Frequently Asked Questions (FAQ)

Questions regarding the application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which repeals Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "Regulation") and Act No. 18/2018 Coll. on the protection of personal data (hereinafter referred to as "Act No. 18/2018 Coll.") and their relationship to the previous legislation are many; we have selected for you the most frequently repeated ones. We believe that they will help you.

The legal texts to which we refer in the text of the questions and answers can be found in the section Legislation and jurisprudence -> National legislation and European legislation.

Questions and answers

From what date will it be necessary to proceed according to the new legislation, i.e. according to the Regulation and Act No. 18/2018 Coll.? adjusted

The Regulation began to be applied in practice and Act No. 18/2018 Coll. entered into force on 25/05/2018. The previous Act No. 122/2013 Coll. and two office decrees (Decree No. 164/2013 Coll. and Office Decree No. 165/2013 Coll.) became ineffective on 24/05/2018, i.e. from 25/05/2018 all those who process personal data of natural persons must process them in accordance with the Regulation and Act No. 18/2018 Coll.

Since May 25, 2018, both the Regulation and Act No. 18/2018 Coll. apply. Why? adjusted

The Regulation is directly applicable in the legal order of the Slovak Republic, i.e. it has become a direct part of the Slovak legal order and directly imposes rights and obligations that subjects must comply with.

Act No. 18/2018 Coll. is the result of harmonizing Slovak national legislation with the Regulation. In addition, Act No. 18/2018 Coll. regulates some areas which the Regulation directly determined that Member States must regulate, or in which Member States may regulate some processing activities with regard to national legislation. It is therefore necessary to follow both regulations.

Another reason for the adoption of Act No. 18/2018 Coll. in the form in which it is published in the Collection of Laws of the Slovak Republic is that Art. 2 par. 2 letter a) of the Regulation states that "This Regulation does not apply to the processing of personal data in the framework of an activity that does not fall within the scope of Union law". This means that there are certain processing activities in which personal data is processed but to which the Regulation cannot be applied, as these activities are not regulated by Union law. It is precisely for these rare processing activities that the Act was adopted in a wording "almost identical" to the Regulation, so that even when the processing does not fall under Union law and the operator proceeds according to Act No. 18/2018 Coll., the operator does not have to proceed differently than when processing personal data according to the Regulation. The exception from the substantive scope of the Regulation referred to in Art. 2 par. 2 letter a) must be interpreted restrictively. The aim of this provision is to exclude from the scope of the aforementioned Regulation the processing of personal data carried out by state authorities in the course of activities.

Act No. 18/2018 Coll. is also the law whose third part transposes Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in the processing of personal data by competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offences, or for the purposes of enforcing criminal sanctions and on the free movement of such data and on the repeal of the framework decision (hereinafter referred to as the "Directive"). Accordingly, if personal data are processed by competent authorities for the purposes of preventing, investigating, detecting or prosecuting criminal offences or for the purposes of enforcing criminal sanctions, the competent authorities will proceed precisely according to this third part of the Act, which concerns only competent authorities in the position of operators. According to § 3 par. 3 of Act No. 18/2018 Coll., the competent authorities are the Police Force, the Military Police, the Corps of Prison and Judicial Guards, the Financial Administration, the Prosecutor's Office and the courts of the Slovak Republic.

So when is it necessary to proceed only according to Act No. 18/2018 Coll., and when according to both Act No. 18/2018 Coll. and the Regulation? adjusted

Situation A: If it concerns the processing of personal data within the scope of the operator's activity which falls under Union law, the Regulation will apply to the operator, but also Act No. 18/2018 Coll., with the exception of its 2nd and 3rd parts; that is, from Act No. 18/2018 Coll. the first part, except § 2 and § 5, and subsequently the fourth to sixth parts will be relevant for the operator. This concerns, for example, the processing of personal data by banks, schools, medical facilities, and the processing of personal data in e-shops.

Situation B: If it concerns the processing of personal data as part of an activity of the operator which does not fall under Union law, and the operator is not a competent authority, Act No. 18/2018 Coll. applies, except for its third part.

Situation C: In the case of processing of personal data by the operator in the capacity of a competent authority, the competent authority will process the personal data of natural persons for the purpose of preventing, investigating, detecting or prosecuting criminal offences or for the purpose of enforcing criminal sanctions pursuant to Act No. 18/2018 Coll., specifically its first part and third to sixth parts, with regard to some provisions from the second part. This will be, for example, the processing of personal data of a person accused of a crime, when his personal data is processed by the prosecutor's office or the court.

Division of Act No. 18/2018 Coll. by situation:

  • Situation A: Processing of personal data within the scope of activities that fall within the scope of Union law
  • Situation B: Processing of personal data as part of an activity that does not fall within the scope of Union law
  • Situation C: Processing of personal data for law enforcement purposes

PART ONE: Basic provisions, § 1 to 5
  • Situation A: § 1, § 3 and § 4
  • Situation B: The entire section applies.
  • Situation C: The entire section applies.

PART TWO: General rules of personal data protection, § 6 to 51 (principles of personal data processing; rights of the data subject; rights and obligations of the operator and intermediary; transfer of personal data to a third country or international organization)
  • Situation A: This section does not apply.
  • Situation B: The entire section applies.
  • Situation C: Only § 6, § 8, § 9, § 11, § 12, § 13 par. 2, § 29, § 31, § 32, § 33 par. 1 and 3, § 34, § 36, § 37, § 39, § 40, § 41, § 42 par. 1 to 5 and 7, § 44, § 45, § 46, § 48 par. 1 and § 50

PART THREE: Special rules for the protection of personal data of natural persons during their processing by the competent authorities, § 52 to 77 (principles of personal data processing; rights of the data subject; rights and obligations of the competent authority and the intermediary; transfer of personal data to a third country or international organization)
  • Situation A: This section does not apply.
  • Situation B: This section does not apply.
  • Situation C: The entire section applies.

PART FOUR: Special situations of legal processing of personal data, § 78 and 79
  • Situation A: The entire section applies.
  • Situation B: The entire section applies.
  • Situation C: The entire section applies.

PART FIVE: Authority, § 80 to 106 (position, scope and organization of the office; code of conduct, certificate and accreditation; control; proceedings on the protection of personal data; administrative offences)
  • Situation A: The entire section applies.
  • Situation B: The entire section applies.
  • Situation C: The entire section applies.

PART SIX: Common, transitional and final provisions, § 107 to 112
  • Situation A: The entire section applies.
  • Situation B: The entire section applies.
  • Situation C: The entire section applies.

So when is it necessary to proceed only according to Act No. 18/2018 Coll., and when according to both Act No. 18/2018 Coll. and the Regulation? adjusted

The Regulation excludes processing for the purposes of the Directive from its substantive scope. This means that they are two separate pieces of legislation that are used independently of each other. Therefore, the Regulation does not apply to the processing activities of the competent authorities for the purposes specified in the Directive, specifically for the purposes of preventing, investigating, detecting or prosecuting criminal offenses or for the purposes of enforcing criminal sanctions. However, if the competent authority processes personal data for purposes other than the purposes of this Directive, the Regulation shall apply, unless the processing is carried out within the scope of an activity that does not fall within the scope of Union law. The Regulation applies to the processing of personal data by a recipient who is not a competent authority within the meaning of the Directive and to whom the personal data has been lawfully provided by the competent authority.

Some concepts from the current Act No. 122/2013 Coll. were dropped and are not found in the Regulation, or are only mentioned in the text of both the Regulation and Act No. 18/2018 Coll. Why? adjusted

As stated directly in its full title, the Regulation repeals Directive 95/46/EC, which was transposed into Act No. 122/2013 Coll. Directive 95/46/EC dates from 1995, when the processing and protection of personal data was at a different level, both with regard to the means by which personal data were processed (application development was at its beginning, camera systems were of lower quality and had lower resolution, the use of mobile phones was in its early days) and with regard to the quantity in which they were processed. The process of globalization (use of cloud services) also has its share in the addition or deletion of some terms. Especially with regard to the development of technologies and of the ways in which personal data can be processed, terms such as profiling, pseudonymization and breach of personal data protection were added to the Regulation and defined in it.

In the context of concepts, Act No. 18/2018 Coll. mentions the concept of a log, but the Regulation does not. Why? adjusted

Logging is a record of the user's activity in an automated information system, i.e. logging can be considered a form of security measure on the basis of which the operator or intermediary can find out who (for example, which of his employees) was in the system, what he did with personal data in it, and when he did it. Logging is an effective measure aimed at ensuring controlled (authorized) access to the information system and to the means through which personal data is processed, stored and transmitted. Through logging, we can reveal e.g. a violation of confidentiality (unauthorized access), a violation of integrity (unauthorized change of data), a violation of availability (deletion), or e.g. an attempt to penetrate the environment, and others.

The concept of a log is included in Act No. 18/2018 Coll. because the Directive imposes the obligation to log on operators that are competent authorities (for the obligation to introduce logging, see in more detail § 110 paragraph 10 of Act No. 18/2018 Coll.); regular operators can therefore introduce logging, but it is not an obligation for them. However, implementing logging is an excellent tool for monitoring data protection, i.e. for checking all relevant processing operations. We recommend that the operator does not underestimate the introduction of logging and pays due attention to the logs and the information that these logs should contain. It is important that logs are regularly evaluated, because suspicious reports can often reveal e.g. serious security threats.

