Slovakia Data Privacy Laws: GDPR Implementation Guide (2026)

Slovakia takes a distinctly cautious approach to data protection enforcement, with fine amounts that are modest compared to many EU member states. However, the country's data protection law contains some of the strictest provisions in the EU regarding the use of personal identification numbers, reflecting a deep awareness of the risks that universal identifiers pose to individual privacy.
This guide covers Slovakia's complete data protection framework, from its early adoption of implementing legislation through its unique provisions on birth numbers and employee monitoring.
Legal Framework and GDPR Implementation
Slovakia's data protection system operates under the GDPR as supplemented by Act No. 18/2018 Coll. on Protection of Personal Data. This legislation was adopted by the Slovak Parliament on 29 November 2017, well ahead of the GDPR's application date, and entered into force on 25 May 2018.

Slovakia was among the most prepared EU member states for GDPR implementation, having its national legislation finalized months before the regulation became applicable. Act 18/2018 addresses the areas where the GDPR permits or requires member state action, including the structure and powers of the supervisory authority, rules for birth number processing, provisions on employee monitoring, and exemptions for journalistic and academic processing.
The Act also transposes the Law Enforcement Directive (Directive (EU) 2016/680) for data processing in criminal justice contexts.
Exceptions and Derogations
Slovakia made several notable derogation choices under the GDPR's opening clauses. These include specific provisions on the processing of birth numbers, rules limiting employer monitoring capabilities, and provisions on processing for archiving, scientific research, and statistical purposes.
The UOOU: Slovakia's Data Protection Authority
The Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov, or UOOU) is Slovakia's independent supervisory authority. Based in Bratislava, the UOOU is a state administration body with nationwide competence that operates independently in exercising its powers.
The UOOU has approximately 40 employees and operates on a budget of around EUR 2.9 million. These resource constraints are among the most significant in the EU, and they inevitably affect the authority's capacity to investigate complaints, conduct audits, and pursue enforcement actions.
Powers and Functions
Despite its limited resources, the UOOU holds the full range of GDPR supervisory and enforcement powers. It can initiate and conduct administrative proceedings, carry out inspections, issue compliance orders, impose temporary or permanent processing bans, and levy administrative fines.
The UOOU also maintains advisory functions, providing guidance on data protection compliance and issuing opinions on proposed legislation. It publishes control plans outlining its enforcement priorities for each year.
2025 Enforcement Priorities
The UOOU announced its control plan for 2025, with the first part focusing on data processing in Schengen and European information systems and agencies. This focus reflects Slovakia's position as a Schengen border state and the data protection implications of immigration and border control databases.
Fines and Penalties
Slovakia follows the GDPR's standard two-tier penalty framework. Fines of up to EUR 10 million or 2% of worldwide annual turnover apply to certain violations, while more serious infringements can attract fines of up to EUR 20 million or 4% of worldwide annual turnover.
In practice, the UOOU's enforcement record shows relatively modest fine amounts compared to many other EU member states. The authority considers various factors in determining penalties, including the category of personal data involved, the gravity of the breach, the number of affected data subjects, and the controller's history of previous breaches.
Notable Enforcement Actions
Social Insurance Company (EUR 50,000, 2019): The UOOU's largest known fine was imposed on the Social Insurance Company for violating Article 32 of the GDPR (security of processing). A postal parcel containing personal data of an applicant for a disability pension was lost in the course of correspondence with foreign social security authorities. The case highlighted the importance of secure data handling in physical communications, not only in electronic ones.
Municipality Email Monitoring: The UOOU investigated a case where a municipality monitored a former employee's email account, claiming the employee had failed to properly hand over her work agenda. Although the municipality presented reasonable justifications, it failed to demonstrate a formal legal basis and had not fulfilled its GDPR obligations. The UOOU ruled that the employee's rights had been violated.
Birth Number (Rodné číslo) Protections
Slovakia's most distinctive data protection provision concerns the birth number (rodné číslo), a unique personal identifier used across government, banking, and other systems.
Under Slovak law, making a birth number public is explicitly prohibited. The only exception is when a data subject voluntarily makes their own birth number public. This prohibition is absolute and applies to all controllers and processors.
Furthermore, using the birth number as an identifier is only permissible when the purpose of the data processing cannot be achieved without it. This strict necessity test means that organizations cannot routinely collect and use birth numbers simply for convenience. They must demonstrate that no alternative identification method would serve the same purpose.
These provisions reflect Slovakia's recognition that the birth number's widespread use creates significant identity theft and fraud risks, and that limiting its unnecessary exposure is essential for protecting individual privacy.
Employee Monitoring
Slovakia's Labour Code contains specific provisions limiting workplace monitoring. These rules restrict employers' ability to surveil employees and establish conditions that must be met before any monitoring can take place.
An employer may monitor employees only when serious reasons relating to the specific character of the employer's activities justify the monitoring. This standard requires employers to articulate concrete, activity-specific justifications rather than relying on general security or productivity concerns.
Additionally, employees must be notified in advance about any monitoring. The notification must cover what is being monitored, how monitoring is conducted, and the extent of the monitoring.
The UOOU has published a list of data processing activities that require a data protection impact assessment, and employee monitoring is included on this list. This means that employers planning to implement monitoring systems must conduct a thorough assessment before deployment.
Former Employee Email Accounts
The municipality email case established important precedent regarding the handling of former employees' email accounts. Even when an employer has legitimate reasons to access a departing employee's email (such as ensuring business continuity), the employer must have a documented legal basis, follow proper procedures, and comply with GDPR transparency requirements. Informal justifications, even reasonable ones, are insufficient.
Data Protection Officers
Slovakia follows the GDPR's standard DPO appointment requirements. Public authorities, organizations conducting large-scale systematic monitoring, and organizations processing special category data on a large scale must designate a DPO.
The UOOU maintains a DPO registry and has published guidance on DPO qualifications, responsibilities, and the resources that organizations must provide to support the DPO role.
Age of Digital Consent
Slovakia set the age of digital consent at 16 years old, maintaining the GDPR's default threshold. Children under 16 require parental authorization to consent to information society services.
Data Breach Notification
Standard GDPR breach notification requirements apply in Slovakia. Controllers must notify the UOOU within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms. The Social Insurance Company case demonstrated that physical data losses, not just digital breaches, trigger these obligations.
International Data Transfers
Slovakia follows the standard GDPR framework for international data transfers. Transfers outside the EEA require an adequacy decision, appropriate safeguards, or applicable derogations.
Practical Compliance Tips
Organizations in Slovakia should review their use of birth numbers carefully. Eliminate any unnecessary collection or processing of birth numbers, and ensure that where birth numbers are used, there is no alternative identification method that would serve the same purpose. Never publish or make birth numbers accessible to the public.
Employers should document the serious reasons justifying any employee monitoring and ensure that advance notification has been provided. Conduct data protection impact assessments for all monitoring activities, as required by the UOOU's guidance.
When employees depart, establish clear procedures for handling their email accounts and other workplace data that comply with GDPR requirements. The municipality case shows that informal approaches, even well-intentioned ones, create enforcement risk.
Despite the relatively modest fine history, the UOOU's enforcement powers include processing bans and compliance orders that can have significant operational impact beyond financial penalties.
Disclaimer: This article provides general information about Slovakia's data privacy laws and is not legal advice. Data protection laws change frequently. Consult a qualified attorney licensed in Slovakia for guidance on your specific situation.