Data protection law - An Introduction

Slovakia

Act No 428/2002 on the Protection of Personal Data

NATIONAL COUNCIL OF THE SLOVAK REPUBLIC

Act No. 428/2002 Coll. on Protection of Personal Data,
as amended by the Act No. 602/2003 Coll., Act No. 576/2004 Coll.
and the Act No. 90/2005 Coll.

FULL WORDING

The National Council of the Slovak Republic has approved the following Act:

PART ONE

BASIC PROVISIONS

Object and Operation

Section 1

(1) This Act regulates

a) protection of personal data of natural persons in the course of their processing,

b) principles of personal data processing,

c) security of personal data,

d) protection of the rights of data subjects,

e) transborder personal data flow,

f) registration and keeping of records of filing systems,

g) establishment, status and scope of powers of the Office for Personal Data Protection of the Slovak Republic (hereinafter the “Office”).

(2) This Act applies to the state administration authorities, territorial self-government authorities, other public authority bodies, as well as to other legal and natural persons, which process personal data, determine the purpose and means of processing or provide personal data for their processing.

(3) This Act also applies to the controllers, which do not have their registered office or permanent residence on the territory of

a) the Slovak Republic but are located abroad at a place, where the laws of the Slovak Republic take precedence based on an international public law,

b) a Member State of the European Union, provided that for the purposes of personal data processing they use fully or partially automated means or other than automated means of processing located on the territory of the Slovak Republic, while such means of processing are not used solely for the transfer of personal data through the territory of the Member States of the European Union; in such case the controller shall proceed pursuant to Section 23a Paragraph 3.

(4) This Act applies to the personal data systematically processed by fully or partially automated means of processing or by other than automated means of processing, which constitute a part of a filing system or are intended for processing in a filing system.

Section 2

(1) Provisions of Section 5 Paragraph 4, Section 6 Paragraphs 1 to 4, Section 10 Paragraphs 1, 2 and 8, Section 20 Paragraph 1, Section 27 and Section 32 shall not apply to the processing of personal data necessary for safeguarding of the public interest, provided that the controller fulfils the obligations expressly stipulated by a special Act determined for safeguarding of

a) security of the Slovak Republic,

b) defence of the Slovak Republic,

c) public policy and security,

d) preventing, precluding, detecting and documenting of criminal offences, disclosing their perpetrators, investigating and prosecuting of criminal offences,

e) important economic or financial interests of the Slovak Republic or of the European Union, including monetary, budgetary and taxation matters,

f) inspection, internal supervision, external supervision or regulatory function connected with exercise of official authority in cases referred to in Subparagraphs c), d) and e), or

g) protection of the data subject or of the rights and freedoms of others.

(2) Only a State authority established by a special Act1) may act as the controller of a register of persons sentenced by a final decision delivered by courts in the criminal proceedings, or of a register of persons against which a prosecutor or court delivered a final decision on conditional discontinuation of criminal prosecution or on approval of a conciliation.

Section 2a

This Act shall not apply to protection of personal data

a) processed by the natural person for his own needs within the framework of purely personal or household activities, like keeping a personal directory or correspondence,

b) which were obtained accidentally without prior determination of the purpose and means of processing, without the intent of their further processing in an organized system according to special criteria and which are not further systematically processed.

Definition of Terms

Section 3

Personal Data

Personal data shall mean any information relating to an identified or identifiable natural person, while such person is one who can be identified, directly or indirectly, in particular by reference to an identifier of general application or by reference to one or more factors specific to his physical, physiological, psychic, mental, economic, cultural or social identity.

Section 4

(1) For the purposes of this Act:

a) processing of personal data shall mean any operation or set of operations which is performed upon personal data such as obtaining, collection, recording, organization, adaptation or alteration, retrieval, consultation, alignment, combination, transfer, use, storage, destruction, transmission, provision, making available or making public,

b) provision of personal data shall mean submitting of personal data for their processing to another controller or to the controller’s representative or his processor,

c) making personal data available shall mean disclosing of personal data or making them available to another legal or natural person, except for the data subject or the entitled person, who will not process them like a controller, controller’s representative or processor,

d) making personal data public shall mean publication or displaying of personal data in public by means of the mass media, publicly accessible computer networks, creating or exhibiting a piece of work in public, public announcement, presenting on a public list, register or file, their placing on an official board or other publicly accessible place,

e) destruction of personal data shall mean liquidation of personal data by breaking them down, erasing them or by physically destroying material carriers in the manner precluding reproduction of the personal data,

