Slovakia Data Privacy Laws: GDPR Implementation Guide (2026)

Slovakia enforces data privacy through the EU GDPR supplemented by Act No. 18/2018 Coll. on Protection of Personal Data, anchored in constitutional guarantees under Articles 19 and 22 of the Slovak Constitution. The Office for Personal Data Protection (UOOU) supervises compliance and may impose fines up to EUR 20 million or 4% of worldwide turnover.
Information last verified on 2026-05-19. This article has not yet been reviewed by a licensed lawyer.
Jurisdiction scope: This article covers data privacy law in Slovakia under GDPR (Regulation (EU) 2016/679) and Act No. 18/2018 Coll. on Protection of Personal Data. It addresses the UOOU as supervisory authority, constitutional foundations, Slovak-specific derogations, the EU AI Act overlay, and cybersecurity obligations under Act No. 69/2018 Coll. For EU-wide GDPR fundamentals, see EU Data Privacy Laws. For recording consent rules in Slovakia, see Slovakia Recording Laws.
Quick Answer: How Does Slovakia Protect Personal Data?
Slovakia's data privacy regime operates at two levels. At the EU level, the GDPR applies directly as a binding regulation requiring no domestic transposition for its core rules. At the national level, Act No. 18/2018 Coll. exercises the member-state discretion the GDPR reserves in approximately 50 areas, covering the UOOU's structure and powers, birth number (rodne cislo) protections, employee monitoring restrictions, the age of digital consent, and the transposition of the Law Enforcement Directive (EU 2016/680) for criminal justice data processing. Both layers operate simultaneously, with Act 18/2018 filling the spaces the GDPR leaves to national legislatures and adding distinctly Slovak protections that go beyond the GDPR's baseline.
The regime applies to any controller or processor established in Slovakia and to any controller, wherever established, that targets Slovak data subjects with goods or services or monitors their behaviour.

Constitutional Basis for Data Privacy
Slovakia's data protection framework rests on express constitutional guarantees, giving it a status that ordinary legislation cannot override.
Article 19 of the Constitution of the Slovak Republic guarantees every person: (1) the right to preservation of human dignity, personal honour, and good reputation; (2) the right to protection against unwarranted interference in private and family life; and (3) the right to protection against unwarranted collection, publication, or other illicit use of personal data. This third limb directly underpins the statutory scheme in Act No. 18/2018 and the GDPR's application in Slovakia.
Article 22 guarantees the privacy of correspondence, secrecy of mailed messages and other written documents, and protection of personal data. Together, Articles 19 and 22 place privacy and data protection alongside freedom of expression and assembly as fundamental rights that the state must both respect and actively protect.
These provisions are reinforced at the European level by Article 8 of the EU Charter of Fundamental Rights, which guarantees the right to protection of personal data as a distinct right separate from privacy under Article 7. The CJEU treats Article 8 as directly constraining EU secondary legislation and the acts of member states implementing EU law.
Slovakia's Constitutional Court has applied the proportionality principle derived from these constitutional guarantees to strike down disproportionate data disclosure obligations. In a significant ruling, the Court invalidated a government amendment requiring non-governmental organisations to publicly disclose the names of donors contributing more than EUR 5,000 annually. The Court held that "the blanket and broad obligation to disclose all donor data was disproportionate" and that even legitimate transparency interests cannot override privacy protections without careful necessity and proportionality analysis.

Legal Framework: GDPR and Act No. 18/2018
Slovakia's data protection system operates under the GDPR as supplemented by Act No. 18/2018 Coll. on Protection of Personal Data. The Act was adopted by the Slovak Parliament on 29 November 2017, among the earliest national implementing acts in the EU, and entered into force on 25 May 2018.
Act No. 18/2018 addresses the areas where the GDPR permits or requires member state action. These include:
- The structure, powers, and independence of the UOOU as supervisory authority
- Rules for birth number (rodne cislo) processing under s. 78(4)
- Employee monitoring restrictions, supplementing the Slovak Labour Code (Act No. 311/2001 Coll.)
