Address:Soblahov 480 Soblahov 913 38 Company no.: 44690347
According to § 60(1) of Act No 18/2018 on the protection of personal data and amending certain acts (the “personal data protection act”), a data controller must make specific information available on its website to the data subject (the individual whose personal data are processed).Apart from its identification and contact data and the contact data of the data protection officer, the public authority must also make available the information found under the tabs on the left of the screen.
Data protection officer
Contact details of the Office
Office for Personal Data Protection of the Slovak Republic
820 07, Bratislava 27
Company no.: 36 064 220
Monday - Thursday 8:00 - 15:00
Friday 8:00 - 14:00
Telephone consultations concerning personal data protection:
Tuesday and Thursday from 8:00 to 12:00: +421 2 323 132 20
Secretariat of the President of the Office: +421 2 323 132 11
Secretariat of the Office: +421 2 323 132 14
Fax: +421 2 323 132 34
mobile: 0910 985 794
email: [email protected]k
a) general: [email protected]
b) for information according to Act No211/2000: [email protected]
c) website: [email protected]
d) to submit a request for information under Act No 211/2000 on freedom of information, use the online form.
e) email address on which the Office will provide assistance in matters of personal data protection. It is intended for children, youth, students, teachers, and parents who suspect their personal data have been misused: [email protected]
Information about purpose
Information about the purpose for which personal data are processed
One of the principles of processing personal data is purpose limitation.That means personal data may only be collected for specific, explicit and legitimate purposes, and may not be further processed in any manner incompatible with those purposes.
Personal data should be processed in close alignment with the processing purpose, particularly as regards the types or scope of the data necessary for the processing to achieve its intended purpose.Function creep should be avoided (this is where the types or scope of personal data are factitiously or gradually widened beyond their initial purpose).If the purpose and the types of personal data and the extent to which they are processed are defined by law, the law must be complied with. If the controller determines the types of personal data and the extent of their processing, the controller must take care not to unnecessarily widen the purpose beyond that stated extent.
The personal data protection act requires controllers to provide information to data subjects about the purpose for which their personal data are processed, even if the personal data are not obtained directly from the data subject concerned.This information must be provided to the data subject at the time their data is collected, or in good time, and the information must be concise, intelligible, and in clear and easy to understand language.
Ask our data protection officers to send you information about the purposes for which personal data are processed.
Rights of the data subject
Right of the data subject to bring proceedings in accordance with § 100 of the personal data protection act
A data subject who suspects that their personal data have been processed unlawfully, or that their data have been misused, may bring data protection proceedings before the Office for Personal Data Protection of the Slovak Republic (the “Office”).
Proceedings may be brought in writing; orally in person for entry on official record; electronically with an advanced electronic signature; or by telegraph or fax (which must then also be made in writing or orally on official record within 3 days).
Pursuant to § 63(2) of the personal data protection act, the complaint must contain:
a) name, surname, permanent address, and signature of the complainant,
b) name of the party against whom the complaint is lodged – business name or name and surname, registered office or permanent residence, and legal form and company identification number, if applicable,
c) subject matter of the complaint, indicating which rights the complainant alleges have been infringed in the processing of personal data,
d) evidence to support the allegations set out in the complaint,
e) where rights may be invoked pursuant to § 28, copy of a document demonstrating that such rights are being invoked, or a statement of reasons meriting special consideration.
The Office will decide on the complaint within 60 days after the complaint was filed; in justifiable cases the Office may reasonably extend this time period, but not by more than 6 months.The Office notifies the parties to the proceedings in writing of that extension.
Sample complaint: https://www.dataprotection.gov.sk/uoou/sites/default/files/kcfinder/files/WEB-vzor_navrhu.pdf
Right of access
Information about the right to request the competent authority for access to personal data concerning the data subject, and the right to the rectification, erasure, and restriction on the processing of the personal data
A data subject has the right to obtain confirmation from the competent authority about whether their personal data are processed, and if the data are processed they have the right to access the personal data and to obtain information about
a) the purpose of the processing and the legal basis for the processing,
b) the categories of personal data that are processed,
c) the recipients or categories of recipients to whom the personal data were or are disclosed, particularly recipients in third countries and international organisations,
d) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period,
e) their right to request from the competent authority rectification or erasure of the personal data or the restriction of processing or to object to processing,
f) contact information for the office,
g) their right to bring proceedings in accordance with § 100,
h) the sources of the personal data, if available.
Individuals should have the right of access to the data which have been collected concerning them, and to exercise that right easily, in order to be aware of, and verify, the lawfulness of the processing.Every data subject should therefore have the right to know and obtain information in particular with regard to the purposes for which the personal data are processed, the categories of the data concerned, the period for which the personal data are processed, the recipients of the personal data, etc.To be in compliance it is sufficient if the data subject has a full summary of the above information in an intelligible form that allows the data subject to be informed and to be able to exercise their rights afforded by this law.
The competent authority may completely or partially restrict access to their personal data, to the extent and for the time that, with due regard to the rights and legitimate interests of the data subject concerned in a democratic society, such a measure is necessary and proportionate for preventing obstruction of official or judicial detection, investigation, or proceedings, to avoid compromising criminal proceedings in order to protect public or national security, or to protect the rights and freedoms of others.The competent authority should examine each specific case individually as to whether the right of access should be partially or completely restricted.
The data subject should in principle be notified in writing of any restriction of access, stating the reasons of fact or law on which this decision is based.
The data subject should also have the right to rectification of inaccurate personal data and the right to the erasure of data if the processing of those data is in contravention of the law.However, the content of a witness statement for instance should not be affected by the right to rectification.
Individuals should have the right to a restriction on processing in cases where they challenge the accuracy of the personal data and the accuracy of that data cannot be determined, or where personal data must be kept for evidentiary purposes.Rather than erasing personal data, processing should be restricted particularly in specific cases where there is reason to believe erasure could affect the legitimate interests of the data subject, in which case the restricted data should only be processed for those purposes that prevented the erasure of the data.Methods to restrict the processing of personal data could include moving the selected data to another processing system, for instance for archiving purposes, or restricting their accessibility, and others.In automated filing systems, the restriction of processing should in principle be ensured by technical means.It should be clearly indicated in the system that the processing of personal data is restricted.Any rectification or erasure of personal data or restriction of processing should be communicated to each recipient to whom the data were disclosed and to the competent authority from which the data originated.The competent authorities should likewise discontinue any further dissemination of such data.
Contact our data protection officers for more information.
To ensure the fair processing of the personal data of data subjects, and to ensure data subjects can exercise their rights, in specific cases, apart from the stated information, data subjects should also be informed of
a) the legal basis for which their personal data are processed,
b) how long the personal data will be stored,
c) the purpose for which their personal data are processed,
d) the categories of recipients and other information.