f) blocking of personal data shall mean putting personal data in such state, in which they are not available and any handling is precluded,

g) filing system shall mean any structured set, system or database containing one or more personal data, which are systematically processed for the needs of achieving the purpose according to specific criteria and conditions, while using automated, partially automated or other than automated means of processing, disregarding the fact whether the system is centralised, decentralised or dispersed on a functional or geographical basis, e.g. card index, list, register, file, record or a system containing files, documents, contracts, certificates, references, assessments, tests,

h) purpose of personal data processing shall mean the aim of personal data processing that was previously explicitly specified or determined and is connected with certain activities,

i) the data subject’s consent shall mean any freely given specific and informed indication of his wishes by which the data subject knowingly signifies his agreement to personal data related to him being processed,

j) transborder personal data flow shall mean transfer of personal data outside the territory of the Slovak Republic by an entity which has its registered seat or permanent residence abroad or their exchange with such entities,

k) anonymous datum shall mean a personal datum adjusted in such manner that it cannot be matched with the concerned data subject,

l) address shall mean a set of data concerning the residence of a natural person, including the name of the street, house number, registration number of house, name of municipality, if appropriate name of a municipality part, postal code, name of district, name of state,

m) identifier of general application shall mean a permanent identification personal datum of the data subject securing its definiteness in filing systems,

n) biometric datum shall mean personal datum of the natural person based on which the person is clearly and unequivocally identifiable, e.g. fingerprint, palm print, analysis of DNA, DNA profile,

o) audit of the filing system security shall mean an independent expert evaluation of reliability and overall security of the filing system from the viewpoint of securing confidentiality, integrity and availability of the processed personal data,

p) third country shall mean a country which is not a member of the European Union,

r) public interest shall mean an important interest of the State pursued in the exercise of public authority, which overrides the legitimate interest of the natural person or several natural persons, brings financial or other benefit to other natural persons or to many of them and without pursuing of which an extensive or irrecoverable damages could be caused,

s) conditions of the personal data processing shall mean the means and manner of the personal data processing, as well as other requirements, criteria or instructions concerning the personal data processing or the taking of the actions serving for achieving the purpose of the processing, whether prior to the personal data processing or in the course of their processing.

(2) Controller shall mean a state administration authority, territorial self-government authority, other public authority body or legal or natural person, which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of the processing of personal data are regulated by a special Act, the controller shall be the authority determined thereby for fulfilment of the purpose of the processing or the authority, which fulfils the requirements stipulated by law. The same shall apply if so stipulated by the Directive of the European Communities and the European Union.

(3) Processor shall mean a state administration authority, territorial self-government authority, other public authority body or other legal or natural person processing personal data on behalf of the controller or controller’s representative.

(4) Entitled person shall mean any natural person disposing of personal data within the framework of his employment relationship, civil service employment relationship, civil service relationship, membership, based on authorization, election or appointment or within the framework of performance of a public office, who may process personal data only upon instruction of the controller, controller’s representative or processor, unless otherwise stipulated by this Act or by a special Act.

(5) Data subject shall mean any natural person whose personal data are processed.

(6) Controller’s representative shall mean a legal or natural person representing the controller on the territory of the Slovak Republic, while the controller has his registered office or permanent residence in a third country.

(7) Third party shall mean a state administration authority, territorial self-government authority, other public authority body or any legal or natural person other than the data subject, controller or controller’s representative, his processor and their entitled persons.

(8) Recipient shall mean a state administration authority, territorial self-government authority, other public authority body or other legal or natural person, to which the personal data were provided or made available; the controller authorized to process personal data under Section 2 Paragraph 1 Subparagraph f) and the Office fulfilling the tasks stipulated by this Act shall not be deemed a recipient.

PART TWO

RIGHTS, OBLIGATIONS AND RESPONSIBILITY
IN THE PROCESSING OF PERSONAL DATA

CHAPTER ONE

PRINCIPLES OF THE PROCESSING OF PERSONAL DATA

Section 5

Controller and Processor

(1) Personal data may be processed only by the controller or processor.

(2) Processor shall be entitled to process personal data only in the extent and under conditions agreed upon with the controller in a written contract or written authorization. The processor shall be entitled to process personal data only in the extent and under conditions agreed upon with the controller, or with another processor, provided that the controller gives consent to it in a written contract or written authorization.