- Exemptions for journalistic, academic, artistic, and literary processing
- Disclosure rules for deceased persons' data
- Age of digital consent fixed at 16 years
- Competent authority processing for law enforcement under Part III
The Act also transposes the Law Enforcement Directive (EU 2016/680) through its Part III provisions for criminal justice data processing (defined entities in s. 3(3)), creating a separate compliance track for police, prosecutors, and courts.
Criminal parallel track. Act No. 300/2005 Coll. (the Slovak Criminal Code) treats unauthorised personal data handling as a criminal offence carrying up to two years imprisonment. This criminal track operates alongside GDPR administrative fines, meaning serious breaches can face both regulatory sanctions and criminal prosecution.

Legal Bases for Processing Personal Data
Processing personal data in Slovakia requires a lawful basis under s. 13 of Act No. 18/2018, which mirrors GDPR Article 6. The six recognised bases are:
- Consent -- freely given, specific, informed, and unequivocal. Consent cannot be bundled with service access, and withdrawal must be unconditional and as easy as granting it. For children under 16 using information society services, parental or guardian authorisation is required.
- Contract -- processing necessary for the performance of a contract with the data subject, or pre-contractual steps at their request.
- Legal obligation -- processing necessary to comply with a legal obligation imposed on the controller.
- Vital interests -- processing necessary to protect the life or physical integrity of the data subject or another person.
- Public task -- processing necessary for a task in the public interest or in the exercise of official authority.
- Legitimate interests -- processing necessary for the legitimate interests of the controller or a third party, except where overridden by the data subject's fundamental rights and freedoms.
Special category data (health, genetic, biometric, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation) requires both an Article 6 basis and an Article 9 exception simultaneously.
Slovak derogations. Act No. 18/2018 permits processing without consent for academic, artistic, or literary expression and for mass-media public-interest reporting, subject to the data subject's right to protection of their privacy. Employers may disclose limited work-related employee data (job title, name, work contact details, department) without consent where necessary for employment duties, provided this does not compromise the employee's dignity or security.
Data Subject Rights Under Slovak Law
Data subject rights under Act No. 18/2018 follow the GDPR catalogue. Controllers must respond to requests within one month, extendable by a further two months for complex or numerous requests. Responses should use the same communication channel as the request where possible.
The core rights are:
- Right of access (Art. 15 GDPR) -- the right to confirm whether personal data is processed and to obtain a copy.
- Right to rectification (Art. 16) -- correction of inaccurate data and completion of incomplete data.
- Right to erasure (Art. 17) -- the "right to be forgotten" where processing lacks a continuing legal basis.
- Right to restriction (Art. 18) -- temporary suspension of processing pending verification or objection resolution.
- Right to data portability (Art. 20) -- receipt of personal data in structured, machine-readable format where processing is consent- or contract-based.
- Right to object (Art. 21) -- objection to processing based on legitimate interests or public task, and unconditional objection to direct marketing.
- Rights regarding automated decision-making (Art. 22) -- the right not to be subject to decisions based solely on automated processing that produce significant effects, unless the data subject has consented, it is necessary for a contract, or authorised by law with appropriate safeguards.
No Slovak-specific derogations from these rights were enacted in Act No. 18/2018. The UOOU FAQ confirms standard GDPR timelines and procedures apply.
The UOOU: Slovakia's Data Protection Authority
The Office for Personal Data Protection of the Slovak Republic (Urad na ochranu osobnych udajov, UOOU) is Slovakia's independent supervisory authority. It operates as a state budgetary organisation headquartered in Bratislava, with nationwide competence and independence in exercising its supervisory powers under Act No. 18/2018 and the GDPR.
The UOOU is led by a president elected by the National Council of the Slovak Republic for a five-year term. A vice-president is elected by the Government on the president's proposal. The office has approximately 40 employees and operates on a budget of around EUR 2.9 million, resource constraints that are among the most significant in the EU and that inevitably affect the authority's capacity to investigate complaints, conduct audits, and pursue enforcement actions.
Powers and Functions
Despite its limited resources, the UOOU holds the full range of GDPR supervisory and enforcement powers. It can initiate and conduct administrative proceedings, carry out inspections, issue compliance orders, impose temporary or permanent processing bans, and levy administrative fines. The office also maintains advisory functions: issuing opinions on proposed legislation, providing compliance guidance, and publishing annual control plans outlining enforcement priorities.