Of the basic concepts defined in the Regulation and Act No. 18/2018 Coll., the concept of authorized person was dropped, and in this context the text of the Regulation and Act No. 18/2018 Coll. does not even contain the so-called "instructing an authorized person". Does this mean that the operator and intermediary no longer have to, or cannot, instruct their employees or persons who process personal data for them? adjusted

It is true that the concept of an authorized person and the instruction of an authorized person dropped out of the text of the Regulation and Act No. 18/2018 Coll.; nevertheless, the Regulation and Act No. 18/2018 Coll. continue to impose on the operator and intermediary the obligation to authorize and give instructions to persons who process personal data for them.

We would like to draw attention to Art. 29 and Art. 32 par. 4 of the Regulation, on the basis of which "The intermediary and any person acting on the authority of the operator or the intermediary who has access to personal data may process such data only on the basis of the instructions of the operator, except in cases where this is required by Union law or the law of a Member State." and "The operator and the intermediary shall take steps to ensure that any natural person acting on the authority of the operator or the intermediary who has access to personal data processes such data only on the basis of the instructions of the operator, except when required by the law of the Union or the law of a Member State.".

The provisions cited above mean that the operator/intermediary is obliged to instruct natural persons processing personal data for him.

You can find more information in the document Authorized person and instruction of the authorized person according to the new legislation.

What is the difference between pseudonymized data and anonymized data? New

Pseudonymized data are personal data that are processed in such a way that they can no longer be assigned to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not assigned to an identified or identifiable natural person. Pseudonymized data continue to fall under personal data protection, as they continue to be viewed as personal data.

Anonymized data is information that does not relate to an identified or identifiable natural person. The process by which personal data is modified in such a way that the person concerned is no longer identifiable is called anonymization. Data protection principles should not apply to anonymous information. Even personal data that has been anonymized should be considered as personal data relating to a third party to the extent that it is of such a nature that it can be attributed to an identifiable natural person through the use of additional information. To determine whether a natural person is identifiable, all means that are reasonably likely to be used by the controller or any other person, for example singling out, to directly or indirectly identify the natural person should be taken into account. To find out

As part of determining the "categories" of personal data that belong to a special category of personal data, have there been any changes since 5/25/2018? adjusted

Act No. 122/2013 Coll. recognized a special category of personal data, which was listed directly in § 13. The change that came into effect on 25/05/2018 is that the birth number has been removed from the special categories of personal data and, from 25/05/2018, is no longer a special category of personal data. According to the Regulation, genetic data and biometric data processed for the individual identification of a natural person also belong to a special category of personal data.

The Slovak Republic adopted a new regulation of the processing of the birth number as a national identifier in § 78 par. 4 of Act no. 18/2018 Coll., based on the enabling provision of the Regulation in Art. 87. It is still valid that it is forbidden to publish the birth number, only the person concerned has the right to publish the birth number.

Personal data related to guilty pleas for crimes and misdemeanors were also removed from the current list of sensitive personal data; they became a separate category of personal data and are listed in Art. 10 of the Regulation.

Is the information that a certain person injured his leg and is partially unable to work personal health information? New

Yes, such data is health-related data and therefore represents a special category of personal data. Health-related data deserves greater protection, as the use/processing of such sensitive data may have serious adverse consequences for data subjects. Data related to health needs to be interpreted broadly, so that it includes information related to all components of a person's health, physical as well as mental. For the lawful processing of such personal data, it is necessary to have a legal basis from Art. 6 par. 1 of the Regulation and to fulfill the additional condition from Art. 9 par. 2 of the Regulation.

Where can I find the legal basis for processing personal data according to the Regulation? adjusted

The processing of personal data should first of all be lawful, that is, carried out in accordance with the law and good morals, and it should also be carried out on a relevant legal basis. This is explained in more detail in Art. 6 of the Regulation, which is dedicated to the conditions of lawful processing, i.e. the legal bases contained in this provision.

The legal bases are listed in Art. 6 par. 1 letters a) to f) of the Regulation (or in § 13 paragraph 1 letters a) to f) of Act No. 18/2018 Coll.). On the other hand, the legal bases are not listed in Art. 9 of the Regulation, which is a provision that needs to be understood as containing exceptions to the prohibition of processing a special category of personal data: according to Art. 9 par. 1 of the Regulation, the processing of special categories of personal data is prohibited, and Art. 9 par. 2 letters a) to j) of the Regulation contains exceptions which, if fulfilled, allow the operator to process this data as well. However, the legal basis for the processing of a special category of personal data must subsequently be sought in Art. 6 par. 1 of the Regulation, since the fulfillment of an exception from Art. 9 par. 2 alone is not sufficient as a legal basis for processing.

You can find more information in the document Methodological guideline no. 2/2018 - Lawfulness of processing. Updated version from 01.22.2019.

How can I, as an operator, fulfill the principle and condition that the processing of personal data that I carry out is in accordance with Act No. 18/2018 Coll. and the Regulation? With what documents and what measures will I prove it? adjusted

Compliant processing of personal data can be considered to be processing in accordance with the principles of processing established in Art. 5 of the Regulation. Processing compliance can only be achieved by introducing and applying measures. It is not enough to introduce measures only formally; their application and observance in practice is extremely important for achieving and demonstrating compliance with the Regulation. The operator has an obligation to protect personal data and, for that purpose, to take all feasible measures, both of a technical and a personnel nature.

For example: the operator determines in an internal directive the exact scope of personal data that is necessary to achieve the purpose. Despite this, when processing personal data, it acquires and processes personal data beyond this scope, which are not necessary for the given purpose. Such processing cannot be considered compliant processing, as the operator has not applied the principle of minimization. Measures were adopted (described in the directive), but were not implemented in practice.

Simply put, in order to achieve compliance, the operator should have adopted and implemented measures/procedures/means which ensure that, when processing personal data, the following applies in particular:

  • the operator can demonstrate that there is a valid legal basis for processing personal data,
  • the operator can prove that the person concerned is provided with all necessary information about the processing before the processing of personal data begins,
  • the operator can demonstrate that it keeps records of processing activities,
  • the operator can demonstrate that the acquisition and processing of the personal data of the affected persons is carried out only for specific purposes and at the same time can demonstrate that the personal data is not processed for a purpose that is not compatible with these purposes,
  • the operator can demonstrate that it processes only such a range of data that is reasonable and limited to the range of data that is necessary to achieve the specified purpose, i.e. processes only those data that are really necessary to achieve the stated purpose,
  • the operator can demonstrate that it processes only correct current data, i.e. measures have been applied to ensure that the data are up-to-date from the point of view of the purpose (e.g. the client's contact details must be correct, otherwise the purpose for which they were intended will not be achieved, i.e. communication with the client would not be ensured),
  • the operator can demonstrate that the processed personal data are stored for a period that depends on the purpose of their processing,
  • the operator can demonstrate that, when processing personal data, he has introduced and actually applies measures (technical and organizational) to ensure that there is no accidental or illegal destruction, loss, alteration, unauthorized provision during their transfer, storage, processing or unauthorized access to them and others,
  • the operator can prove that the intermediary and any person acting on the authority of the operator or the intermediary who has access to personal data only processes this data based on the instructions of the operator. We recommend formulating the instructions of the operator in such a way that it is clear what should be applied in the given processing activity, so that personal data is protected and processed in accordance with the principles, or define what is allowed and what is prohibited in the processing of personal data,
  • the operator can demonstrate that, if it uses an intermediary for data processing, it has concluded an intermediary agreement with him; in the case of joint operators, it is necessary for them to have a mutual agreement concluded between them, selected parts of which they are obliged to provide to the persons concerned,
  • the operator can demonstrate that, in the event of a breach of protection, he notified the breach to the supervisory authority, or to the affected persons,
  • the operator can demonstrate that it keeps records of all violations of personal data protection,
  • the operator can demonstrate that he has carried out an impact assessment for the processing for which its execution is mandatory.

The operator is responsible for the compliance of personal data processing and the fulfillment of obligations under the Regulation. The operator cannot delegate this responsibility to someone else.

I am an operator who processes personal data of clients on the basis of consent, do I have to obtain new consent from clients based on the onset of new legislation, when nothing has changed in the course of processing? adjusted

We bring to your attention § 110 par. 11 of Act No. 18/2018 Coll.: "Consent to the processing of personal data granted according to the current law, which is in accordance with this law or a special regulation [Regulation] is considered to be consent to the processing of personal data according to the regulations effective from May 25, 2018.". If the consent you obtained from the client meets all requirements according to the Regulation and Act No. 18/2018 Coll. (that is, the person concerned has expressed consent to a specific operator with the processing of specific personal data for a defined purpose or purposes; Article 7, paragraph 1 of the Regulation), it appears that, on this legal basis, i.e. consent obtained pursuant to Act No. 122/2013 Coll., you could continue to process the client's personal data on the condition that you complete the information obligation, i.e. information according to Art. 13 of the Regulation (current § 15 paragraph 1 of Act No. 122/2013 Coll.). Assessing the compliance of consent obtained by 24/05/2018, including assessing the possibility of continuing the processing based on the given consent, is the responsibility of each operator.

In the event that the assessment is in favor of the previously obtained consent and the operator completes the information obligation towards the affected person according to Art. 13 of the Regulation, it is not necessary to obtain a new consent just because the old one contains a reference to Act No. 122/2013 Coll.

You can find more information in the document Guidelines for consent according to regulation 2016_679 - part 8. 