(3) While selecting the processor the controller shall, in particular, mind his/her guarantees in the field of technological, organisational and personal safety measures (Section 15 paragraph 1). The controller may not entrust personal data processing to a processor if that could present a risk to the rights and law protected interests of data subjects.

(4) If the controller tasked the processor with the processing after acquiring personal data he should inform the data subjects of this fact during the next contact, however, not later than three months from the day of tasking the processor. This shall also apply when data processing is taken over by another controller.

(5) The controller’s representative shall be obliged to act within the scope of the controller’s rights and obligations stipulated by this Act. The provisions of this Act under which the Office imposes on the controller to do something, refrain from doing something or bear something, shall apply to the controller’s representative accordingly.

Section 6

Basic Obligations of Controller

(1) The controller shall be obliged to

a) determine unambiguously and concretely the purpose of the processing of personal data before starting the processing of personal data; the purpose of the processing of personal data must be clear and it cannot be contrary to the Constitution of the Slovak Republic, constitutional laws, laws and international treaties binding for the Slovak Republic,

b) determine the means and manner of the processing of personal data, if appropriate other conditions of the processing of personal data,

c) obtain personal data solely for a defined or determined purpose; obtaining of personal data under the pretext of a different purpose or activity shall be inadmissible,

d) ensure that only such personal data are processed, the extent and contents of which correspond with the purpose of their processing and are necessary for achieving it,

e) obtain personal data separately for various purposes and ensure that personal data are processed and used solely in the manner adequate to the purpose for which they were collected; combining of personal data obtained for various purposes shall be inadmissible,

f) process only accurate, complete and, where necessary, updated personal data in respect of the purpose of their processing; the controller shall be obliged to block inaccurate and incomplete personal data and rectify or complete them without undue delay; inaccurate or incomplete personal data that cannot be rectified or completed in order to make them accurate and complete shall be clearly marked by the controller and destroyed as soon as possible,

g) ensure that the collected personal data are processed in the manner enabling identification of data subjects only during a time period necessary for achieving the purpose of processing,

h) destroy the personal data whose purpose of processing terminated; personal data may be further processed also after termination of the purpose of the processing only under conditions stipulated in Paragraph 3,

i) process personal data in accordance with morality and act in a manner not contrary to, or circumventing, this Act or other generally binding legal regulations; neither the controller may force data subject’s consent or make it conditional with a threat of rejecting the contractual relation, service, goods or duty of the controller or processor laid down by law.

(2) The controller shall be exempted from the obligation under Paragraph 1 Subparagraph a) only if the purpose of the processing of personal data is stipulated by a special Act in accordance with the conditions referred to in Paragraph 1 Subparagraph a). The controller shall be exempted from the obligation to determine the means and manner of the processing of personal data under Paragraph 1 Subparagraph b) only if they are stipulated by a generally binding legal regulation. The controller shall be obliged to fulfil the rest of the obligations under Paragraph 1 Subparagraphs c) to h) and i) of the part of the sentence before the semicolon also in the course of the processing of personal data pursuant to a special Act; this shall not affect the provision of Section 7 Paragraph 6 first sentence including its part after the semicolon.

(3) Further processing of the collected personal data for historical, scientific or statistical purposes shall not be deemed incompatible with the original purpose of the processing determined in accordance with Paragraph 1 Subparagraph a) or stipulated under Paragraph 2 first sentence. It is admissible to further process the collected personal data in the necessary extent for the historical, scientific or statistical purposes after termination of the original purpose of processing only provided that the controller

a) guarantees that he would not use the processed personal data contrary to the legitimate interests of the data subject and by his conduct he would not infringe the right to protection of data subject’s personal rights and privacy,

b) duly denotes such personal data and makes them anonymous as soon as possible or destroys them when they become useless.

(4) The controller who authorized the processor for processing of personal data shall be obliged to ensure that the processor fulfils the obligations under Paragraph 1 Subparagraphs c) to i) and Paragraph 3.

(5) In the case of doubts whether the extent, content and manner of processing or use of the processed personal data answer the purpose of their processing, whether they are compatible with the given purpose of processing or whether they are not up-to-date, as regards to the time and subject-matter, in respect to this purpose, the respective decision shall be made by the Office. The decision of the Office shall be binding.

Section 7

Consent of Data Subject

(1) Personal data may only be processed upon consent of the data subject, unless otherwise stipulated by this Act. This shall not affect the provisions of Paragraph 5 first sentence, Section 8 Paragraph 4 Subparagraph b), Section 9 Paragraph 1, Section 9 Paragraph 1 Subparagraphs b) and c), Section 10 Paragraph 6, Section 23 Paragraph 4 Subparagraph a) and Section 23 Paragraph 5.

