UOOU (Slovakia)
Úrad na ochranu osobných údajov | |
---|---|
Name: | Úrad na ochranu osobných údajov |
Abbreviation : | UOOU |
Jurisdiction: | Slovakia |
Head: | Soňa Pőtheová |
Deputy: | n/a |
Adress: | Hraničná 12
820 07 Bratislava 27 SLOVAKIA |
Webpage: | dataprotection.gov.sk |
Email: | statny.dozor@pdp.gov.sk |
Phone: | + 421 2 32 31 32 14 |
Twitter: | n/a |
Procedural Law: | Slovak Administrative Procedural Act (SK) |
Decision Database: | n/a |
Translated Decisions: | Category:UOOU (Slovakia) |
Head Count: | 46 |
Budget: | 1.561.419,00 Euros (2019) |
The Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov) is the national Data Protection Authority for Slovakia. It resides in Bratislava and is in charge of enforcing GDPR and national data protection act in Slovakia.
- Structure
All decisions of the Slovak DPA are taken on behalf of the institution – the Office. Cases are usually assigned to an employee whose name is referenced in all documents. The individual employee decides on behalf of the Slovak DPA.
The head of the Slovak DPA is the President of the Office for Personal Data Protection of the Slovak Republic. The tenure of the President is 5 years and the President is nominated by the Slovak Government with vote held in the Parliament. The majority of the Parliament has to approve the Government's candidate for the position of the President.
The Structure of the Slovak DPA:
- President
- President´s office
- Vice-President
- DPO
- Department of Inspection
- Department of Administrative Proceedings
- Department of Legal Services
- Department of Information Security and Certification
- Department of Internal Administration comprising of:
o Human Resources
o Section of Economics
Procedural Information
Applicable Procedural Law
The Slovak DPA operates under the Slovak Administrative Procedural Act (Zákon č. 71/1967 Zb. o správnom konaní – Správny poriadok) unless the GDPR or the Slovak Data Protection Act (Zákon č. 18/2018 o ochrane osobných údajov) has more specific rules.
While the Slovak Administrative Procedural Act applies as lex generalis, it sometimes also regulates certain procedural elements as a lex specialis. This is for example the case for detailed competences of the Slovak DPA during the inspection or administrative proceedings. The Slovak DPA also provides for specific rules for administrative procedure in the data protection area (eg the content of the claim or special limitation periods) and for approving codes of conducts, certifications or monitoring subjects.
On the other hand, the Slovak Administrative Procedural Act enshrines basic principles for processing, resolution of conflict of interests during the administrative procedures, representation and basic rules on every phase of administrative procedure including rights and obligations of the parties.
Complaints Procedure under Art 77 GDPR
Section 100 of the Slovak Data Protection Act implements Article 77 GDPR. The complaint shall include (Section 100 (3)):
- The name, surname, correspondence address and signature of the complainant,
- identification of the entity against which the complaint is addressed, with name, surname, permanent residency or organisation name, headquarter and identification number if such number was assigned,
- the subject of the complaint, identifying the rights that might have been infringed by the processing of personal data,
- evidence supporting the arguments laid down by the complainant,
- a copy of a document or other type of evidence demonstrating the exercise of a right under the Slovak Data Protection Act or special regulations, if such right has been exercised by the data subject, or justification of special consideration if such right has not been exercised by the data subject, if the complaint was lodged by a data subject.
The Slovak DPA has published a complaint template in Slovak and English:
The Slovak DPA shall postpone the complaint if:
a) the complaint is manifestly unfounded
b) the subject of the complaint is reviewed by a court or law enforcement authority
c) the complainant has not provided necessary cooperation upon the Office’s request, while without his or her active participation the complaint cannot be resolved;
d) more than three years have passed from the event that is subject of the complaint as of the day when the complaint was delivered.
Ex Officio Procedures under Art 57 GDPR
The Slovak DPA may run ex officio procedures out of its own motion. Cases have been so far triggered mainly by media reports.
Appeals
A decision may be appealed by filing a special type of appeal (rozklad). The appeal is decided by the President of the Slovak DPA.
Practical Information
The official website of the Slovak DPA contains information in English including templates: https://dataprotection.gov.sk/uoou/en
Statistics
The Slovak DPA issued a Report on the status of personal data in Slovakia from 25 May 2018 to 24 May 2019 (‘The Report’) in September 2019. The Report is issued annually and is subject to a debate in the National Council. The latest Report contains information emphasizing the issues concerning GDPR in the practice of Slovak DPA.
Slovak DPA provided an electronic form for controllers to report personal data breaches on its website. The form has been used 95 times during the specified period. A similar form was provided to notify the authority about the designated data protection officer. The form has been used 8431 times. In the area of prior consultations, the Slovak DPA has received 5 requests for prior consultation. Two requests have been denied.
The Slovak DPA has conducted 51 inspections during the determined time frame. 6 inspections were in line with the plan of the inspections, 26 inspections were based on the suspicions of the breach of processing personal data and 19 inspections were carried out within the administrative procedure.
When it comes to administrative procedures, the Slovak DPA conducted 126 administrative procedures. In terms of sanctions, the Slovak DPA has issued penalties in an amount of 132 600 €. The highest penalty imposed on the controller was an amount of 50 000 € for breaching obligations related to the security of personal data.