What should consent look like according to the Regulation? adjusted

When obtaining consent, it is necessary to pay attention to the principle of transparency; that is, if the consent appears within another document, it must be distinguished from the other parts and contents of the document, for example by a bold font or a font of a different color, so that the person concerned clearly perceives this consent and does not "pass it over in the reading" without noticing.

It is also necessary that the person concerned can withdraw his consent and is clearly informed about this right, and also that he can withdraw his consent as easily as he gave it (for example, if he gave his consent by clicking on a "checkbox", he should also have the option to withdraw it electronically, in the same way as it was granted).

The operator must not use conditionality when obtaining consent; that is, the granting of consent must not be tied, for example, to the provision of a service and formulated in such a way that if the person concerned "does not agree to marketing", he cannot order goods from the e-shop at a discount, etc.

You can find more information in the document Guidelines for consent according to regulation 2016_679.

Is it possible to obtain consent other than in writing or electronically? adjusted

According to Art. 4 par. 11 of the Regulation, the consent of the person concerned is "any freely given, specific, informed and unequivocal expression of the will of the person concerned, by which, in the form of a statement or a clear affirmative act, he expresses his consent to the processing of personal data concerning him". It follows from the very definition of consent that consent is any manifestation of the will of the person concerned, provided it meets the requirements stated in the definition; i.e. consent can also be obtained, for example, by a recording via phone or a recording on a camera, subject to the provision of information pursuant to Art. 13 of the Regulation at the latest at the time of obtaining consent. The operator must not forget the principle that he is obliged to prove that consent was obtained, that is, for example, to keep paper consents, to keep recordings of consents, or to have electronically provided consents stored, for example, in an archive.

What does a child's consent to information society services mean? adjusted

The consent of a person under the age of 16 to information society services means that if a person under the age of 16 wants to use information society services and it is necessary to give consent to the processing of personal data for this purpose, this consent will either be given by the person under the age of 16 and approved and confirmed to the operator by his parent/legal representative/guardian appointed by the court, or be provided directly on behalf of the child under 16 by his parent/legal representative/guardian appointed by the court; only in that case will the operator lawfully process the personal data of a person under the age of 16.

We would like to emphasize that the consent only concerns the use of information society services, and does not in any way restrict persons under the age of 16 from, for example, entering into an agreement on part-time work, when the legal basis for processing their personal data will be the agreement itself, i.e. Art. 6 par. 1 letter b) of the Regulation. The consent of a parent or guardian is not required in the case of preventive or counseling services offered directly to the child. For example, the provision of child protection services offered to a child through an online chat service does not require prior parental consent.

Information society services are defined in Directive 2015/1535/EC, and in the conditions of the Slovak Republic, this is transposed into Act No. 22/2004 Coll. on electronic commerce, where information society services as a concept are explained and examples are also given of what is not considered an information society service.

You can find more information in the document Guidelines for consent according to regulation 2016_679 - part 7.1.1.

How to deal with the rights of the affected person and how to inform the affected person? adjusted

The operator is obliged to deal with and respond to the exercise of a right by the person concerned without undue delay, but no later than one month after the person concerned exercised the right. If the operator is unable, for objective reasons, to implement the right of the person concerned within one month, he may extend the deadline by a maximum of two additional months, and is obliged to inform the person concerned about such an extension. The operator is obliged to provide the answer by the same means by which the data subject exercised the right, unless the data subject himself indicated that he would prefer the answer in a different way.

In the event that the operator cannot comply with the right of the person concerned, he has a maximum of one month within which he must inform the person concerned that he will not comply with the right and state the reasons why, and also provide him with information that in this case he can submit a proposal to initiate personal data protection proceedings with the office.

It is good practice for the operator to have an internally set process for how and by whom the requests of the affected persons will be handled within the operator/intermediary, i.e. designated persons, procedures and possibly also an internal methodology.

You can find more information on the rights of data subjects at this link: Rights of data subjects.

According to Art. 13 and 14 of the Regulation, in the position of the operator, we are obliged to provide information to the person concerned, to fulfill the information obligation, but the Regulation is not specific as to how the operator should fulfill/perform it in practice. What specific variants of fulfilling the information obligation are considered possible/suitable? adjusted

The Regulation obliges the operator to provide the affected person with information pursuant to Art. 13 or 14 of the Regulation and at the same time does not establish a specific form in which the operator should do this. It is appropriate that the operator fulfills the information obligation in accordance with Art. 12 par. 1 of the Regulations, that is, that this is fulfilled "in a concise, transparent, comprehensible and easily accessible form, formulated clearly and simply, especially in the case of information intended specifically for children. Information shall be provided in writing or by other means, including, where appropriate, electronic means. If the data subject has requested it, the information can be provided verbally, provided that the identity of the data subject has been proven in another way.": It is therefore possible for the operator to clearly explain the specific purpose of the processing, or all of them together, fulfilled the information obligation according to Art. 13/14 of the Regulations by firstly publishing the information in the form of a document on its website, publishing a printed version of the document on an official notice board, if it has one and/or on a bulletin board, being willing to print this information at a branch/brick and mortar store at the request of the person concerned, will provide the information as an e-mail attachment, or the information will be provided in the application through which the operator obtains the personal data of the person concerned.

The information obligation should not be neglected when processing personal data with a camera system either. Here the information obligation under Art. 13 can be fulfilled, for example, by placing at least the basic information under Art. 13 par. 1 of the Regulation on a sticker under the camera, stating that the affected person can find more detailed information under Art. 13 of the Regulation on the operator's website www.menofirmy.sk or at the operator's reception, etc. In the case of camera systems, it is desirable to specify the monitored area if this cannot be determined logically by observation, for example by stating that operator XY (for example, the municipality) is the operator of the camera system and that the monitored area is the streets Pekná, Vajanského, Chlumeckého / this street, and so on; we think,

Each operator is obliged to fulfill the information obligation, regardless of whether it determined the purpose of processing itself or the purpose follows from a separate law. The operator must also fulfill the information obligation towards each affected person, i.e. towards clients (natural persons) as well as towards its employees, or towards the participants in proceedings, if it conducts proceedings, at the latest at the time of obtaining the personal data.

The purpose of the notification is to provide the affected person (i.e. an employee of the operator, a client of the bank, a parent of a student at school, a client of an e-shop, an actor in a theater, a patient of a doctor) with information about what kind of personal data about them is being processed by the entity in the position of the operator.

You can find more information in the Transparency Guidelines document.

You can find more information on providing information in the case of camera processing in the document Guidelines for the processing of personal data through camera devices_v 2.1 - section 7.

What is the difference/relationship between the right of access to personal data and the right of access to documents? New

The right of access to documents and the right to the protection of personal data have different goals.

The first right concerns ensuring the greatest possible transparency of the decision-making process of public authorities, as well as the information on which their decisions are based. Its aim is therefore to facilitate the exercise of the right to access documents as much as possible and to support proper official procedure.

The second right aims to ensure the protection of the fundamental rights and freedoms of natural persons, especially their privacy, when processing personal data. The aim of the Regulation is not to facilitate the exercise of the right of access to documents.

In other words, the asserted right to access data cannot be equated with the right to access entire documents.

If the search engine provider complies with the request to remove links according to Art. 17 par. 1 of the Regulation, is it obliged to carry out this removal in all versions of its search engine? New

Currently, there is no obligation under Union law for a search engine provider that complies with the request of the affected person to remove links, possibly following an order from a supervisory or judicial authority of a Member State, to carry out such removal in all versions of its search engine (but Union law does not prohibit this either).

As regards the question of whether such de-linking must be carried out in the versions of the search engine corresponding to the Member States or only in the one version of that search engine corresponding to the Member State in which the person entitled to de-linking resides, such removal should in principle be carried out for all Member States. This is also justified by the fact that the Union legislator has currently established rules in the field of data protection by means of a regulation that is directly applicable in all Member States. The aim is to ensure a consistent and high level of protection throughout the Union and to remove obstacles to the flow of personal data within the Union (recital 10 of the Regulation). You can find more information in the document Guidelines for criteria related to cases of application of the right to be forgotten in search engines according to the general regulation on.

How do I find out that the communication I carry out falls under direct marketing? New

In order to be able to assess whether your activity is direct marketing, it is necessary to take into account whether the communication follows a business purpose and is directly and individually addressed to the consumer. The fact that the consumer of this communication is chosen at random or predetermined does not affect this. For example, when sending an advertisement via e-mail, it is not important whether the advertisement is addressed to a predetermined and individually identified recipient, or whether it is a mass and random sending to a large number of recipients.

According to the legislation of the Slovak Republic, can an organizational component of a foreign person (the foreign person is based in the Czech Republic) acquire rights and obligations as an operator for the purposes of processing personal data? Will the determining factor of the position of the operator be that the organizational component determines the purpose and means of personal data processing? New

An important factor in this case is whether both entities, the organizational component and the foreign person, have their own legal personality, or whether only one of them has legal personality. In the event that only one of them has legal personality, from the point of view of personal data protection, it will be responsible for the processing and thus will be in the position of the operator. This entity must also be listed as an operator, e.g. in the information obligation. The second entity, which does not have legal personality, will not have the status of either an operator or an intermediary.