(2) If the controller processes the personal data upon consent of the data subject, in the case of doubts he shall be obliged to prove to the Office, anytime upon its request, that he has such consent at his disposal. The consent shall be proven by an audio or audio-visual recording or by an affidavit of the person that provided the personal data to the filing system, or by another reliable manner. The controller shall prove to the Office that he was given a written consent by a document proving obtaining of such consent. The evidence of such consent shall be constituted above all by information who gave the consent, to whom it was given, for what purpose, a list or extent of personal data, validity term of the consent and the terms of its cancellation. A written consent without own signature of the person who gave the consent shall be invalid.

(3) The consent under Paragraph 1 shall not be required if personal data are processed pursuant to a special Act stipulating a list of personal data, the purpose of their processing and the group of data subjects. The processed personal data of the data subject may be provided, made available or made public in the filing system only if the special Act stipulates the purpose of provision, making available or public, a list of personal data that may be provided, made available or made public, as well as the third parties to which personal data are provided or a group of recipients to which personal data are made available, unless otherwise stipulated by this Act. This shall not affect the provision of Section 9 Paragraph 1 Subparagraph a).

(4) Personal data may be processed without consent under Paragraph 1 only if

a) the processing of personal data is necessary for the purpose of artistic or literary expression, for the purpose of informing the public by means of the mass media and if the personal data are processed by a controller for whom it results from the scope of his activities; this shall not apply if by the processing of personal data for such purpose the controller violates the data subject’s right to protection of his personal rights and privacy or if such processing of personal data without consent of the data subject is prohibited by a special Act or an international treaty binding for the Slovak Republic; or

b) the processing of personal data is necessary for the performance of a contract to which the data subject is party or in order to establish relations or take steps at the request of the data subject prior to entering into a contract; or

c) processing of personal data is necessary for protection of life, health or property of the data subject or of another natural person without legal capacity or physically unable to give a consent and a consent of his legal representative cannot be obtained; or

d) the subject of the processing is constituted solely by the title, name, surname and address of the data subject without a possibility of adding his other personal data and they are to be used solely for the controller’s needs concerning the mail correspondence with the data subject and the keeping of records of such data; if the scope of the controller’s activities is direct marketing, he may provide the above personal data, without a possibility of making them available and public only if they are to be provided to another controller whose scope of activities is also solely for the purposes of direct marketing and the data subject did not file an objection in writing under Section 20 Paragraph 3 Subparagraph c); or

e) the processed personal data have already been made public; in such cases personal data must be duly denoted; or

f) processing of personal data is necessary for fulfilment of an important task carried out in the public interest; or

g) processing of personal data is necessary for protection of statutory rights and legitimate interests of the controller or the third party, provided that in such processing of personal data the controller and the third party respect the fundamental rights and freedoms of the data subject and by their conduct they do not violate his right to protection of his personal rights and privacy.

(5) Personal data of the data subject may be obtained from another person and processed in the filing system only upon a prior written consent of the data subject. This shall not apply if by provision of the data subject’s personal data to the filing system the other person protects his statutory rights or legitimate interests or notifies of the facts justifying enforcing of the data subject’s legal liability or if personal data are processed pursuant to a special Act under Paragraph 3 or Section 9 Paragraph 1 Subparagraph a). The person processing personal data in this manner must be able to prove to the Office, anytime upon its requests, that he obtained them in accordance with this Act.

(6) A list of personal data under Paragraph 3 and Section 9 Paragraph 1 Subparagraph a) may be replaced by determining the extent of personal data only if individual personal data that are supposed to undergo the processing cannot be concretely determined with respect to the purpose of the personal data processing stipulated by a special Act; in such processing of personal data the controller shall be obliged to proceed pursuant to Section 6 Paragraph 1 Subparagraph d), with exception of those controllers who process personal data for the purpose of judicial proceedings and in connection with them. A list of third parties under Paragraph 3 and Section 9 Paragraph 1 Subparagraph a) may be replaced by determining a group of third parties only in the case that individual third parties to which personal data are to be provided cannot be specified in advance with respect to the nature of the matter, or if the third parties constitute a group of entities with the same scope of activities and if they process personal data for the same purpose or purposes, or if composition of such group is subject to a constant change.

