Not even a year has passed since Slovakia introduced a new regime on personal data protection in the form of Data Protection Act No. 122/2013 Coll. However, that regime is already subject to an amendment, proving that it has paid off for businesses to cry on the government's shoulder. Consequently, as of 15 April 2014, businesses can look forward to the removal of certain substantial administrative burdens. Please read through a short overview of the novelties introduced by the amendment:
Authorized persons and responsible representatives
The amendment accepts that in practice it is often not only employees, but also persons working on the basis of agreements on performance of work outside of employment relationships who access personal data. Under the new regime, a special authorization for individuals in the latter group can be struck off employers' paperwork agenda, as these persons are now entitled to process personal data by virtue of law.
The appointment of a responsible representative by data controllers processing personal data by 20 or more authorized persons is no longer a must. Should the data controller decide to appoint a responsible representative, such a person may even be its statutory body (or a member thereof), if he or she passes the relevant exam under the auspices of the Slovak Data Protection Office (the "Office").
Data processing documentation
Under the former wording of the Data Protection Act, a data controller was generally obliged to describe the security of its data processing regime in specific documentation, either in security guidelines or in a security project, depending on the nature of data processing. Although the duty to draft a security project in case of more complex data processing was not removed by the amendment, data controllers can be pleased about the abolishment of the obligation to draft security guidelines.
Data controller and data processor relationship
The one-year grace period for ensuring that the relationship between a data controller and a data processor is recorded in writing and deals with prescribed minimum details has been extended by another year; the deadline is now 30 June 2015. Moreover, following the amendment, data processors are no longer obliged to blow the whistle on a data controller if the data controller does not remedy its breach of data processing legislation without undue delay (in any event, within a month).
Registration vs. notification of filing systems
Generally, filing systems in which personal data is processed partially or wholly by automatic means are now subject to free-of-charge notification to the Office, instead of the former registration, which had been subject to a fee. As a result of the notification, the Office assigns an identification number to the filing system. The data controller may start with data processing as of the date of notification and does not have to wait for any official decision. The Office now issues confirmation proving notification of the filing system only upon request. Conversely, the special registration applicable to specific filing systems (e.g. filing systems containing biometric data upon the data subject's consent), which earns the state EUR 50 per registration, remains in place.
Imposition of fines
The amendment affects the relevant sanction mechanism to a great extent. Foremost, the Office's duty to fine in the event of a breach has been eliminated and the maximum imposable amounts of fines have been lowered. However, once the Office decides to impose a penalty that fine will not be lower than EUR 300. At the same time, mandatory fines of at least EUR 1,000 shall continue to discourage non-compliance with: (i) the duty to elaborate a security project, (ii) the duty for data controllers and data processors to enter into written agreements, (iii) the rules on cross-border transfers of data, (iv) the rules on special registration of filing systems, or (v) the obligations involved when processing specific personal data. From the procedural perspective, the amendment helps the Office to overcome problems with unsuccessful deliveries and allows the Office to make use of the legal fiction of delivery. Consequently, decisions imposing fines are deemed delivered upon the lapse of a three-day period after the delivery is returned to the Office.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.