Currently, we are inclined to the opinion that the founder of the organizational unit should be considered the operator, not the organizational unit of the foreign legal entity itself (if it does not have legal personality). The main objective of the Regulation is to ensure a high level of protection of natural persons and to ensure that natural persons are not denied the protection to which they are entitled. This approach to the organizational component of a foreign legal entity will ensure a higher level of protection of the personal data of the persons concerned, as well as ensure the enforceability of the provisions of the Regulation.

What if I do business together with another company and we decided together, for example, to organize a competition, i.e. the two of us determined the purpose and means of processing and the two of us participate in one purpose of processing towards the contestants? What is the mutual relationship between us? adjusted

In this case, you are joint operators according to Art. 26 of the Regulation. An agreement according to Art. 26 of the Regulation must be concluded between such operators, and they are obliged to provide its basic parts to the affected persons, so that the affected persons know that this particular processing is carried out by joint operators.

You can find more information in the document Guidelines on the concepts of operator and intermediary under the General Data Protection Regulation - Part I, Chapter 3 and Part II, Chapter 2.

Who is an intermediary according to the Regulation? adjusted

An intermediary is anyone who processes personal data of natural persons on behalf of the operator on the basis of a contract concluded with the operator pursuant to Art. 28 par. 3 of the Regulation.

The basic link of the processing chain is the operator; the intermediary processes personal data on his behalf, on the legal basis determined/established by the operator, i.e. the intermediary does not acquire a new legal basis for the processing of personal data, since it processes personal data on the legal basis of the operator.

It is often the case that another intermediary, also called a sub-intermediary, can enter the operator-intermediary relationship.

The operator can set the contract with the intermediary in such a way that it specifically allows him to involve another intermediary in the process, but establishes specific conditions that the other intermediary must fulfill in order to be involved in the processing.

In the "intermediary" contract according to Art. 28 par. 3 of the Regulation, the operator can also determine, only in general, that the intermediary may involve another intermediary in the process, without defining that intermediary's characteristics in detail; in this case, the intermediary is obliged to inform the operator about the involvement of the subcontractor so that the operator can approve the potential subcontractor or reject its involvement.

In the contract between the operator and the intermediary, the operator can also stipulate that the involvement of another intermediary is not possible and prohibit it.

You can find more information in the document Guidelines on the concepts of operator and intermediary under the General Data Protection Regulation - Part I, Chapter 4 and Part II, Chapter 1.

You can find out more information about the mediation agreement at this link: Standard contractual clauses - mediation agreement.

According to the previous legislation, it was necessary for the operator to keep records of the information systems in which it processes personal data, or to send a notification to the office, or it was necessary for the office to issue a decision and for the personal data information system to obtain a so-called special registration. Is such a division of information systems and the notification obligations associated with it still mandatory? adjusted

Under the Regulation there are no records of information systems, no notification of an information system to the office, and no request to the office for special registration of an information system. However, the operator and the intermediary are obliged to keep records of processing activities (Article 30 of the Regulation). The records are not sent to the office; the operator/intermediary keeps them itself and sends them only if the office requests them, not on its own initiative. The records formally replaced all three of the above-mentioned documents, i.e. registration letters, notices and special registrations.

Art. 30 par. 5 of the Regulation contains an exception to the obligation to keep records.

You can find more information about the records on the website in the section Sample Records of Processing Activities.

Art. 32 par. 1 of the Regulation mentions security measures and, among others, encryption or pseudonymization. Are these mandatory? From now on, does every operator/intermediary have to encrypt when processing personal data? adjusted

No, the mention of encryption or pseudonymization in Art. 32 par. 1 letter a) of the Regulation is only an example of possible security measures that the operator can implement. Under Art. 25 of the Regulation, the operator is obliged to assess the selection and application of suitable technical and organizational measures, both at the time of determining the means of processing and at the time of the processing itself, with regard to the nature, scope, context and purposes of the processing, as well as the risks of varying probability and severity that the processing represents for the rights and freedoms of natural persons.

What are the examples of technical security measures that can be applied in the context of personal data processing based on the specific conditions of the operator or intermediary in its environment?

For example:

Securing the object using mechanical means of prevention (e.g. lockable doors, windows, gratings) and, if necessary, also using technical means of security (e.g. the object's electrical security system, electric fire alarm system).

Prevention of accidental viewing of personal data from display units of the information system (e.g. appropriate placement of display units).

Encryption of the content of data carriers and encryption of data transferred via computer networks.

Identification, authentication and authorization of persons in the information system.

Creating backups with pre-selected periodicity.

Secure deletion of personal data from data carriers.

Detection of the presence of malicious code in incoming e-mail and other files received from a publicly accessible computer network or from data carriers.

Rules for access to a publicly accessible computer network (e.g. preventing connection to certain websites).

What are the examples of organizational security measures that can be applied in the context of personal data processing based on the specific conditions of the operator or intermediary in its environment?

For example:

Definition of personal data to which a specific person should have access for the purpose of fulfilling his duties or tasks.

Instruction of persons on procedures associated with automated means of processing and related rights and obligations (on the operator's premises and outside these premises).

Key management (individual allocation of keys, safe storage of spare keys).

Mutual representation of persons (e.g. in the event of an accident, temporary incapacity for work, termination of employment or similar relationship).

Determination of personal data disposal procedures with the definition of the related responsibility of individual persons (secure deletion of personal data from data carriers, disposal of data carriers and physical carriers of personal data).

A business company based in the EU (not in the Slovak Republic), which is the parent company of a Slovak business company (based in the Slovak Republic), notified the competent supervisory authority in the state of its headquarters that there has probably been a violation of the protection of personal data that it processes (hacking into its information system, which is also shared by its Slovak subsidiary, i.e. it is a cross-border flow of data within the EU). Given that it may also be data relating to the affected persons in the Slovak Republic, we would like to verify whether it is necessary for the Slovak (subsidiary) business company to notify the Office for the Protection of Personal Data of the Slovak Republic of this fact, referring to the provisions of Article 56 of the Regulation, since the main operation is outside the Slovak Republic in the EU state where the parent company is headquartered, which made the notification to the supervisory authority in the country of residence? New

If a breach occurs in the context of cross-border processing and notification is required, the operator will have to submit a notification to the lead supervisory authority. Therefore, when developing a breach response plan, the operator must assess which supervisory authority is the lead supervisory authority to which it will submit a notification. This will allow the operator to respond to the breach immediately and fulfill its obligations under the article. It should be clear that in the case of a breach related to cross-border processing, a notification must be made to the lead supervisory authority, which is not necessarily located where the data subjects concerned are or where the breach occurred. When submitting a notification to the lead supervisory authority, the operator should indicate, if necessary, whether the breach concerns establishments located in other Member States, as well as in which Member States data subjects were likely to be affected by the breach. If the operator has any doubts about the identity of the lead supervisory authority, it should at least notify the local supervisory authority at the place where the breach occurred.

For more information, see the Privacy Breach Notification Guidelines document.

You can find more information on determining the lead supervisory authority in the document Guidelines for the appointment of the leading supervisory body of the operator or intermediary.

Is there a list of processing operations for which I am obliged to carry out an assessment of the impact on data protection, i.e. the so-called blacklist? New

Yes, the office has adopted and published a list of such operations. This list is available at this link: List of processing operations subject to an impact assessment.

Is there a list of processing operations for which I am exempt from performing a data protection impact assessment, i.e. the so-called whitelist? New

No, the office has not adopted such a list. The Regulation does not make the adoption of such a list mandatory.

Is the authorization of the responsible person mandatory from 25/05/2018? adjusted

Designation or authorization of a responsible person is not mandatory for all operators or intermediaries. The operator or intermediary must appoint a responsible person only if the processing of personal data is carried out by a public authority (with the exception of courts in the exercise of their judicial authority), or if the main activities of the given operator or intermediary are processing operations that consist in regular and systematic monitoring of natural persons on a large scale, or in the processing of a large amount of data belonging to a special category of personal data or to the category of data related to recognition of guilt for criminal offenses and offenses.

You can find more information in the document Guidelines regarding responsible persons - section 2.1.

I am an operator or an intermediary who must have a responsible person authorized, who can that person be?

The responsible person should be a natural person who will fulfill the obligations arising from the Regulation as a responsible person. It can be an employee of the operator or intermediary, it can be an external natural person, or it is possible to conclude a contract with a legal entity; in that case the contract specifically determines who within the company providing these services will hold the position of responsible person in relation to the specific operator/intermediary.

I am an operator/intermediary who must have a designated responsible person, but this is demanding for me financially and in terms of staff. What should I do? adjusted

Under Art. 37 par. 2 and 3, the Regulation allows operators or intermediaries, if possible and if their organizational structure allows it, to appoint one responsible person jointly. It is therefore possible that, for example, several schools within the founding competence of a region have one responsible person.

You can find more information in the document Guidelines regarding responsible persons - section 2.3.

You can find more information on the authorization of a responsible person in the environment of municipalities and cities in the document Methodological guideline no. 1/2018 - Institute of the responsible person in the conditions of municipalities and cities.

What does it mean that I am obliged to publish the contact details of the responsible person and notify them to the office? Which ones are they? adjusted

The contact details of the responsible person are the data through which the operator/intermediary and anyone from the outside, but especially the affected persons, can communicate with the responsible person. It is usually an e-mail address, a telephone contact, or a specific address, if the responsible person can be reached there.

It is not necessary that the contact data directly contain the name and surname of the responsible person; for example, the responsible person's contact details could look like this:

responsibleperson@nazovfirmy.sk, or the English variant dpo@názovfirmy.sk (from the English Data Protection Officer, DPO), a mobile or landline contact, and possibly a contact at the operator, e.g. the door number where the responsible person can be found at the specific operator.

