protection of the Slovak Republic that would make the implementation of the GDPR easier and resolve several open questions. When Slovak law was revised before the implementation of the GDPR, it was hoped that the GDPR would bring about a reduction in obligations and a simplification of mandatory documentation, especially for smaller firms. It now appears from developments in the guidelines of the Office for Personal Data Protection that this might not be the case.
Rather than eliminating notification, record-keeping and registration duties altogether, the GDPR has introduced a new obligation to keep records of processing activities. Under the GDPR, recording processing activities resembles the record-keeping duties previously required. The model issued by the Office for Personal Data Protection clearly indicates that in Slovakia the records will need to be more detailed. For example, the payroll and personnel management information system was previously treated as a single purpose, and an employer provided information on access to the payroll and personnel management processes as one system. Under the new rules, the recommended model advises breaking this down into sub-categories such as health and social insurance contributions, attendance, meal vouchers, and so on. This means that the information provided to employees must also be more detailed. Another new feature is the obligation to state the duration of data archiving for each purpose, which companies were not previously required to address under personal data protection legislation.
One of the fundamental tasks in personal data processing is to identify the legal grounds for processing a given type of personal data. This might include, for example, whether that processing is based on the data subject's consent, a legal obligation, a concluded contract, a legitimate interest of the company, or other grounds defined in the GDPR. Although the GDPR did not substantially redefine the legal grounds involved in the process, there has been a shift in how the Office for Personal Data Protection interprets them since the GDPR entered into effect. While previously the Office would accept legislation as grounds in cases where a law declared personal data processing a permitted action or possibility, it now requires that the law expressly orders the processing of personal data. This means that if, for example, an employer installs cameras to monitor a workplace, the employer must justify it on grounds of the company's legitimate interests, and conduct a test of proportionality.
The test of proportionality is an innovation introduced by the GDPR, and it is not yet clear how the Office for Personal Data Protection will evaluate these tests in practice. The GDPR does not specify the form a test of proportionality should take; it merely states that personal data may be processed on grounds of legitimate interest only if that legitimate interest prevails over the fundamental rights and freedoms of the data subject whose personal data are being processed. It is not stipulated that a test of proportionality must be conducted in written form, or even that the Office or the data subject need to be informed of it. On the other hand, the guidelines of the Article 29 Data Protection Working Party (now replaced by the European Data Protection Board) indicate that a data controller may provide information from the test of proportionality to data subjects. In our experience, a data controller is required to do this if a data subject objects to personal data processing based on a legitimate interest, because disclosure enables the data controller to prove to the data subject that it has satisfied the legal requirements for processing personal data on that basis.
The priorities in obtaining consent for personal data processing are transparency and obtaining consent for each purpose individually. In many cases, consent given under the old system remains in force under the GDPR because the old legislation was interpreted such that an active expression of will was required to indicate consent for each purpose. What is new is the stronger emphasis on providing detailed information when defining the purpose of personal data processing. As an example, if a company obtains consent to process personal data for marketing purposes that it intends to share with other firms in its group, it must also obtain separate consent for that sharing of personal data with a business partner.