The UOOU maintains a DPO registry to which controllers must notify the details of their designated DPOs. It has also published a mandatory DPIA list identifying categories of processing that require a data protection impact assessment before deployment, including employee monitoring and large-scale processing of special category data.
Enforcement Transparency: A Known Weakness
The UOOU's enforcement decisions are delivered only to the parties involved and are not published publicly. Annual reports describe cases in general terms without identifying the organisations involved or disclosing specific fine amounts. Slovakia, Germany, and Austria rank at the bottom of EU member states in GDPR fine disclosure transparency.
This opacity makes it difficult for organisations to learn from enforcement actions. The practical effect is that the deterrent function of GDPR fines is weakened: potential violators cannot readily calculate the risk of a fine for a particular type of breach.
Fines, Penalties, and Enforcement Record
Slovakia follows the GDPR's standard two-tier penalty structure. Fines of up to EUR 10 million or 2% of worldwide annual turnover apply to violations of technical and organisational obligations, controller and processor obligations, and DPO and certification requirements. Fines of up to EUR 20 million or 4% of worldwide annual turnover apply to violations of the core principles of processing, legal bases, data subject rights, and cross-border transfer rules.
In practice, the UOOU's enforcement record shows consistently modest fine amounts compared to most EU member states.
Aggregate Enforcement Statistics
In 2022, the UOOU initiated 231 proceedings. Of these, 52 resulted in financial penalties totalling EUR 106,448.78 (average fine: approximately EUR 1,166). Eleven cases were referred for criminal prosecution under Act No. 300/2005 Coll. for unauthorised personal data handling.
In 2024, 38 fine decisions became final and non-appealable, totalling approximately EUR 84,000 (average fine: EUR 2,226). The UOOU had not published its full 2024 annual report as of early 2026.
Notable Enforcement Actions
Social Insurance Company (EUR 50,000, 2019). The UOOU's largest publicly known single fine was imposed on the Social Insurance Company for violating GDPR Article 32 (security of processing). A postal parcel containing the personal data of a disability pension applicant was lost during communication with foreign social security authorities. The case established that physical data handling failures, not just digital breaches, trigger GDPR security obligations. The company challenged the decision in court; no outcome is publicly known.
Municipality Email Monitoring. The UOOU investigated a case in which a municipality monitored a former employee's email account after claiming the employee failed to hand over her work agenda. The municipality presented reasonable justifications but lacked a documented legal basis and had not fulfilled GDPR transparency obligations. The UOOU ruled that the employee's rights had been violated. The case established that informal justifications, even well-intentioned ones, are insufficient under GDPR.
2025 Control Plan
The UOOU's control plan for 2025 has two parts. Part 1 focuses on data processing in Schengen and European information systems and agencies, reflecting Slovakia's position as a Schengen border state and the privacy implications of immigration and border control databases. Part 2 investigates data processing involving customers of public pharmacies, participants in driving-school courses, and visitors of restaurants, cafes, and other facilities under CCTV surveillance.
Birth Number (Rodne Cislo) Protections
Slovakia's most distinctive data protection provision concerns the birth number (rodne cislo), a unique personal identifier encoding birth date and sex that has been used across government, banking, healthcare, and other systems since 1946.
Under s. 78(4) of Act No. 18/2018, making a birth number public is explicitly prohibited. The only exception is when the data subject voluntarily makes their own birth number public. This prohibition is absolute and applies to all controllers and processors without exception.
Using the birth number as an identifier is permissible only when the purpose of the data processing cannot be achieved without it. This strict necessity test requires organisations to demonstrate that no alternative identification method would serve the same purpose before collecting or using birth numbers. The UOOU's FAQ confirms the birth number was removed from the "special category" list in Act No. 18/2018 but retains specific protection under s. 78(4) as a national identifier.
The BIFO Transition
Slovakia is phasing out the rodne cislo system. From April 2020, newly issued Slovak identity cards display the replacement BIFO code: a ten-digit randomly assigned identifier with no meaning encoded in its digits. The current system and the BIFO will operate in parallel from 2020 to 2030, at which point citizens will transition exclusively to BIFO. The Interior Ministry justified the change on EU recommendations, noting that encoding birth date and sex in a universal identifier does not constitute adequate privacy protection by modern standards.
