Changes in personal data protection starting from May 2018

Starting from 25 May 2018, the new Regulation of the European Parliament and of the Council (EU) No. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter referred to as the “GDPR”) will come into force in all the Member States of the European Union, including the Slovak Republic. It introduces significant changes in the field of the protection of personal data of individuals, and hence major changes in the rights and obligations of data controllers and processors that process personal data. The GDPR will be a legal act directly binding and applicable throughout the European Union (EU), including the Slovak Republic. Alongside the GDPR, the new Act No. 18/2018 on the Protection of Personal Data will be in force in Slovakia (hereinafter referred to as the “Act on the Protection of Personal Data”). The new Act on the Protection of Personal Data repeals and replaces the existing Act No. 122/2013 Coll., and its subject matter includes in particular those areas that do not fall within the scope of the GDPR, or issues left by the GDPR to be addressed by national legislation.

Primarily, the GDPR strives to respond to rapid technological development, increased use of the Internet, IT, social networking sites, cloud-based services, and the associated new business models and marketing tools, and, last but not least, the strong globalisation in this area. Its purpose is to facilitate the free movement of personal data within the EU while ensuring the same high level of protection of this personal data throughout the EU, and uniform rules in the application thereof. The main goals of the GDPR are to ensure a high level of protection of personal data as an implementation of individuals' basic right, to strengthen the rights of data subjects in order to prevent unauthorised handling of their personal data, and to specify in corresponding detail the responsibilities of entities that process personal data or make decisions about its processing.

The issue of personal data protection concerns anyone who processes personal data of individuals for a particular purpose. The GDPR does not apply in some situations, for instance, when personal data is processed by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. The GDPR defines these personal or household activities to include correspondence and the holding of addresses, or social networking and on-line activity undertaken within the context of such activities. However, the commercial and professional area where personal data is commonly processed is so wide that the new legal regulation affects almost all entrepreneurs, public authorities, institutions, and so on. The processing of personal data takes place in a variety of situations and social relations, for example in employment relations, in education, in business relations, in the provision of services (healthcare, public and private), when selling goods to customers, and many more. Therefore, it is very important to become familiar with the new legislation and to prepare for implementing these rules in the procedures and processes of individual controllers. Of course, the new legislation also concerns the rights and obligations of natural persons whose data is being processed, the data subjects, who should also become familiar with their rights and obligations introduced by the Regulation.