(7) The person intending to make personal data of the data subject public cannot violate, by his conduct, the data subject’s right to protection of personal rights and privacy; they cannot be made public contrary to legitimate interests of the data subject.

(8) If the data subject does not enjoy full legal capacity, a consent required under this Act may be provided by his legal representative.

(9) If the data subject does not live, a consent required under this Act may be provided by his close person. The consent shall not be valid if any close person expresses his disagreement in writing.

(10) The provision of Paragraph 6 shall also apply in the cases when provisions of Section 5 Paragraph 2 or Section 10 Paragraph 1 or 2 are followed.

(11) Personal data of the data subject may be provided from the filing system to another legal person, natural person, or an entity residing abroad only upon a written confirmation that a consent was obtained, provided that this Act requires such consent; the person providing personal data in such manner may replace the written confirmation of the obtained consent by a written declaration of the controller stating that data subjects gave their consent, provided that the controller is able to prove that the written consent of data subjects was given.

(12) Personal data under Paragraph 4 Subparagraph c) and under Section 9 Paragraph 1 Subparagraph b) may be processed without consent of the data subject only if and until the reasons, which prevented obtaining of the data subject’s consent exist. If the reasons ceased to exist, the person processing the personal data shall provide the data subject’s consent.

(13) The person alleging to process personal data which have already been made public shall prove to the Office, upon its request, that the processed personal data have already been made public.

(14) Recipients may process the personal data of the data subject which have already been made public only for their own needs within the framework of purely personal or household activities.

Section 8

Special Categories of Personal Data

(1) The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in political parties or movements, trade-union membership, and the processing of data concerning health or sex life shall be prohibited.

(2) In the processing of personal data, an identifier of general application stipulated by a special Act may be used for the purposes of identification of a natural person only provided that its use is necessary for achieving the given purpose of the processing. Processing of a different identifier revealing characteristics of the data subject, or releasing of an identifier of general application shall be prohibited.

(3) Processing of personal data relating to a breach of provisions of the criminal law, misdemeanours act or civil law, or relating to execution of final judgements or decisions, may only be performed by a person entitled to it by a special Act.

(4) Biometrical data may only be processed under conditions stipulated by a special Act, provided that

a) it expressly results for the controller from the Act; or

b) the data subject gave a written consent to the processing.

(5) Personal data relating to mental identity of a natural person or his mental capacity to work may only be processed by a psychologist or by a person entitled to it by a special Act.

Section 9

Exceptions from Restrictions in Processing of Special Categories of Personal Data

(1) The prohibition relating to the processing of personal data under Section 8 Paragraph 1 shall not apply if the data subject gave a written consent to their processing, or if

a) the processing is required by a special Act stipulating a list of personal data, the purpose of their processing and the group of data subjects; the processed personal data of the data subject may be provided, made available or made public from the filing system only if the special Act stipulates the purpose of provision, making available or public, a list of personal data that can be provided, made available or public, as well as the third parties to which personal data are provided or a group of recipients to which personal data are made available, unless otherwise stipulated by this Act; or

b) the processing is necessary for protection of vital interests of the data subject or of another natural person without legal capacity or physically unable to give a consent and a consent of his legal representative cannot be obtained; or

c) the processing is performed within the framework of legitimate activities by a civil society, foundation or non-profit organisation providing generally beneficial services, by a political party or movement, trade-union organisation, church or religious society acknowledged by the State, and such processing only concerns their members or the natural persons which are in a regular contact with them with respect to their objectives, the personal data serve solely for their internal needs and will not be provided to a third party without a written consent of the data subject; or

d) the processing concerns the personal data which have already been made public by the data subject or which are necessary for exercising his legal claim; or

e) the processing is performed for the purposes of providing medical care and effecting public health insurance, provided that these data are processed by a provider of the medical care, a health insurance company or the Office for Internal Supervision over Health Care; or

f) the processing is performed within the framework of social insurance, social security of policemen and soldiers, for the purposes of provision of social relief or assistance in distress or if the processing is necessary for the purposes of fulfilment of obligations or exercising the legitimate rights of the controller responsible for the processing in the field of labour law and employment services, and if it results for the controller from a special Act.

(2) The written consent of the data subject given under Paragraph 1 shall be invalid if its provision is prohibited by a special Act.

(3) The provision of Section 8 Paragraph 4 shall not apply to the processing of biometrical data, except for analysis of DNA and the DNA profile of natural persons for the purposes of registration or identification in entering the sensitive, especially protected facilities, the premises with reserved access or in accessing technical appliances or devices with a high rate of risk and in the cases of solely internal needs of the controller.

