On the second anniversary of the GDPR in Slovakia, what has changed?

Written by
NITSCHNEIDER & PARTNERS, largest boutique firm focusing on HR law.
This article summarises developments in GDPR enforcement and strategy in the last year in the Slovak Republic.

The GDPR has brought a huge change in the way we think about the protection of personal data. Since the GDPR came into force on 25 May 2018, we have faced several practical and theoretical problems. After two years we could say that the GDPR is like wine: it gets better with age.

1. Relevant decisions issued by the Slovak DPA

The Slovak DPA (in Slovak: Úrad na ochranu osobných údajov Slovenskej republiky) issued several interesting decisions. So far we have not witnessed any astronomically high fines; the highest ones are set out below.

Social Insurance Agency (SIA)

A fine of EUR 50,000 was imposed due to insufficient technical and organisational measures to ensure information security.

The main nature of the GDPR breach was the inappropriate transfer of documentation to customers overseas. The documentation included personal data, ID data and health data, and was mailed by SIA as ‘not registered mail’, that is, mail that is not delivered solely to the customer and cannot be tracked. The DPA’s reasoning was that, given the sensitive nature of the personal data, this documentation should have been posted as ‘registered mail’.

Slovak Telecom

A fine of EUR 40,000 was imposed for failing to adopt adequate technical and organisational measures to ensure information security.

In this case, the controller distributed printed contracts and delivered them incorrectly. As a result of this incident, the personal data of the data subjects, including their name, residence, birth number, date of birth, ID card number, telephone number and email address, were given to unauthorised people throughout Slovakia.


A fine of EUR 10,000 was imposed because of the late response of the controller to a data subject’s request for information about the processing of his personal data.

According to the DPA’s reasoning, the controller failed to provide the data subject with the requested information within a period of one month. The controller provided the information after 67 days.

2. Plan of investigations in 2020

The DPA announced a plan of investigations for the year 2020. With the exception of the state bodies, the DPA will mainly focus on the controllers/providers in the following areas:

  • accommodation facilities;
  • public telecommunications services;
  • web hosting;
  • parking services;
  • collection of tolls or charges for the use of defined road sections.


However, this plan does not prevent the DPA from also initiating investigations in other areas.

3. English version of the Slovak Data Protection Act

In 2019, the DPA informed the public about the translation of the Slovak Data Protection Act into English. The wording of the Act is available here.

The Slovak Republic is also following the EDPB guidelines and other recommendations (e.g. 3/2018 on the territorial scope of the GDPR; 2/2019 – the processing of personal data under Article 6 (1) (b); 3/2019 on processing of personal data through video devices; 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR; 05/2020 on consent, etc.).

We hope that the following year of the GDPR will bring interesting new findings. In the upcoming months, we are expecting news in the area of processing health data, as a result of the fight against the Covid-19 pandemic.

Marek Bugan