Stage of legislative progress 
Eg. pre-consultation, in consultation

A new Act no. 18/2018 Coll. on Personal Data Protection ("New DPA") has been enacted and is effective as of 25 May 2018. Hence, the legislative process has been fully completed. The New DPA is in line with GDPR.

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

The New DPA has fully repealed the previous Act no. 122/2013 Coll. on Personal Data Protection.

Timescale for implementation 
Eg. pre-consultation, in consultation

The New DPA is effective as of 25 May 2018.  

Areas where Member States must have local laws:

Personal data and freedom of expression 

New DPA stipulates in Article 78 that personal information may be processed without a data subject's consent for journalistic, academic, artistic and literary purposes. However, such processing must not breach a data subject's right to personality protection and privacy.


Slovak criminal act no. 300/2005 Coll. sanctions the unauthorized use of personal data. Any person who, without lawful authority, communicates, makes accessible or discloses a) personal data of another obtained in connection with the execution of public administration or with the exercise of constitutional rights of a citizen, or b) personal data of another obtained in connection with the execution of his profession or employment, and thus breaches a generally binding legal regulation, shall be liable to a term of imprisonment.


Areas where Member States may have local laws:

Professional secrecy 

Controllers and processors are required to ensure that any individual persons who they let into contact with personal information are bound by a confidentiality obligation which must continue even after the termination of the work (employment) or other contract with such person (Article 79 of the New DPA). This requirement for a confidentiality obligation being valid after termination of the relevant relationship goes beyond GDPR confidentiality obligation requirements. 

Scientific, historical or statistical purposes 

Processing of information for scientific, historical and statistical purposes is allowed, if it is adequate, respects the essence of personal data protection and appropriate measures for the protection of the rights and interests of data subjects are taken (Article 16 k) of New DPA).

These measures are of a technical and organisational nature and must respect the principle of data minimisation and pseudonymisation (Article 78 (8) of New DPA). 

Article 78 (9) of New DPA restricts data subjects' rights in this context under certain conditions.


An employer, as a controller, is allowed to process or publish personal data in the extent of title, name, surname, relevant position, employee's work ID, place of work, telephone number, fax number, email and employer's identification data, if it is necessary in relation to the fulfilment of work tasks and duties of the data subject. Such processing or publishing must not undermine data subject's seriousness, dignity and security. (Article 78 (3) of New DPA).

Personal data of deceased persons 

If the data subject is deceased, consent may be given by "a close person" (Article 78(7) of New DPA). Consent is not valid if any other close person disagrees. 

Children online 

16 years

Special rules for special categories of data
Essentially the same as under GDPR.

Genetic, biometric or health data

Genetic, biometric and health data can also be processed on the basis of a special law or international agreement which binds the Slovak Republic (Article 78 (5) of New DPA).

Designation of a Data Protection Officer

Essentially the same as under GDPR.

National identification numbers/any other identifier of general application




Any other areas under discussion