The method of publication is left to the operator/intermediary. However, it is important that the disclosure helps the responsible person to be easily accessible to all interested parties.

Notification of the name/title of the responsible person to the supervisory authority is necessary so that the responsible person can serve as a point of contact between the organization and the supervisory authority. You can find more information on reporting a responsible person to the office at this link: Reporting a responsible person in the field of personal data protection.

You can find more information in the document Guidelines regarding responsible persons - section 2.6.

What position should the responsible person have within the operator/intermediary? adjusted

The responsible person is an advisory body that advises the operator/intermediary, helps, for example, with concluding intermediary contracts, and provides support and information when setting up the processing of personal data. The position of the responsible person should be independent and the operator should follow the responsible person's recommendations; if the operator does not agree with them, it should justify the different solution it implemented. The responsible person, especially if it is an internal employee, must not be in a conflict of interest (in this position it is most likely). This means that the responsible person should not be an employee who participates in or directly sets the purposes of the processing and is responsible for them. In simple terms, the responsible person should have an independent position and be like an "auditor" regarding the processing and supervision of personal data.

More information can be found in the document Guidance on responsible persons - part 3.

Does it still apply that the person in charge should have passed the exam at the office? adjusted

No, currently successfully passing the exam is no longer a condition for the authorization of the responsible person, and therefore the office does not conduct such exams.

What can be considered sufficient proof of the professional qualities of a person who is applying for the position of responsible person with me? adjusted

Assessing and evaluating these qualities is the responsibility of the operator/intermediary. Proof of sufficient expertise of the responsible person may take the form of documents on education (if this education is relevant to the performance of this position), documents on the completion of educational courses, or current work in the position of responsible person. The Regulation does not define what specifically the operator/intermediary should demand from the future responsible person, i.e. if the operator/intermediary so decides, it can, for example, test the potential responsible person.

You can find more information in the document Guidelines regarding responsible persons - section 2.5.

Can the operator/intermediary authorize several responsible persons?

The Regulation does not directly prohibit the operator/intermediary from having several responsible persons authorized. However, if there are more of them, each of them must be able to cover all their duties, and the operator/intermediary must report the contact details of all responsible persons to the office.

There are also new fee-based institutes in the Regulation, such as codes of conduct and certificates. Are these mandatory for everyone?

No, joining the code of conduct or obtaining a certificate is voluntary.

How does the control by the office take place? adjusted

The inspection can be regular or extraordinary. As part of a regular inspection, the office, as the inspection body, is obliged to notify the specific operator/intermediary (the inspected person) at least 10 days before the inspection that an inspection will be carried out. If prior notification threatens to defeat the purpose of the inspection, the inspection notification will not be sent and the inspection body will give it only immediately before the inspection, on the spot.

Before the start of the inspection, the inspection body is required to present an authorization to carry out the inspection, and its members are required to identify themselves with service cards.

The authorizations and obligations of both the inspection body and the inspected person are contained in Act no. 18/2018 Coll., where you can familiarize yourself with them in detail.

The result of the inspection is a protocol (if the inspection revealed deficiencies) or a record of the inspection (if the inspection did not reveal a violation). The inspected person can object to the inspection findings in the protocol within 21 days from the date of delivery of the protocol.

You can find more information about the inspection at this link: Control of personal data processing.

How does the procedure for personal data protection take place? adjusted

According to the previous legislation, a separate proceeding on the protection of personal data was conducted, within which the office imposed measures, and the proceeding on a fine was a separate proceeding.

Since May 25, 2018, the office has conducted only one procedure on the protection of personal data, in which it decides on both measures and fines at the same time. There was also an extension of the time limits within which the office in the proceedings is obliged to issue a decision; the office will make a decision in the proceedings within 90 days from the date of the start of the proceedings, in justified cases the office will extend this period appropriately, but by no more than 180 days. The office informs the participants of the proceedings in writing about the extension of the deadline. It still applies that if an inspection is required as part of the procedure, then during the performance of the inspection, the time limits in the procedure are suspended/do not expire.

When filing an appeal, i.e. an appeal by a party to the proceedings against the decision of the office in the 1st stage, the appellant may expand or supplement the submitted appeal with another proposal or other points, but only within the period set for filing the appeal.

You can find more information about the personal data protection procedure at this link: Personal data protection procedure.

Are the EDPB guidelines legally binding? New

The main task of the EDPB is to ensure the consistent application of the Regulation within the European Union and the European Economic Area. It also fulfills this role by issuing guidelines and other documents to help operators or intermediaries with the application of the Regulation. The Office also has the task of enforcing the consistent application of the Regulation. As a member of the EDPB and as one of the subjects involved in the creation and approval of these documents, it proceeds in accordance with them in practice.

The guidelines represent so-called soft law, i.e. legal norms whose status is not the same as the status of primary or secondary law of the European Union, but which are generally respected in practice and applied by supervisory authorities for the protection of personal data.

Of course, deviations from what is written in the guidelines and other documents are possible, and these deviations are assessed case by case. However, the burden of proving that such a deviation does not undermine the consistent application of the Regulation, but contributes to a higher level of personal data protection, lies with the operator under the principle of accountability set out in Art. 5 par. 2 of the Regulation. The EDPB documents serve the operator/intermediary as an aid for knowing what requirements are placed on it in connection with, for example, a processing operation (camera monitoring) or a legal basis (e.g. consent), and thus for optimizing its processing of personal data.

As a company, we maintain a database of applicants, in which we also include unsuccessful applicants after the end of a specific selection procedure, if they have impressed us with their abilities, and we also add CVs to this database, which are sent to our company without a request, if the given person interests us based on the CV sent. On what legal basis can we create such a database, what will be the legal basis for processing personal data in it? What obligations do we have in relation to it towards the affected persons - applicants? adjusted

The applicant database is an initiative of the given company, i.e. the company (operator) has determined the purpose and means of processing CVs/personal data from them in the given records, and thus the company is also obliged to determine how long it will keep the given data in the given records.

In the event that the company includes in this database unsuccessful applicants from duly announced selection procedures for specific positions, it is necessary to ask them for their consent to be included in the database [Art. 6 par. 1 letter a) of the Regulation], as inclusion in the applicant database cannot be treated as a continuation of the pre-contractual relations from the specific selection procedure in which the person in question participated at the company and in which he or she was unsuccessful.

If it is a database/record containing the CVs of people who have sent them on their own initiative, you need to obtain consent from these candidates to store and process this data.


The employer is interested in introducing a new attendance system for employees. One of the alternatives is to combine the card with taking a photo at the time of shooting. Before we introduce such an attendance system, I would like to ask you for your opinion on such types of attendance systems from your point of view, as it would involve the creation of photos of employees when scanning the card. New

The Office currently takes the position that for the purposes of employees' attendance at work, in accordance with § 99 of the Labor Code, a minimum amount of data is required, namely the name, surname and date and time of the employee's arrival and departure to/from the workplace. The stated range of data is sufficient for the employer to fulfill the purpose pursued by this provision, namely the recording of working hours. Any other personal data such as the aforementioned photo is no longer necessary to achieve the purpose established by law, while the possible justification consisting in the fact that the method of "classic" attendance records (writing in a book, cards, etc.) is misused by employees is not sufficient. The office is currently of the opinion that it is a control mechanism of the employer, with which the employer tries to detect employees who abuse the originally set system.

For the introduction of the control mechanism, the operator must then fulfill not only the conditions according to the Regulation, but also according to § 13 par. 4 of the Labor Code.

The employer would like to introduce an attendance system, which would consist in recording the attendance of employees using a "fingerprint". What does the employer have to do in order to implement such attendance? New

The processing of personal data for the purpose of employee attendance records by the employer is the processing of personal data without the consent of the person concerned in accordance with § 99 of the Labor Code. The Labor Code does not imply an obligation to process the employee's biometric data for the purpose of attendance management, therefore the office is of the opinion that the operator (employer) will need another legal basis to process such personal data.

In the case of biometric data processing for the purpose of unique identification of the person concerned, processing is permitted only if a condition according to Art. 9 par. 2 of the Regulation is met, and at the same time the operator must have an adequate legal basis in accordance with Art. 6 par. 1 of the Regulation. In this context, the office points out that the only possible alternative in connection with the processing of personal data for the purposes of the biometric attendance system is the express consent of the employee pursuant to Art. 9 par. 2 letter a) of the Regulation.

Consent within labor relations will not be considered the most appropriate legal basis in every situation, due to the unequal relationship between employee and employer. The consent obtained in this way may not fulfill the basic requirement of voluntariness of the consent, which may cause the very invalidity of the granted consent [in the case of biometric data processing for the purpose of unique identification of a natural person according to Art. 9 par. 2 letters a) Regulations we are talking about explicit consent]. However, the mere existence of a legal basis is not enough, but it is also necessary to assess the necessity of personal data processing. The possibility of processing biometric data is subject to a strict assessment of necessity and adequacy, taking into account whether the intended purpose can be achieved by other, less intrusive intervention. If the benefit of introducing a biometric attendance system is to be, for example, only an increase in convenience, or only cost savings, in general, such a loss of employee privacy is not considered adequate. The proportionality of the interference with the rights of the affected person during the processing of the employee's personal data over the rights of the affected person will always be at the discretion of the employer himself.

