Rights of Data Subjects

 

Everyone shall have the right to be protected against

unauthorized collection, disclosure or any other

misuse of his or her personal data.

Constitution of the Slovak Republic, Art. 19 Sec. 3

 

 

Protection of personal data, especially privacy of their processing, is a sensitive area in the fundamental rights and freedoms of natural persons guaranteed by the Constitution of the Slovak Republic. This issue, including the data subject’s rights, is regulated by the Act No. 428/2002 Coll. on Protection of Personal Data, as amended by latter provisions (hereinafter “The PDP Act”).

 

Data subject is any natural person, whose personal data are processed1. According to the PDP Act, only a natural person can be a data subject; whereby it is not relevant whether it is a citizen of the Slovak Republic or a foreigner. Neither legal entity nor any entrepreneur-natural person can by the conduct of the business activities be data subjects within the scope of the PDP Act.

 

Data subject’s rights compose a substantive and comprehensive section in the area of personal data protection. They shall mean a legal way how the data subject is legitimate to apply its rights and make a request to the controller2 (the person processing personal data). PDP Act gives a detailed regulation in Section 20.

 

 

Data subject’s rights under the PDP Act

 

Based on the wording of the PDP Act the data subject’s rights can be divided into the following areas:

 

1) Data subject right of access

 

Upon a written application, the data subject is entitled to request from the controller:

  1. information about the state of processing of his personal data in the filing system in a generally intelligible form and in the extent under Section 26 Paragraph 3 of the PDP Act; if a decision under Section 20 Paragraph 4 letter b) of the mentioned act is issued, the data subject shall be entitled to familiarize himself with the procedure of the processing and evaluating of operations. The controller is obliged to satisfy this request and provide the data subject with the requested information free of charge,

  2. exact information, in a generally intelligible form, about the source from which the controller obtained his personal data for their processing. The controller is obliged to provide this information free of charge, except for a fee in the amount not exceeding the amount of material costs accrued in connection with the making of copies, providing technical carriers and sending the information to the data subject, unless otherwise stipulated by a special Act,

  3. a copy of his personal data, in a generally intelligible form, which constitute the subject of the processing. The controller is obliged to provide this information free of charge, except for a fee in the amount not exceeding the amount of material costs accrued in connection with the making of copies, providing technical carriers and sending the information to the data subject, unless otherwise stipulated by a special Act,

  4. rectification of inaccurate, incomplete or not updated information, which constitute the subject of the processing. The controller is obliged to satisfy this request and provide the data subject with the requested information free of charge,

  5. destruction of his personal data, if the purpose of their processing under Section 13 Paragraph 1 was fulfilled; if any official documents containing personal data constitute the subject of the processing, he may request their returning. The controller is obliged to satisfy this request and provide the data subject with the requested information free of charge,

  6. destruction of his personal data, which constitute the subject of the processing, in case that the law was breached. The controller is obliged to satisfy this request and provide the data subject with the requested information free of charge.

 

However, it is necessary that the data subject shall execute its rights upon a written request addressed directly to the controller.

 

The rights of the data subject may be restricted only under letters d) and e) of this Paragraph 1), if such restriction results from a special Act or if exercising of this right would infringe the protection of the data subject or the rights and freedoms of others. The controller is obliged to notify in writing the data subject and the Office for Personal Data Protection of the Slovak Republic (hereinafter the “Office“) about such restrictions without undue delay.

 

2) Data subject right to raise objections

 

The data subject is entitled to object to the controller, upon a free of charge written application, to the following:

  1. processing of personal data, in respect of which the data subject expects that they are or would be processed for the purposes of direct marketing without his consent and he shall be entitled to request for their destruction,

  2. use of the personal data referred to in Section 7 Paragraph 4 letter d) of the PDP Act (namely: title, name, surname and address) for the purposes of direct marketing in the mail correspondence; or

  3. provision of personal data referred to in Section 7 Paragraph 4 letter d) of the PDP Act (namely: title, name, surname and address) for the purposes of direct marketing.

 

In addition, the data subject has a right at any time upon a free of charge application to raise objections to the controller toward:

  1. the processing of personal data in the cases under Section 7 Paragraph 4 Subparagraphs a), e), f) or g) of the PDP Act3 by stating the legitimate reasons or by submitting evidence of infringement of his rights and legitimate interests that are or can be violated by the processing of personal data in a concrete case; if it is proved that the objection of the data subject is valid and the legitimate reasons do not prevent it, the controller shall be obliged to block the personal data, the processing of which was objected by the data subject without undue delay and destroy them as soon as possible,

  2. and refuse to submit to the controller’s decision, which would produce legal effects on him or significantly affect him, provided that such decision is based solely on the acts of the automatic processing of his personal data. The data subject shall be obliged to request the controller for examination of the issued decision by a method other than the automatic processing, while the controller shall be obliged to satisfy the request of the data subject in such manner that the entitled person shall have a decisive role in the examination of the decision; the controller shall inform the data subject about the manner of examination and the outcome of his finding in a time limit within 30 days from the day of their receipt. The data subject shall be deprived of the above right only if so stipulated by a special Act including measures for securing the legitimate rights of the data subject or if the above decision was made in the course of entering into, or performance of, a contract between the controller and the data subject, under condition that the request of the data subject contained in the contract was satisfied or that the data subject was granted the right, based on an agreement, to put his point of view anytime during the contract’s validity.

 

In mentioned cases it is also necessary to raise objections in a written application addressed directly to the controller. The most suitable way is through the registered letter in order of its provability in case of the proceeding.