Section 10

Obtaining Personal Data

(1) The controller who intends to obtain personal data from the data subject shall be obliged to inform the data subject, at the latest during obtaining of the data, and notify him in advance of the following without being requested

a) the name and registered office or permanent residence of the controller; if on the territory of the Slovak Republic the controller’s representative acts on behalf of the controller which has registered office or permanent residence in a third country, the controller’s representative shall also notify the data subject of the name and registered office or permanent residence of the controller,

b) the name and registered office and permanent residence of the processor, provided that the processor obtains personal data on behalf of the controller or the controller’s representative; in such case the processor shall be obliged to notify the data subject in time of information under this Subparagraph,

c) the purpose of the personal data processing; and

d) additional information in the extent necessary for safeguarding the rights and legitimate interests of the data subject with regard to all circumstances of the processing of personal data, in particular the right to be informed about conditions of the processing of his personal data

1. identification of the entitled person obtaining personal data or proving his pertinence, by a reliable document, to the entity on behalf of which it acts; the entitled person shall be obliged to satisfy such request of the data subject without undue delay,

2. advice on voluntariness or obligation to provide the requested personal data; if the data subject may decide about provision of his personal data, the controller shall notify the data subject on what legal basis he intends to process the data subject’s personal data; if the obligation of the data subject to provide his personal data arises from a special Act, the controller shall inform the data subject which act imposes this obligation on the data subject and he shall warn the data subject of the consequences of refusing to provide the personal data,

3. third parties, provided that it is expected or clear that personal data will be provided to them,

4. group of recipients, provided that it is expected or clear that personal data will be made available to them,

5. form of making public, provided that personal data are to be made public,

6. third countries, provided that it is expected or clear that personal data will be transmitted to these countries,

7. advice on the existence of the data subject’s rights.

(2) If the controller did not obtain the data subject’s personal data directly from the data subject, he shall be obliged to notify the data subject, without undue delay but at the latest in the time before providing them for the first time to a third party (if such provision was expected already in obtaining of the personal data), of the information under Paragraph 1 Subparagraphs a) to c) and of additional information in the extent necessary for safeguarding the rights and legitimate interests of the data subject with regard to all circumstances of the processing of personal data, in particular the right to be informed about conditions of the processing of his personal data

a) advice on the possibility to decide on processing of the obtained personal data,

b) list of personal data,

c) third parties, provided that it is expected or clear that personal data will be provided to them,

d) group of recipients, provided that it is expected or clear that personal data will be made available to them,

e) form of making public, provided that personal data are to be made public,

f) third countries, provided that it is expected or clear that personal data will be transmitted to these countries,

g) advice on the existence of the data subject’s rights.

(3) The data subject does not have to be notified of the information under Paragraph 1, provided that with regard to all circumstances the controller is capable of proving to the Office, anytime upon its request, that in the time of obtaining the personal data all necessary information has already been known to the data subject. The data subject does not have to be notified of the information under Paragraph 2 if

a) with regard to all circumstances the controller is capable of proving to the Office, anytime upon its request, that all necessary information has already been known to the data subject in the time of the decisive event,

b) the processing of personal data is permitted by a special Act or by an international treaty binding for the Slovak Republic,

c) the subject of the processing is constituted solely by the personal data that have already been made public, or

d) the processed personal data are intended for the purposes of artistic or literary expression, or for the purposes of informing the public by means of the mass media under the conditions stipulated in Section 7 Paragraph 4 Subparagraph a) the part of the sentence before the semicolon, or for historical or scientific research and development, or for the purposes of the State’s statistics, and if with regard to all circumstances the controller is capable of proving to the Office, anytime upon its request, that provision of such information is objectively impossible or would involve disproportionate costs and effort.

(4) The controller obtaining personal data for the purposes of identification of a natural person at his single entrance of the controller’s premises shall be entitled to request his name, surname, title and Identity Card number, or the number of an official identity card, or the number of a travel document, citizenship and for proving, by a submitted document, that the provided personal data are true. If the natural person identifies himself according to a special Act, the controller shall only be entitled to request for the registration number of his official identity card. In such cases, Paragraph 1 shall not apply.

(5) The controller or the processor obtaining, making available or providing personal data on the premises accessible to the public shall ensure their processing in secrecy.