Jurisprudence in the field of labor relations and the processing of biometric data of employees is not developed, and therefore situations where such interference with the rights of the affected person is appropriate will always be examined individually for specific cases in any administrative proceedings. An example can be laboratories, where it is necessary to prevent the unauthorized entry of persons into the facilities, due to the nature of the activity performed there. In such a case, however, we are not talking about an attendance system, but about a security element, when the processing of biometric data for the purpose of unique identification of a person entering such a space would be permissible from our point of view. On the contrary, the introduction of an attendance system, which processes biometric data generally for all employees only for the sake of cost savings, is not in accordance with the basic principles of personal data processing (Article 5 of the Regulation).

You can find more information in the document Opinion on data processing at work and Guidelines for consent according to regulation 2016_679.

Does the working time register, i.e. data on the time when individual workers start and end their shift, as well as data on breaks or time that is not included in working time, constitute personal data? New

Yes, such a register represents personal data subject to the personal data protection rules under the Regulation.

I work in a company where there is a list of employees in the internal information system, where presence at the workplace, PN, OĆR, doctor, vacation, etc. is recorded online. This list is freely accessible to all employees. Is this in accordance with the applicable legal regulations? New

Based on the situation described by you, in general, it could be a violation of the principle of minimization and integrity and confidentiality of data processing [Art. 5 par. 1 letter c) and f) of the Regulations - personal data must be adequate, relevant and limited to the extent necessary in view of the purposes for which they are processed; processed in a way that guarantees adequate security of personal data, including against unauthorized or illegal processing...], probably to the extent that this information may not be available to all employees, but, for example, only HR personnel and employees' superiors. This conclusion may not be applicable to all attendance management situations, as it is up to the operator to justify why (for what purpose,

You can find more information about these principles in the document Guidelines for Article 25 - Specific Design and Standard Data Protection - Section 3.5 and 3.8.

The business company uses an external company performing activities in the field of recruiting employees to recruit employees. The process looks like this: the business company approaches the recruiting company for cooperation in a specific recruitment, they enter the parameters of the employee they are looking for. The recruiting company then starts recruiting employees, i.e. it advertises the desired employee profile, collects the relevant resumes, and then forwards suitable candidates and their resumes to the business company. What position does the recruitment agency have in terms of processing personal data vis-à-vis the commercial company as its client (operator - operator, operator - intermediary, or joint operators)? (it obtains personal data about potential candidates on the basis of a contract for the provision of recruitment services with a commercial company as its client). Is it necessary to conclude a contract with the recruiting agency on the processing of personal data in accordance with Art. 28 Regulations et seq.? New

The personnel agency is regulated by Act No. 5/2004 Coll. on employment services and on the amendment of certain laws (hereinafter referred to as the "Employment Services Act") as a "legal person or natural person who performs activities under this Act, in particular employment mediation for payment", and therefore provides its services on the basis of § 32 para. 1 of the Employment Services Act, while

  1. searches for employers for job seekers or job seekers and/or
  2. searches for employees for potential employers.

In the first case, it appears that the personnel agency as well as the potential employer are in the position of independent operators.

In the second case, we draw your attention to the Guidelines on the concepts of operator and intermediary according to the General Data Protection Regulation, specifically Example: Recruitment agencies on pages 24-25. From the given example, it follows that the personnel agency is considered to be the operator and, together with the potential employer, controls at least those sets of operations that relate to the recruitment of new employees for this potential employer. In this case, they will be joint operators according to Art. 26 of the Regulation.

However, if the personnel agency also used the personal data of the persons concerned who contacted it in accordance with point 1 when searching for employees for a potential employer, it is necessary that the independent operator has an adequate legal basis for such a processing operation (provision of personal data) and at the same time that the joint operator has an adequate legal basis for processing the personal data obtained in this way.

The same principle applies if joint operators want to use the obtained personal data for other employers or for themselves as an independent operator. For the related provision of personal data, the existence of an adequate legal basis is necessary, and at the same time it is necessary that the other operator (possibly joint operators) has an adequate legal basis for processing the personal data obtained in this way.

To summarize:

  1. If the recruitment agency is approached by a job seeker or job seeker, the recruitment agency is in the position of an independent operator.
  2. If a recruitment agency is approached by a specific employer:
     1. when obtaining and further processing personal data for a specific employer, the personnel agency and the specific employer are in the position of joint operators;
     2. if it uses the data obtained according to point 1 for this employer - it is the provision of personal data from a separate operator for a joint operator - in this case it is necessary to ensure the legality of such processing (in particular, determine the appropriate legal basis for processing);
     3. if it uses personal data obtained as joint operators for other operators (joint operators) - in this case, it is necessary to ensure the legality of such processing (in particular, determine the appropriate legal basis for processing).

Based on the above, it is necessary for the personnel agency to implement adequate security measures to prevent illegal processing of personal data and, in accordance with the above, to ensure the fulfillment of the information obligation.

When ordering a masseur or hairdresser, is it necessary to give consent to this entrepreneur/company providing these and similar services? What is the legal basis for the processing of any personal data by these operators? adjusted

Performing a manicure, pedicure, haircut, or similar is the provision of a service; that is, a contractual relationship is created between the customer and the service provider (manicurist, hairdresser, etc.). Even if the contract is not written, it will be a so-called unwritten contract, which can also include the processing of personal data when subscribing to such a service. If, for example, a hairdressing salon/hairdresser registers orders under the customer's name, surname and phone number, it processes the personal data of the customer (natural person) in the position of the operator. Since it is an order for a certain service that is to be performed for the benefit of the customer, as a rule the customer's consent is not necessary for the processing of the customer's personal data for the purposes of the order and the performance of the ordered service, since the personal data is processed in the "regime" of pre-contractual/contractual relations, that is, according to Art. 6 par. 1 letter b) of the Regulation, not on the basis of customer consent.

However, if the service provider also uses, for example, various questionnaires that ask about the customer's state of health or allergies, or what medicines he is taking, this involves the processing of health-related data. Since this is a special category of personal data that is protected more strictly, it is necessary that, in addition to having the legal basis specified in Art. 6 par. 1 of the Regulation, the service provider also fulfills one of the exceptions in Art. 9 par. 2 of the Regulation. A suitable legal basis could be the express consent of the person concerned.

It is also necessary that the operator fulfills the information obligation in relation to the customer in accordance with Art. 13 and 14 of the Regulation, for example by publishing it on its website or otherwise demonstrably, transparently and comprehensibly in accordance with Art. 12 par. 1 Regulations.

Another situation is if, for example, a hairdressing salon wants to reach out and send newsletters/service offers, discounts/advertising materials to those who show interest in it through a mobile application or by signing up for a subscription through its website. If, for the purpose of sending offers, the operator (hairdressing salon) collects, for example, name, surname, e-mail address and telephone number, such sending is based on the consent of the person concerned, the person interested in receiving the offers. If the recipient of the offers was already a client of the given hair salon (operator), legitimate interest could also be used as a legal basis for sending offers [Art. 6 par. 1 letter f) of the Regulation], where the legitimate interest would be a precisely defined purpose of personal data processing, for example "improvement and personalization of services to long-term customers". In this case, however, the hairdressing salon must provide, with each sent offer, a simple way of exercising the right to object according to Art. 21 par. 3 of the Regulation.

In the case of a legitimate interest, it is always necessary for the operator who wants to use the legitimate interest as a legal basis for personal data processing to define/specify it; it is not enough if the operator, for example, in the records of processing activities (according to Article 30 of the Regulation) only states that the legal basis of processing is Art. 6 par. 1 letter f) of the Regulation. The interests or basic rights and freedoms of the data subject must not prevail over the interests of the operator.

Also, in the case of sending offers either on the basis of consent or on the basis of a specific legitimate interest, it is necessary for the operator to fulfill the information obligation according to Art. 13 or 14 of the Regulations.

Our facility provides accommodation for people, we keep a register of those accommodated, what is the legal basis for processing personal data in this register?

The processing of personal data of accommodated guests in the book of accommodated guests is regulated as an obligation according to § 24 par. 1 of Act no. 253/1998 Coll. on residence reporting, according to which "Natural persons and legal entities that provide services on the basis of an accommodation contract are obliged to keep a book of accommodated persons, which contains data on the name and surname of the person accommodated, the number of their identity card or travel document, the address of permanent residence and the period of accommodation.". This provision of a special law is the legal basis for processing; within the framework of the Regulation, the legal basis is the legal obligation arising from the above-mentioned law, i.e. Art. 6 par. 1 letter c) of the Regulation. Since this obligation for the operators of accommodation facilities follows from the act on residence reporting, it is not necessary or appropriate to ask the accommodated guests for consent to such processing; they are obliged to tolerate the provision of data to the entity in which they are accommodated, to the extent that follows from the act on residence reporting. It should be added that persons providing accommodation (operators) must fulfill their obligation to provide information to accommodated guests according to Art. 13 or 14 of the Regulation, for example by publishing it on their website, or by stating it in writing at the reception, or otherwise appropriately so that the persons concerned.

It is also immaterial whether the accommodation establishment keeps the book of guests in paper or electronic form, or both; the legal basis of processing is the same, only the means of processing are different/dual. In both cases it concerns the processing of personal data for the purpose of a special law on residence reporting, where we do not recommend requiring consent from the accommodated persons for this purpose, as it would unnecessarily lead to the accumulation of legal bases, which in this case is neither desirable nor necessary.