 

3) Data subject right to disagree and refuse the transfer of the personal data

 

The data subject is entitled to disagree with the controller’s decision under Section 23 Paragraph 5 of the PDP Act and to refuse the transfer of his personal data to the third country, which does not ensure an adequate level of protection of personal data, if the transfer is to be made pursuant to Section 23 Paragraph 4 letter a) of the PDP Act4.

 

 

If the data subject does not enjoy full legal capacity, his rights may be exercised by his legal representative. If the data subject does not live, his rights arising from the PDP Act may be exercised by his close person (family).5

 

 

Filing systems operated by the Police

 

Special legal regulation of the data subject’s rights applies in relation to the filing systems operated by the Police and the Schengen Information System (hereinafter the “SIS”); both operated under the Act No. 171/1993 Coll. on Police Force as amended by latter provisions (hereinafter the “Act on Police Force”).

 

The controller of these filing systems is the Ministry of Interior of the Slovak Republic.

 

Data subject’s rights related to the filing systems operated by the Police are regulated in Section 69c of the Act on Police Force, in accordance which the controller is obliged to act when providing the data subject with the information on personal data, their rectification or destruction. According the mentioned Section, Paragraph 1, the data subject is legitimate to ask the controller:

  1. information, what personal data the Police Force is processing on his person,

  2. information, what personal data and to whom they were provided or made available,

  3. rectification of inaccurate personal data, completion of incomplete personal data, destruction of incorrect or useful personal data or blocking of his personal data,

  4. information dealing with the origin and purpose of their processing, if the personal data are processed under a Special Act.

 

Written application concerning the exercise of rights under this provision is the data subject supposed to address directly to the Ministry of Interior of the Slovak republic as the controller of the filing systems to:

 

 

Ministerstvo vnútra Slovenskej republiky

Pribinova 2

812 72 Bratislava

Slovak Republic

 

 

For SIS, the data subject’s rights are set in Articles 109, 110 and 111 of the Schengen Convention as well. In accordance with the national legislation, the data subject is also supposed to address the application directly to the controller:

 

 

Ministerstvo vnútra Slovenskej republiky

Prezídium Policajného zboru

Úrad medzinárodnej policajnej spolupráce

Národná ústredňa SIRENE

Pribinova 2

812 72 Bratislava

 

 

Related links: http://www.minv.sk/?Data-Subjects-Rights

http://www.mzv.sk/en/ministry/privacy_protection_policy

http://www.foreign.gov.sk/en/consular_info/visa

 

 

Due-time for handling the requests of data subject

 

Each controller (including the filing systems operated by the Police and SIS) is obliged to satisfy the requests of the data subject and notify them in a time limit within the 30 days of their receipt.

 

 

Supervision of personal data protection

 

If the data subject suspects that his personal data are processed unlawfully, or is not satisfied with the process of handling his request, he may notify the Office of it at the address:

 

 

Úrad na ochranu osobných údajov Slovenskej republiky

Odborárske námestie 3

817 60 Bratislava 15

Slovak Republic

 

 

The notification has to be submitted in a written form and must contain above all:

  1. the name, surname, address of the permanent residence and signature of the informant,

  2. identification of the person against whom the notification is filed; name or name and surname, registered office or permanent residence, or corporate form and identification number,

  3. the subject of notification stating which rights were violated by the processing of personal data according to the informant,

  4. evidence supporting the allegations stated in the notification,

  5. a copy of a document proving that the right under Section 20 of the PDP Act (or the Act on Police Force) was exercised, provided that such right could not have been exercised or the reasons worth special consideration.

 

The Office as a supervisory authority will investigate the submitted notification, and if it will not file the notification away because of the reasons set in the PDP Act, it will handle it within 60 days from its receipt. During the same time limit, the Office will inform the data subject of the outcome of the investigation, in which it shall state the data subjects’ rights that were or were not violated.

 

 

Questions and answers

 

Should you have any questions regarding protection of personal data, including data subject’s rights, please do not hesitate to contact us at the above mentioned address or electronically at statny.dozor@pdp.gov.sk.

 

 

 

 

 

 

1 Processing of personal data means any operation or set of operations which is performed upon personal data such as obtaining, collection, recording, organization, adaptation or alteration, retrieval, consultation, alignment, combination, transfer, use, storage, destruction, transmission, provision, making available or making public

2 Controller is every person, which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of the processing of personal data are regulated by a special Act, the controller shall be the authority determined thereby for fulfillment of the purpose of the processing or the authority, which fulfills the requirements stipulated by law. The same shall apply if so stipulated by the Directive of the European Communities and the European Union.

3 Section 7 Paragraph 4 letter a), e), f) or g) of the PDP Act:

Personal data may be processed without consent under Paragraph 1 only if:

a) the processing of personal data is necessary for the purpose of artistic or literary expression, for the purpose of informing the public by means of the mass media and if the personal data are processed by a controller for whom it results from the scope of his activities; this shall not apply if by the processing of personal data for such purpose the controller violates the data subject’s right to protection of his personal rights and privacy or if such processing of personal data without consent of the data subject is prohibited by a special Act or an international treaty binding for the Slovak Republic,

e) the processed personal data have already been made public; in such cases personal data must be duly denoted,

f) processing of personal data is necessary for fulfillment of an important task carried out in the public interest,

g) processing of personal data is necessary for protection of statutory rights and legitimate interests of the controller or the third party, provided that in such processing of personal data the controller and the third party respect the fundamental rights and freedoms of the data subject and by their conduct they do not violate his right to protection of his personal rights and privacy.

4 Section 23 Paragraph 4 letter a) of the PDP Act:

Where the country of final destination does not ensure an adequate level of protection, the transfer may be executed only under condition that the data subject gave a written consent to it, while knowing that the country of final destination does not ensure an adequate level of protection.

5 In this connection, the relevant provisions are stipulated by the Civil Code.



top | back |