Effective May 25 2018, the existing Data Protection Directive 95/46/EC and the Slovak data protection act will be replaced by the new EU General Data Protection Regulation (GDPR). Although the GDPR will be directly applicable in all EU member states, certain national particularities will remain even after the GDPR comes into force. A new version of the data protection act in Slovakia that accounts for the GDPR is in the process of inter-ministerial consultation and will replace the existing data protection act.
Taking into account digital advancements, the new legislation will also apply to companies that are not physically present in the EU. A 'virtual presence' will be sufficient, so the legislation will also apply to companies that process the personal data of subjects in the EU, offer goods or services to EU citizens or monitor their behaviour in the EU. Therefore, if a company has a website in an EU language, the company may fall within the scope of the GDPR and will be subject to all the obligations set out in the GDPR. Under the GDPR, localisation data, cookies, and email and IP addresses are considered personal data.
The GDPR enshrines the new 'right to be forgotten' but existing Slovak legislation already provides a certain form of this – specifically the right to request the deletion of personal data once the purpose for processing the personal data ceases to exist. The Court of Justice of the European Union already confirmed the 'right to be forgotten' in 2014 in its judgment in the Google Spain case (Google Spain SL, Google Inc v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, 2014). According to the GDPR, the right to be forgotten includes the necessity of erasing internet references to the personal data of the data subject, including search results and archives. However, exercising the right to be forgotten by the data controller does not mean that third parties who copied the personal data must also erase those data.
Measures were also adopted to limit automated individual decision-making, including profiling. Data subjects will have the right not to be subject to a decision that is solely based on automated processing, such as automated refusal of a credit application or elimination of a job applicant as the result of e-recruiting practices without human intervention. Companies will also be required to inform data subjects about the use of profiling and how to object to profiling.
As compared with other EU countries, data controllers in Slovakia are already required to implement relatively time-consuming administration of data processing records that must be kept by practically all companies, even those that only process personal data on a small scale. Nearly every company that processes, for instance, national identity numbers is required to develop a security project, even though the security project is a relatively extensive document. Anyone who processes personal data beyond the scope of the law, and has not designated and registered a data protection officer who has passed the examination administered by the Office for Personal Data Protection of the Slovak Republic is subject to a reporting duty (ie they must report every information system to the Office for Personal Data Protection).
The new legislation does away with some of these obligations such as the reporting, record-keeping and registration obligations, and the obligation to develop a security project. However, companies will be required to keep records of processing operations that take the place of the existing reporting duty. In contrast to the reporting duty, only companies with more than 250 employees and those who process personal data on a large scale will be required to keep these records of processing operations. Rather than a security project, companies will prepare assessments of impact on personal data protection, and this will only apply to companies that process personal data on a larger scale or have more than 250 employees. The Office for Personal Data Protection is expected to issue a list of processing operations that will be subject to an assessment of their impact on protection of personal data. If the impact assessment shows that the processing operations involve high risk, the company will be required to seek an advance consultation with the Office. Although it is not yet clear how the new provisions will be interpreted, we can already infer that compared to the existing situation in Slovakia, particularly concerning smaller companies that do not process personal data on a large scale, there will be a reduction of obligations and a simplification of the required documentation in respect of personal data protection.
Byung Sung