In our company, we have a form set up by which we obtain the name, surname, telephone number and e-mail address from people for the purpose X, but it happens that people take the initiative to provide us with other, unsolicited personal data in a note/elsewhere in the form. What should we do with such redundant personal data?

The operator has determined the purpose of processing personal data specifically and has determined that, in accordance with the principle of necessity and expediency, it needs specific personal data (for example, name and surname and telephone contact) for this processing, i.e. it has the relevant legal basis ONLY for processing these data; for other personal data, provided on the data subject's own initiative beyond the required data, it has no legal basis. It is therefore necessary for it to dispose of the personal data obtained (on the data subject's own initiative) beyond the scope of the purpose defined by it and not to process them. It is advisable to proactively state, for example in the form of a notice on the given form, that unsolicited data provided on the data subject's own initiative will be disposed of. In relation to the data whose processing was originally intended, the operator must not forget to fulfill the information obligation towards the affected persons according to Art. 13 or 14 of the Regulation.

On the basis of the sales contract, I am going to buy an apartment through a real estate agency, in the draft contract that I received from the real estate agency, there is also a provision according to which "I give my consent to the processing of my personal data for the purpose of buying an apartment, and the consent itself is formulated in the text of the contract". Is such a procedure correct?

The stated consent in the contract in this particular case appears to be inconsistent with the Regulation. If personal data is processed on the basis of a contract in which one of the parties is the data subject and the other party is, for example, a real estate agency, then the processing of the personal data specified in the contract is carried out within the given contractual relationship, i.e. in accordance with Art. 6 par. 1 letter b) of the Regulation, and not on the basis of consent pursuant to Art. 6 par. 1 letter a) of the Regulation. It is advisable that such a statement and consent, if mentioned in the contract, be removed from the text of the contract.

As a parent, do I have the right to be informed about my child's academic progress (in person, via the electronic student record book), since I encountered the fact that the school makes my access to my 17-year-old daughter's grades subject to her consent?

The processing of personal data of a specific student and his grades is regulated by Act no. 245/2008 Coll. on Education (Education Act). We particularly draw attention to § 144 par. 6 letter c) of the Education Act. This provision of the Education Act gives the legal representative (i.e. the parent of a person under 18 years of age, unless the person has reached the age of majority by marriage) the right to get acquainted with the academic results of their child, the child in their charge: "The legal representative of the child or pupil or the representative of the institution has the right to be informed about the educational results of your child,...". It can also be assumed that, since according to § 144 par. 6 letter c) of the Education Act the legal representative has the right to learn about the child's academic results, when the child reaches the age of majority the parent automatically no longer has this right, as he is no longer the child's legal representative, i.e. to be provided with specific grades/information about the results of a child/student aged 18+, the parent will need the child's consent, on the basis of which the school will make the results available to him. Such a premise is not directly stated in the Education Act; it follows from the wording only indirectly. Since the office is not responsible for the Education Act, our above-mentioned opinion must be confirmed by the authority responsible for the law, which is the Ministry of Education, Science, Research and Sports of the Slovak Republic.

My child is supposed to go to school in nature. At the parents' association, our school asked us to fill out a questionnaire about the child's health for the school, to which we gave consent for the processing of the above-mentioned sensitive personal data about the children's health. Is such a request by the school for information about the health status of the child justified? Is the legal basis for processing (consent for the school) determined correctly by the school? adjusted

According to § 11 par. 6 of Act no. 245/2008 Coll. on education and training and on the amendment and supplementation of certain laws (hereinafter referred to as the "School Act") schools and educational facilities have the right to obtain and process personal data about children and pupils in the scope of: name, surname, date and place of birth, place of residence, social security number, nationality, nationality, physical health and mental health, mental level, including the results of pedagogical-psychological and special pedagogical diagnostics, identification of legal representatives of the child or pupil (title, first and last name, maiden name; capacity for legal acts; residential address and type of residence; prohibition of residence; and contact for the purposes of communication; and attaining education).

According to § 112 of the Education Act, the system of school facilities consists of: school educational facilities, special educational facilities, school facilities for educational counseling and prevention, special purpose school facilities. Pursuant to § 137 of the Education Act, a purpose-built school facility is a school in nature, school catering facilities, and a school service center.

It follows from the above that the school attended by your child is directly authorized by the School Act to obtain and then further process personal data of children and pupils about their health status, i.e. the consent of the parents to provide the above-mentioned personal data about the child is not necessary (is redundant), because the requirement of legality of such processing of personal data according to Art. 6 and 9 of the Regulation is fulfilled directly by the provisions of § 11 par. 6 of the Education Act. Thus, the parent has the obligation, if requested, to provide the necessary personal data of the child, so that the school in nature takes place without problems and, in the event that any occur, the school has the necessary health information regarding the child, which may be life-saving for the child if something were to happen at the school.

If the accommodation facility where the outdoor school will be held is directly included in the network of school facilities, the aforementioned "no-consent regime" applies to the provision of personal data about the child's health also to this facility.

Once again, the operator (school, school facility) is obliged to fulfill the information obligation towards the affected persons according to Art. 13 or 14 of the Regulations.

We ask for information under which conditions and valid legislation the founder (municipality) can install a camera system in the kindergarten building - children's dining room and playground. Is the written consent of all parents and school employees necessary for this? Can the founder install a camera system even if an employee or parent does not agree? Does the founder have the right to carry out the installation even if he does not have a serious reason to do so? adjusted

The processing of personal data by camera is a processing activity that needs its legal basis, while consent is only one of the options. Consent is characterized by the fact that in order to form an effective legal basis for processing, it must be granted voluntarily and unconditionally. In this context, however, it would mean that all parents, including the teaching staff (that is, everyone caught on camera), would have to give their consent. It would be enough for one parent or teacher not to grant, or to revoke, consent, and the operator would not have a legal basis for recording with a camera, i.e. he would be filming this particular person illegally.

In the case of using the legal basis according to Art. 6 par. 1 letter f) Regulations - legitimate interest, it is necessary to assess the legitimacy of monitoring based on several criteria, which we present below.

In this context, we point out the requirement of the existence of a legitimate interest and its relevance, it cannot be a fictitious or speculative legitimate interest. There should be a genuine emergency – such as damage or serious incidents involving children in the past that occurred before monitoring began.

The second criterion for assessing the legitimacy of interests consists in assessing the necessity of personal data processing. Under normal circumstances, we do not consider the monitoring of school classrooms and the school playground to be adequate. In this case, the interests, rights and freedoms of children prevail over the legitimate interests of the operators. In certain specific situations, it will be possible to use legitimate interest as a legal basis for monitoring, even only for a strictly defined period of time, until the purpose of monitoring is achieved. The existence of legitimate interests of operators, as well as the necessity of monitoring, must be carefully assessed and documented. An important aspect is also the predictability of processing (proving that the purpose cannot be achieved in other, less invasive ways – by increasing the number of teachers or randomly checking teachers during breaks in the classroom). For these reasons, we are of the opinion that in this context it cannot be a common practice to install a camera system in school classrooms and on school playgrounds or courts, and that the legal basis of legitimate interest can be used in justified extreme situations.

The result of the assessment of the legitimacy of the interests will depend on the specific situation and its seriousness (based on objective evidence).

For more information on impact assessment, see the Guidance document on impact assessment on data protection and determining whether processing is “likely to lead to high.

You can find out more information about video surveillance in the document Guidelines for the processing of personal data through camera devices_v 2.1.

Here are the important parts from the above Guideline:

Point 37: For example, an employee at his workplace does not expect the employer to monitor him in most cases. In addition, monitoring is not expected even in one's own private garden, living space, or in a doctor's office or infirmary. Similarly, it is not reasonable to expect monitoring in hygiene or sauna facilities - monitoring in such spaces is a serious violation of the rights of the person concerned. It is the reasonable expectation of data subjects that no camera monitoring will be carried out in such premises. On the other hand, a bank customer can expect to be monitored in the interior of the bank or at the ATM.

Point 38: Affected persons can also expect not to be monitored in publicly accessible places, especially if these places are usually used for recovery, regeneration and leisure activities, as well as in places where people hang out and/or talk, such as seating areas, tables in restaurants, parks, cinemas and fitness facilities. In this case, the interests or rights and freedoms of the person concerned often prevail over the legitimate interests of the operator.

When you enter my name in the Internet browser, you will find in the report my full name, date of birth and also my financial situation. The bankruptcy register thus publishes the entire procedure of my debt relief without any protection. New

In relation to the publication of personal data on the website of the Ministry of Justice of the Slovak Republic in connection with the register of bankrupts, this is done in accordance with Act no. 7/2005 Coll. on bankruptcy and restructuring as amended. This law regulates the register of bankrupts in § 10a, while in the opening sentence it stipulates that this register is made available on the website of the ministry. According to the provisions of § 10a par. 2 letter a) point 4.1., data on proceedings pursuant to this Act are published in the register of bankrupts to the extent of the designation of the petitioner and the debtor, if it is a natural person, first name, last name, date of birth and place of residence. If you believe that the Ministry is proceeding in violation of a special regulation that specifies processing as well as the Regulation, we recommend that the affected person first of all exercise the rights of the affected person with the Ministry as the operator.

As a data subject, you can apply to the operator of the affected internet browser for the right to delete personal data from the search results through a form intended for that purpose, in which you provide the operator with the specific links in relation to which you exercise your right to deletion. Regarding, e.g., the Google browser, you can exercise your right through this form.