(6) The personal data necessary for achieving the purpose of the processing may only be obtained by photocopying, scanning or other recording of official documents on an information carrier upon a written consent of the data subject or if a special Act expressly permits their obtaining without a consent of the data subject. Neither the controller nor the processor may force the data subject’s consent or make it conditional with a threat of rejecting the contractual relation, service, goods or duty of the controller or processor laid down by law.

(7) The premises accessible to the public may be monitored by means of a video recording or audio recording only for the purposes of the public policy and security, disclosing criminal activities or interference with the State’s security, provided that the premises are clearly marked as being monitored. Marking of the fact that the premises are being monitored is not required if it is not stipulated by a special Act. The recording may only be used for the purposes of criminal prosecution or proceedings concerning misdemeanours, unless otherwise stipulated by a special Act.

(8) The controller who obtained personal data under Section 7 Paragraph 4 Subparagraph d) without the data subject being aware of that or directly from the data subject, shall provide the data subject, in the course of their first contact, with the information under Paragraph 1, and if the personal data are processed for the purposes of direct marketing, he shall also notify the data subject of his right to object in writing to their provision and use in the mail correspondence.

(9) The controllers whose scope of activity is direct marketing shall keep a list of the provided personal data under Section 7 Paragraph 4 Subparagraph d) in the following extent: name, surname, title and address of the data subject, date of their provision or the date of effectiveness of the prohibition of their further provision under Section 13 Paragraph 6, and the name of the legal or natural person to whom the above personal data were provided. The legal and natural persons to whom the above personal data were provided shall keep a list in the same extent.

Section 11

Truthfulness of Personal Data

Only true personal data may be provided to a filing system. Liability for false personal data shall be borne by the person who provided them to the filing system.

Section 12

Accuracy and Keeping Personal Data Up-To-Date

(1) The controller shall ensure accurate and up-to-date personal data. Personal data given in compliance with Section 11 shall be considered accurate.

(2) Personal data shall be deemed accurate, unless the contrary is proven.

Section 13

Destruction of personal data

(1) After the purpose of processing is fulfilled, the controller shall provide for destruction of personal data without undue delay.

(2) The controller shall provide destruction of personal data, except for the personal data under Section 7 Paragraph 4 Subparagraph d), without undue delay also in the case that

a) the reasons which prevented obtaining of a consent of the data subject (Section 7 Paragraph 12) ceased to exist and the consent was not given; or

b) the data subject filed an objection under Section 20 Paragraph 3 Subparagraph a); the controller shall further proceed pursuant to Paragraph 5.

(3) Paragraph 1 shall not apply if

a) a special Act stipulates a time limit which prevents destruction of personal data without undue delay; after expiration of the time limit prescribed by law the controller shall provide destruction of personal data without undue delay,

b) personal data constitute a part of archive documents,

c) the written, audiovisual, audio or other recording containing personal data was included in pre-archive care; no processing of personal data may be performed in the course of pre-archive care except for their storage, and they may only be used for the purposes of civil proceedings, criminal prosecution or administrative proceedings.

(4) Storage time limits for written, audiovisual, audio or other recordings containing personal data and included in the pre-archive care may be determined only for the time necessary for exercising the rights or obligations stipulated by law.

(5) If the data subject files an objection under Section 20 Paragraph 3 Subparagraph b), the controller shall terminate without undue delay the use of the personal data referred to in Section 7 Paragraph 4 Subparagraph d) in the mail correspondence.

(6) If the data subject files an objection under Section 20 Paragraph 3 Subparagraph c), the controller shall notify of it without undue delay and in writing every person to which he provided the personal data referred to in Section 7 Paragraph 4 Subparagraph d); a ban of further provision of the above personal data shall apply to the controller and to every person to whom the controller provided them from the day following after the day of delivery of the data subject’s objection or of delivery of the controller’s notification in writing.

(7) If the recording made pursuant to Section 10 Paragraph 7 is not used for the purposes of criminal proceedings or proceedings concerning misdemeanours, the person who made it shall destroy it at the latest within seven days from the day following after the day on which the recording was made, unless otherwise stipulated by a special Act.

(8) Repealed as of 1 May 2005

Section 14

Notification of Rectification or Destruction

(1) The controller shall notify the data subject and every person to whom he provided personal data of rectification or destruction of the personal data within 30 days from its execution.

(2) Notification may be abandoned, provided that the rights of the data subject are not violated by such abandonment of notification of rectification or destruction.

