Skip to content

Implementation Guide for GDPR at the National Level: Slovakia

Legislation in Slovakia: Overview of Q1, Data of Deceased Individuals Q2, Legal Foundations Q3, Consent of Minors Q4, and Handling of Sensitive Data Q5

Implementation Guide for GDPR at the National Level: Slovakia
Implementation Guide for GDPR at the National Level: Slovakia

Implementation Guide for GDPR at the National Level: Slovakia

Slovakia, like other European Union (EU) member states, has implemented General Data Protection Regulation (GDPR)-based legislation to safeguard the privacy and personal data of its citizens. However, the country is currently under legal scrutiny for specific national transposition shortcomings.

The European Commission referred Slovakia to the Court of Justice of the European Union in July 2025 due to incorrect transposition of rules concerning access to a lawyer [3]. This referral indicates ongoing compliance issues with national legislation, particularly regarding procedural rights for individuals.

Despite this issue, Slovakia participates in the EU-wide enforcement and procedural coordination mechanisms under the GDPR [2]. The Data Protection Act, the main legislation governing personal data protection in Slovakia, authorises providers of mass media services to process personal data necessary for informing the public via mass media, even without the consent of the data subjects, provided that such processing does not infringe upon the data subject's right to protection of personality, right to privacy, and such processing of personal data without the data subject's consent is not prohibited by special laws or by an international treaty binding on Slovakia.

Impact Assessments are only required in accordance with the provisions of the GDPR in Slovakia. The use of a general identifier, such as the birth certificate number (rodné číslo), is permissible only if the purpose of the data processing in question cannot be attained without such an identifier. In the event that the processing of such an identifier is based on the data subject's consent, such consent must be explicit, and processing on the basis of the consent must not be ruled out by special laws. Making the identifier public is prohibited, unless it is made public by the data subject.

The Data Protection Act does not contain any specific rules governing the processing of personal data for the performance of tasks carried out in the public interest, the processing of personal data subject to GDPR in compliance with a legal obligation, or the processing of personal data by a processor. However, additional regulation can be introduced by special laws.

In Slovakia, a child can give their consent to processing in relation to Information Society Services (ISS) at the age of 16. Special laws and/or an international treaty binding on Slovakia may restrict the rights of data subjects with regard to processing for archiving purposes, scientific or historical research purposes or statistical purposes.

Personal data relating to criminal convictions and offences may only be processed based on an authorization stipulated in special laws or an international treaty binding on Slovakia, provided appropriate safeguards are implemented. Data Protection Officers (DPOs) are only mandatory in the circumstances set out in Art. 37(1) GDPR. DPOs are subject to secrecy obligations under national law.

Employers may only collect personal data about employees regarding their qualifications, work experience, and other personal data that may be relevant in relation to the work performed and/or to be performed by the employee in question. Employers may not collect information on pregnancy, family circumstances, or political, trade union, and religious affiliations of candidates in the pre-contractual stage.

The Office for Personal Data Protection of the Slovak Republic (Urad na ochranu osobných údajov Slovenskej republiky) is the Data Protection Authority (DPA) in Slovakia. Parties may challenge first instance decisions of the DPA by appeal, which will be dealt with by the Chairman of the DPA. The decision of the Chairman of the DPA may be further subject to judicial review.

It's important to note that while Slovakia is under legal scrutiny for specific national transposition shortcomings, the country is aligned with the EU’s GDPR framework for personal data protection beyond this issue. New legislation has been passed in Slovakia to address the requirements of the GDPR, and the main pre-GDPR legislation has been repealed in full, but several laws containing provisions regarding the processing of personal data and/or governing certain aspects of personal data processing in specific sectors will continue to apply following the coming into force of the GDPR and have not been fully updated.

Under the Criminal Code, certain criminal offences in connection with the unauthorised or malicious processing of personal data are punishable by imprisonment of up to one or two years. There are no additional rules on apportionment of liability between joint controllers in Slovakia, and there are no specific rules governing the processing of personal data in the exercise of official authority vested in the controller.

In conclusion, Slovakia, like other EU member states, has implemented GDPR-based legislation to safeguard the privacy and personal data of its citizens. While the country is currently under legal scrutiny for specific national transposition shortcomings, it is aligned with the EU’s GDPR framework for personal data protection beyond this issue.

  1. White & Case, a global legal practice, offers services in the area of international regulatory compliance, providing news, insights, and publications on developments in intellectual property law, technology, education, and self-development.
  2. While Slovakia is under legal scrutiny for specific national transposition shortcomings, White & Case advises that the country is aligned with the EU’s GDPR framework for personal data protection.
  3. The Data Protection Act in Slovakia permits media service providers to process personal data for informing the public via mass media without consent, but only if such processing does not infringe upon the data subject's right to protection of personality or privacy.
  4. White & Case's Practice focuses on European Data Protection, guiding businesses on the requirements of the GDPR and other data protection laws in an increasingly complex regulatory environment.
  5. In Slovakia, the age for a child to give consent for processing information society services is 16 years. However, special laws or international treaties may restrict certain rights of data subjects.
  6. Under Slovakian law, personal data relating to criminal convictions and offences may only be processed based on an authorization stipulated in special laws or an international treaty binding on Slovakia.
  7. The Office for Personal Data Protection of the Slovak Republic is the Data Protection Authority in Slovakia, with parties able to challenge first instance decisions by appeal to the Chairman of the DPA, followed by judicial review if necessary.
  8. Employers in Slovakia may collect personal data relevant to the work performed or to be performed by employees, but are not allowed to collect information on pregnancy, family circumstances, political, trade union, and religious affiliations during the pre-contractual stage.

Read also:

    Latest