Organisations that have built systems relying on birth number-based identification should plan migration to BIFO or other alternatives well before the 2030 deadline.
Employee Monitoring
The Slovak Labour Code (Act No. 311/2001 Coll.) restricts employers' ability to monitor employees. An employer may monitor employees only when serious reasons relating to the specific character of the employer's activities justify the monitoring. This standard requires concrete, activity-specific justifications, not general security or productivity concerns.
Employees must be notified in advance of any monitoring. The notification must cover what is being monitored, how monitoring is conducted, and its extent.
The UOOU has included employee monitoring on its mandatory DPIA list. Employers planning to deploy monitoring systems must complete a data protection impact assessment before implementation, identifying and mitigating risks to employees' rights and freedoms.
Former Employee Email Accounts
The municipality email case established that even where an employer has a legitimate reason to access a departing employee's email (such as ensuring business continuity), the employer must have a documented legal basis, follow proper procedures, and satisfy GDPR transparency requirements. Informal justifications, however reasonable, are insufficient. Organisations should adopt written policies governing post-departure email access and notify employees of these policies during onboarding.
Data Protection Officers
Slovakia follows the standard GDPR DPO appointment thresholds. DPO appointment is mandatory for:
- Public authorities and bodies (except courts in their judicial capacity)
- Organisations whose main activities involve large-scale systematic monitoring of individuals
- Organisations processing special category data or criminal conviction data on a large scale
Act No. 18/2018 contains no Slovak-specific derogations from these thresholds. DPOs may be internal employees or external contractors. Controllers must provide DPOs with the resources necessary to perform their tasks, maintain their expert knowledge, and operate independently. The UOOU maintains a DPO registry and requires controllers to notify the DPO's contact details; these must also be published to the public.
Age of Digital Consent
Slovakia set the age of digital consent at 16 years, retaining the GDPR's default threshold rather than exercising the member state option to lower it to 13. Children under 16 require parental or guardian authorisation before a controller may process their personal data in connection with information society services offered directly to them.
Data Breach Notification
Standard GDPR breach notification requirements apply. Controllers must notify the UOOU without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach likely to result in a risk to the rights and freedoms of natural persons. If notification cannot be made within 72 hours, it must be accompanied by reasons for the delay.
Where a breach is likely to result in a high risk to individuals' rights and freedoms, the controller must also notify the affected data subjects directly without undue delay. Processors must notify the controller without undue delay after becoming aware of a breach, enabling the controller to meet its own 72-hour deadline.
The Social Insurance Company case confirmed that physical data handling failures (a lost postal parcel) trigger the same GDPR breach notification obligations as digital incidents.
Cross-Border Data Transfers
Transfers of personal data from Slovakia to countries outside the European Economic Area require one of the following mechanisms under GDPR Chapter V:
- An adequacy decision by the European Commission (covering the UK, Japan, Canada (commercial sector), Israel, and others)
- Standard Contractual Clauses (SCCs) adopted by the Commission (most common for commercial transfers)
- Binding Corporate Rules (BCRs) approved by the lead supervisory authority
- Derogations for specific situations (explicit consent, contract performance, important public interest, legal claims)
The FATCA Transfer Finding
In August 2021, the UOOU issued a significant finding: Slovakia-US transfers under the FATCA (Foreign Account Tax Compliance Act) bilateral agreement violated GDPR Chapter V requirements. The UOOU concluded that the agreement "does not contain even the minimum safeguards for the transfer of personal data to third countries" and that "the mere declaration in the law is not sufficient to make the transfer valid."
Despite this finding, the UOOU took no enforcement action over the following years. In December 2025, the CJEU registered related case C-804/25, which may determine the durability of pre-GDPR bilateral transfer instruments and the burden-of-proof standards for Chapter V compliance. In February 2026, the Association des Americains Accidentels formally demanded the UOOU suspend the transfers pending the CJEU's judgment.