CHAPTER TWO

SECURITY OF PERSONAL DATA

Section 15

Liability for Security of Personal Data

(1) The controller and the processor shall be responsible for security of personal data by protecting them against accidental or unlawful damage or destruction, accidental loss, alteration, unauthorized access and making available, as well as against any other unauthorized forms of processing. For this purpose he shall take due technical, organisational and personal measures adequate to the manner of processing, while he shall take into account above all

a) the existing technical means,

b) the extent of possible risk that could violate security or functionality of the filing system,

c) confidentiality and importance of the processed personal data.

(2) The controller and the processor shall take the measures under Paragraph 1 in the form of a security project of the filing system (hereinafter the “Security Project”) and they shall provide its development if

a) special categories of personal data under Section 8 are processed in the filing system and the filing system is interconnected with a publicly accessible computer network or it is operated in a computer network interconnected with a publicly accessible computer network,

b) special categories of personal data under Section 8 are processed in the filing system; in such case the controller and the processor shall only document the taken technical, organisational and personal measures in the extent stipulated by Section 16 Paragraph 3 Subparagraph c) and Paragraph 6; or

c) the filing system is used for safeguarding the public interest under Section 2 Paragraph 1; the provision of Section 16 shall not apply to development of the Security Project only provided that an obligation to elaborate a Security Project pursuant to a special Act simultaneously applies to the respective case.

(3) Upon request of the Office the controller and the processor shall prove the extent and contents of the taken technical, organisational and personal measures under Paragraph 1 or 2.

(4) If the subject of the inspection is constituted by the filing systems under Paragraph 2, the Office shall be entitled to request the controller or the processor for submittal of an evaluation report on the outcome of an audit of the filing system’s security (hereinafter the “evaluation report”), provided that there are serious doubts about its security or about practical implementation of the measures referred to in the Security Project. The controller or the processor shall submit the evaluation report, not older than two years, to the Office without undue delay, otherwise he shall provide performance of an audit of the filing system’s security at his own expense and submit an evaluation report within three months from the day of the obligation’s imposition.

(5) The audit of the filing system’s security may only be performed by an external, professionally qualified legal or natural person, who did not participate in development of the Security Project of the respective filing system and there are no doubts about its impartiality.

Section 16

Security Project

(1) The Security Project shall define the extent and manner of the technical, organisational and personal measures necessary for elimination and minimizing of the threats and risks affecting the filing system from the viewpoint of impairing its security, reliability and functionality.

(2) The Security Project shall be developed in accordance with the basic rules of filing system’s security, the issued security standards, legal regulations and international treaties binding for the Slovak Republic.

(3) The Security Project shall include above all

a) a security policy,

b) analysis of the filing system’s security,

c) security directives.

(4) The security policy shall specify the basic security objectives that must be achieved for protection of the filing system against violation of its security and it shall contain above all

a) specification of the basic security objectives and the minimum required security measures,

b) specification of the technical, organisational and personal measures for ensuring protection of personal data in the filing system and the manner of their use,

c) definition of the filing system’s environment and its relation to the possible security violation,

d) definition of the limits determining residual risks.

(5) Analysis of the filing system’s security shall mean a detailed analysis of the state of the filing system’s security containing above all

a) qualitative risk analysis, within which the threats affecting individual items of the filing system capable of violating its security or functionality are identified; the result of the qualitative risk analysis shall be a list of threats that could endanger confidentiality, integrity and availability of the processed personal data, while it shall also state the extent of the possible risk, proposals of the measures eliminating or minimizing the effect of the risk and a list of the remaining risks,

b) use of security standards and determination of other methods and means of the protection of personal data; evaluation of conformity of the proposed security measures with the applied security standards, methods and means shall constitute a part of the analysis of the filing system’s security.

(6) Security directives shall specify and apply the conclusions resulting from the Security Project to the concrete conditions of the operated filing system and they shall include above all

a) description of the technical, organisational and personal measures defined in the Security Project and their use in concrete conditions,

b) the scope of powers and description of the permitted activities of individual entitled persons, the manner of their identification and authentication in accessing the filing system,

c) the scope of liability of entitled persons and of the personal data protection official (Section 19),

d) the manner, form and periodicity of performance of the inspection activities focused on observation of the filing system’s security,

e) procedures during breakdowns, failures and other extraordinary situations including preventive measures for restricting the occurrence of extraordinary situations and possibilities of an effective restoration of the state before the breakdown.

Page last modified on May 15, 2007, at 03:50 PM
Copyright © András Jóri 2006-2007 (unless otherwise stated). All rights reserved.