The Slovak Republic’s New Data Protection Act Eases Rules on Cross-Border Transfers of Personal Data

June 26, 2013, 8:37 AM UTC

The New Data Protection Act No. 122/2013 Coll.[1] (“the New Act”), which was approved by the Slovak Parliament on April 30, 2013, and subsequently signed by the Slovak President, will become effective in the Slovak Republic as of July 1, 2013. The Act will replace Act No. 428/2002 Coll. on Protection of Personal Data as amended (“Act 428/2002”).

The reasons for adoption of the New Act included the need for thorough implementation of the EU Data Protection Directive (95/46/EC)[2] in the context of the observations of the European Commission’s evaluation mission and tasks contained in the Schengen action plan for the Slovak Republic, as well as in the context of the results of the analysis of the application of Act 428/2002.

The New Act aims to provide a more easily comprehensible legal framework for the rights and obligations of persons in the area of data protection, and to define more precisely the particular procedures in this area.

Among other things, the New Act:

  • introduces new rules on cross-border transfers of personal data to third countries not ensuring an adequate level of protection of personal data;


  • introduces new rules with respect to data protection officers (“DPOs”)[3];


  • amends the conditions and procedures regarding the registration (plain or special) of filing systems; and


  • provides greater precision regarding the mutual relationship between the controller and the processor.

New Rules on Cross-Border Transfers of Personal Data to Third Countries Not Ensuring an Adequate Level of Protection of Personal Data

Controller to Processor (‘C2P’) Transfers Based on the Standard Contractual Clauses (‘SCCs’)

These transfers no longer have to be authorized by the Office for Personal Data Protection of the Slovak Republic (“the Office”), and thus controllers transferring data to such countries will not incur expenses related to translations or elaborations of Slovak language versions of the SCCs if they wish to have the SCCs in a language other than Slovak, and there will be no need to wait for the issuance of the authorization.

The wording of the New Act does not even contain any deposition requirement of the SCCs with the Office, which in our view may be seen as a business-friendly solution further lessening administrative burdens.

However, if the contractual clauses are different from the SCCs or are apparently incongruent with the SCCs, the controller may transfer the data only with the prior authorization of the Office.

Controller to Controller (‘C2C’) Transfers Based on the SCCs

These transfers have to be authorized by the Office similarly to C2P transfers based on the SCCs, i.e., only in cases where the contractual clauses are different from or apparently incongruent with the SCCs.

Transfers Based on Binding Corporate Rules (‘BCRs’)

The New Act now explicitly states that these transfers may be carried out without any authorization by the Office, provided the BCRs (issued by the controller) are approved by the supervisory authority in the area of personal data protection in an EU Member State. This is again a positive change, due to the fact that, under the provisions of Act 428/2002, C2P transfers of personal data, even based on BCRs approved in another Member State, had to be approved by the Office.

The New Act also introduces a new competence of the Office: the competence to approve the controller’s BCRs for the purposes of transfers of personal data to countries not ensuring an adequate level of protection of personal data.

It is also worth noting that the New Act states that transfers of personal data (to third countries not ensuring an adequate level of protection) of employees must be based exclusively either on approved BCRs or, alternatively, on the SCCs.

Transfers to Controllers and Processors Residing/Having a Registered Office in the United States and Listed on the Safe Harbour List

These transfers no longer have to be authorized by the Office. The previous practice was that each such transfer had to be authorized by the Office, which, in general, verified whether or not the importer of the personal data was listed on the Safe Harbour list and then, depending on the result, issued the authorization. In our view, the New Act does not even contain any requirement to notify the Office of the transfer.

The New Act also contains the minimum obligatory contents of the contract on the transfer of personal data to importers listed on the Safe Harbour list.

The Office issued 45 authorizations of transfers of personal data to third countries not ensuring an adequate level of protection of personal data during the years 2011 and 2012. The transferred data comprised mostly data of employees, clients and business partners, and the main purposes of the transfers were effective governance of the human resources agenda, global governance of business activities and processing of the agenda related to employees.[4] Thus, it can be concluded that the provisions of the New Act in this area will especially benefit multinational companies.

New Rules with Respect to Data Protection Officers

It can be generally stated that the New Act contains more detailed provisions in this area than those in Act 428/2002. The most significant of the newly introduced rules are the following:

  • An obligation is imposed on controllers[5] to authorize in writing one or more DPOs, on condition that the controller processes personal data via 20 or more entitled persons (i.e., basically natural persons who are in contact with the personal data in the course of their employment or other relationship with the controller). It should be noted that, contrary to Act 428/2002, which required appointment of the DPO only when the controller employed more than five employees, the New Act does not associate this obligation only with the employment relationship of entitled persons;


  • The DPO must be authorized by the controller within 60 days of the start of the processing of personal data, and the authorization of the DPO must be announced to the Office within 30 days;


  • The DPO must have a valid certification on passing an examination before the Office; when a DPO who has such certification has not carried out the function of the DPO during the term of two years or longer, the DPO must pass the examination again;


  • The New Act also newly specifies the minimum obligatory content of the authorization of the DPO; and


  • The controller may notify the Office of the authorization of more than one DPO, whereas, under Act 428/2002, a controller could have notified the Office of the authorization of only one DPO, even in case more DPOs were authorized, e.g., in order to supervise different filing systems of the controller.