You can find more information in the document Guidelines on the criteria for cases of exercising the right to be forgotten in search engines under the General Data Protection Regulation.

Can I request to be deleted from the credit register when all loans and credits have been repaid? It's just that it hasn't been 5 years since the repayment and I have some installments when I was late. New

In the event that the processing of personal data results from the law, the operator does not have to comply with the request for deletion of personal data. According to § 7 par. 13 of Act no. 129/2010 Coll. on consumer credits and other credits and loans for consumers and on the amendment of certain laws, "data on the consumer and his consumer credits provided to the register by the creditor shall be kept in the register for five years from the termination of the consumer's obligations from consumer contracts towards the creditor. The creditor is obliged to provably state in the register the date of termination of the consumer's obligations from the consumer loan agreement.". In other words, if the processing of personal data in the credit register is regulated by a special law that regulates the obligation to process personal data, the provisions on the obligation to delete personal data according to Art. 17 of the Regulation do not generally apply to such situations. In this case, the operator will be obliged to delete personal data from such a register after the expiry of the statutory period.

Anyone can retrieve data about any property, including its owners and their date of birth, from the cadastral portal. How is that even possible? New

The legal basis for the processing of personal data in the information system of the real estate cadastre, as stated by the operator, the Office of Geodesy, Cartography and Cadastre of the Slovak Republic, in its information obligation (pursuant to Article 13 of the Regulation), is the fulfillment of the legal obligation imposed on this operator by Act no. 162/1995 Coll. on the real estate cadastre and on the registration of ownership and other rights to real estate (cadastral law), as amended (hereinafter referred to as "Act No. 162/1995 Coll.").

The legislator decided to publish the personal data that are published on the aforementioned real estate cadastre portal due to the public interest, which monitors the protection of the rights of owners to owned real estate, tax and fee purposes, valuation of real estate, especially land, protection of agricultural land fund and forest land fund, creation and protection of the environment, protection of mineral wealth, protection of national cultural monuments and other cultural monuments, as well as protected areas and natural creations.

The fact that personal data is published in this way does not mean that they lose the status of personal data according to Art. 4 par. 1 of the Regulation. If a third party (an operator different from the Office of Geodesy, Cartography and Cadastre of the Slovak Republic) wants to process the personal data published and obtained in this way for its own purposes (other than those stipulated in Act no. 162/1995 Coll.), it also needs to fulfill at least one of the conditions according to Art. 6 of the Regulation. If such an entity were to process personal data obtained from the real estate cadastre portal without fulfilling a condition under Art. 6 of the Regulation, it would violate the basic principle of legality [Art. 5 par. 1 letter a) of the Regulation].

Please, I would like to know to what extent there is a violation of the Regulation when state license plates of motor vehicles are published on a publicly available page used for reporting initiatives to the local government. This is mainly the publication of wrecks and long-term parked vehicles.

The EČV (vehicle registration number) is a unique mark associated with a specific vehicle. In this case, an individual may be identified indirectly, because the mark allows the individual to be distinguished from others (specific selection). Even where the range of available identifiers does not allow anyone to single out a specific person at a glance, that person may still be "identifiable", because the information in combination with other information (whether or not this other information is held by the operator) makes it possible to distinguish the individual from other persons. Currently, we are inclined to the opinion that the processing of the EČV results in the processing of personal data (especially in combination with other information, such as geographic information, information about the manufacturer, model and color). This is one of the cases where a name is not necessary to identify an individual.

In this context, we draw attention to the judgment of the CJEU in case C-582/14 dated 19.10.2016 (especially points 41, 43, 45 and 46). Under the conditions of the Slovak Republic, there are entities that maintain the EČV database for the identification of a natural person. It is objectively possible to expect that anyone can use the possibility to identify a natural person on the basis of the EČV through such entities, within the framework of judicial or extrajudicial proceedings, in order to assert their own legal claims. In terms of the above-mentioned judgment, the condition is met when there are legal means on the basis of which the operator can identify the affected person to whom the EČV relates, thanks to additional information that the operator does not have directly in its environment.

The choice of legal basis for processing personal data is solely up to the operator. The very legality of personal data processing in publicly available places on the Internet may depend on several factors. In many cases, the protection of personal data according to the Regulation overlaps with the protection of personality according to § 11 of Act no. 40/1964 Coll. One of the determining factors (but not the only one) will be an assessment of whether the publication of personal data results in the processing of personal data in the capacity of an operator according to the Regulation, or whether you perform such a processing operation as a natural person exempted from the material scope of the Regulation [e.g. according to Art. 2 letter c), processing by a natural person as part of exclusively personal or domestic activity is excluded from the scope of the Regulation]. As the CJEU has already concluded several times in the past that the publication of personal data on the Internet does not fall under this exception, the processing of personal data by publication on the Internet will, in accordance with Art. 6 of the Regulation, be legal only if at least one of the conditions listed there is met.

Our company needs to send personal data of employees to our parent company, which is in the USA. How should I proceed when transferring personal data to the USA?

If the operator plans to transfer personal data to third countries (outside EU and EEA member countries), it is necessary, in addition to fulfilling the conditions in Art. 6 par. 1 of the Regulation (or Article 9, paragraph 2 of the Regulation), to fulfill the additional conditions set out in Chapter V of the Regulation. In any case, transfers may only be carried out in full compliance with the Regulation. The transfer should only take place if, subject to other provisions in the Regulation, the operator has fulfilled the conditions set out in the Regulation regarding the transfer of personal data. The need to meet these additional conditions results primarily from the fact that different legal regulations on personal data protection apply in third countries, and these may not ensure a level of protection essentially equivalent to that provided within the EU/EEA.

Since the USA is not one of the countries for which there is currently an adequacy decision issued by the European Commission (the Privacy Shield decision was annulled by the CJEU decision in the Schrems II case on July 16, 2020), it is necessary to choose another appropriate transfer tool from Chapter V of the Regulation. In addition, it is necessary to inform your employees about the transfer to the USA.

You can find out more information about transfers at this link: Transfer to countries that do not guarantee an adequate level of protection.

You can find more information on transfers to the US after the repeal of the Privacy Shield decision in the document Frequently Asked Questions on the judgment of the Court of Justice of the European Union in case C-311/18 - Data Protection Commissioner/Facebook Ireland and Maximillian Schrems.

You can find more information on reporting on the transfer in the document Guidelines for transparency – part of the appendix.

Is obtaining consent for necessary cookies through a web browser sufficient in terms of the currently valid legislation? Is it necessary to request special consent of the person concerned for the so-called advertising and other types of cookies?

In the case of essential cookies, i.e. in accordance with the last sentence of §109 par. 8 of Act 452/2021 Coll. on electronic communications, consent is not required.

In the case of advertising cookies and other types of cookies, in accordance with the first sentence of §109 par. 8 of Act 452/2021 Coll. on electronic communications, it is necessary to obtain consent according to the requirements of the Regulation. Such cookie-specific requirements are, for example:

  • fulfillment of the information obligation when obtaining consent (Article 13 of the Regulation),
  • the obligation to also provide the possibility of refusing consent at the same level as "I agree",
  • determination of a reasonable period of validity of consent/disagreement and its re-acquisition/confirmation,
  • provision of information about the purpose and recipients of personal data before consent is granted.

In accordance with the jurisprudence of the CJEU (C-673/17 - Planet49), the EDPB guidelines for consent were also changed. The first change concerns validly granted "free" consent in the case of so-called cookie walls (changes were made in points 38-41). Emphasis is placed on the freedom of choice of the affected persons to access services on the Internet; enabling access to a website only after the visitor clicks to consent to cookies cannot be considered validly granted consent. The second significant change concerns scrolling or swiping on the Internet, which cannot be considered a clear and affirmative expression of will (point 86 of the consent guidelines). Even in this case, it is necessary to obtain valid consent in a different way, as such activities cannot be distinguished in practice from normal use of the Internet.

As for consent to the use of cookies given through the relevant settings of the browser or computer program, obtaining consent in this way is also possible. However, we recommend that you make sure that such browser settings meet the requirements for the quality of the consent granted under the Regulation, as explained in more detail in the EDPB guidelines on consent. The obligation to have a valid legal basis for processing personal data lies with the operator, in line with the principle of accountability in Art. 5 par. 2 of the Regulation; browser or software providers do not necessarily pay attention to the obligations that operators have under the Regulation.

You can find more information in the document Guidelines for consent according to regulation 2016_679.

Our company wants to start using cloud services. What should be included in the contract with the cloud service provider in order to have everything in order?

The basic relationship in the provision of cloud services is that between the operator (the customer) and the intermediary (the provider of cloud services). It is necessary to conclude an intermediary contract. It is also necessary for the customer to choose a cloud service provider that guarantees compliance with legal regulations in the field of personal data protection. It is important not to forget to ensure compliance if personal data is transferred outside the EU.

However, there may also be situations in which, depending on the circumstances, the cloud service provider may be considered an operator (or one of the joint operators) in its own right. This can be the case if the provider processes personal data for its own purposes, i.e. purposes that the customer did not request, or if customers have no room to negotiate the contractual conditions of using these services.

More information can be found in the document Guidance on the concepts of operator and intermediary under the General Data Protection Regulation – Example: standardized cloud storage service.

You can find out more information about the mediation agreement at this link: Standard contractual clauses - mediation agreement.