Furthermore, the New Act no longer provides for the voluntary authorization of the DPO. Under Act 428/2002, the controller had a choice to authorize the DPO when it had five or fewer employees. The advantage of such authorization was that the controller was then exempt from the obligation to register its filing system.[6] The New Act states in this respect that the controller who processes personal data via fewer than 20 entitled persons is obliged (without exception) to register the filing systems which are subject to registration pursuant to the New Act.

The register of the DPOs maintained by the Office contained 44,566 authorized DPOs (as of December 31, 2012) who were notified to the Office.[7] The transitional provisions of the New Act state that the authorizations and notifications of DPOs made under Act 428/2002 are also valid under the New Act, but the controller should ensure compliance with the new set of rules for DPOs (as mentioned above) during the one-year transitional period.

Registration and Special Registration of the Filing Systems

Generally, all the filing systems in which personal data are processed via wholly or partially automated means of processing are subject to either plain registration (“registration”) or special registration with the Office. The following are the major changes introduced by the New Act in this area:

Registration

  • A controller that processes personal data via fewer than 20 entitled persons cannot authorize a DPO in order to avoid an obligation to register its filing system(s), and thus must register the filing systems which are subject to registration pursuant to the New Act.


  • A controller that processes personal data via 20 or more persons and has authorized one or more DPOs does not have to register the filing systems under the New Act.


  • Pursuant to the New Act, the filing systems containing personal data of job applicants and personal data of the human resources agenda must be registered with the Office, since the registration exception contained in Act 428/2002 that was applicable to these filing systems was not incorporated into the New Act.


  • Registration of the filing system or alteration of the registration is subject to an administrative fee in the amount of €20.

Special Registration

  • Processing of biometric data[8] is, in a majority of cases, subject to special registration.


  • Special registration of the filing system or alteration of the special registration is subject to an administrative fee in the amount of €50.

As of December 31, 2012, there were 303 registrations of filing systems and 78 special registrations of filing systems with the Office.[9] Pursuant to the transitional provisions of the New Act, registrations and special registrations under Act 428/2002 will still be valid after July 1, 2013. However, controllers are obliged to register their filing systems (either plain or special registration) pursuant to the new rules within the transitional period of six months, if such registration is required by the New Act.

Regulation of a Mutual Relationship Between the Controller and the Processor

The New Act explicitly states that the controller is entitled to authorize a processor to process personal data on behalf of the controller only on the basis of a written contract, whereas under Act 428/2002 it was possible for the controller to simply issue a written authorization to the processor in this respect.

The New Act also newly specifies the following minimum obligatory content of the written contract between the controller and the processor:

  • identification of the controller and the processor to the extent stated in the New Act;


  • the date as of which the processor is authorized to process personal data on behalf of the controller;


  • the purpose of the processing of personal data;


  • the name/designation of the filing system;


  • a list of personal data processed;


  • the data subjects;


  • the conditions of processing of personal data and also the list of permitted operations with personal data;


  • the declaration of the controller that he met the statutory requirements imposed on the choice of the processor;


  • if the data are to be processed by a sub-processor, the contract must also include a written agreement on such possibility;


  • the duration of the contract; and


  • the date and the signatures.

Furthermore, complying with the request of the European Commission, the provision of Act 428/2002 that was interpreted to allow for the existence of a chain (or a pyramid) of several (sub-) processors was not incorporated into the New Act.[10]

According to the New Act, a processor may authorize another processor (i.e., a sub-processor that is legally defined in the New Act as a “sub-contractor”) only on condition it was agreed in the written contract concluded with the controller. The sub-contractor cannot further authorize another processor to process personal data on behalf of the original controller.

Pursuant to the transitional provisions of the New Act, the controller is obliged to comply with the new obligations regarding the contractual relationship between the controller and the processor within the period of one year as of the effective date of the New Act.

Conclusion

Thus, as described above, it can be stated that compliance with the new regulation of personal data contained in the New Act requires the attention of persons involved in the processing of personal data, due to several new obligations that have to be complied with in the respective transitional periods. Moreover, certain obligations are also associated with financial expenses for administrative fees.

On the other hand, the new regulation of personal data clearly lightens the administrative burdens related to cross-border transfers of personal data, and is, in our view, certainly more easily comprehensible to the general public.

Radovan Repa is a Senior Associate and Tomas Blazej is an Associate with Bird & Bird s.r.o., Bratislava. They may be contacted at radovan.repa@twobirds.com and tomas.blazej@twobirds.com.