The FATCA case illustrates that even transfers compelled by domestic statute can violate GDPR transfer requirements, and that the UOOU's passivity in the face of its own findings creates ongoing compliance uncertainty.
EU AI Act Overlay
The EU AI Act (Regulation (EU) 2024/1689), which began phased application in 2025, interacts directly with Slovakia's data protection regime for AI systems that process personal data.
UOOU's Role in AI Oversight
Slovakia did not create a standalone AI regulator. Instead, oversight is distributed across existing authorities. The UOOU handles AI applications involving personal data processing, continuing to apply GDPR requirements for automated decision-making (Art. 22), profiling, and DPIAs for high-risk AI systems. The Ministry of Investments, Regional Development and Informatization (MIRRI SR) serves as the Single Contact Point and general market surveillance authority for the AI Act. Slovak Trade Inspection leads market surveillance for consumer products and services.
National Adaptation
Slovakia enacted Act No. 318/2025 Z.z., amending the Act on Conformity Assessment of Products, effective 1 January 2026, as its primary domestic legislative adaptation to the AI Act. The National Security Authority (NSA) became the market surveillance authority for "products with digital elements" under the Cyber Resilience Act effective 1 January 2026.
Key Compliance Obligations for AI Systems
Organisations deploying AI systems in Slovakia that process personal data should consider the following:
- High-risk AI systems (as defined in AI Act Annex III) used in Slovakia require conformity assessments and registration in the EU database for high-risk AI systems before deployment.
- Automated decision-making systems that produce significant effects on individuals require compliance with both GDPR Art. 22 (right not to be subject to solely automated decisions) and the AI Act's transparency and explainability requirements.
- DPIAs under GDPR Art. 35 are required for systematic automated processing likely to produce high risk, including AI-based profiling. These overlap with the AI Act's fundamental rights impact assessments for public-sector high-risk AI.
- The UOOU's enforcement of GDPR automated-decision provisions will become increasingly relevant as AI adoption grows. Organisations should document their AI systems' logic, training data sources, and decision processes to satisfy both GDPR Art. 13/14 transparency obligations and AI Act transparency requirements.
Cybersecurity: NIS 2 and Act No. 69/2018
Slovakia transposed the NIS 2 Directive (EU 2022/2555) through Act No. 366/2024 Coll., amending the Cybersecurity Act (Act No. 69/2018 Coll.). The amendment passed the National Council of the Slovak Republic on 28 November 2024, was published on 19 December 2024, and entered into force on 1 January 2025.
The reform brought over 10,000 Slovak organisations into the cybersecurity compliance framework by expanding regulated entity categories into essential and important entities across critical sectors (energy, transport, banking, health, digital infrastructure, and others). Key obligations include security risk management measures, incident reporting, supply chain security assessments, and cybersecurity audits. Essential entities must undergo their first cybersecurity audit within two years of registration; important entities undergo periodic self-assessment with external audit at least once every five years.
The National Security Authority (NSA) enforces NIS 2 obligations in Slovakia. The interaction with GDPR is significant: NIS 2 incidents that also involve personal data breaches require parallel notification to both the NSA (within 24 hours for early warning, 72 hours for full incident report) and the UOOU (within 72 hours under GDPR Art. 33).
Recent Developments: 2024-2026
2025 Control Plan (Both Parts)
The UOOU's 2025 control plan covers data processing in Schengen and European information systems (Part 1) and investigations into pharmacy customer data, driving school records, and CCTV surveillance in hospitality venues (Part 2). This second part signals expanded scrutiny of routine commercial data processing in consumer-facing sectors.
FATCA Transfers and CJEU C-804/25
The CJEU registered case C-804/25 in December 2025 following years of inaction by the UOOU on its own 2021 finding that FATCA transfers violated GDPR Chapter V. The case may clarify whether pre-GDPR bilateral transfer instruments can survive scrutiny under the current adequacy framework.
AI Act Full Application (2025-2026)
The EU AI Act's prohibitions on unacceptable-risk AI practices took effect in February 2025. High-risk AI system requirements began applying in August 2025. Slovakia's Act No. 318/2025 Z.z. operationalised the conformity assessment framework effective January 2026.
NIS 2 Compliance Deadlines
Entities were required to register with the Slovak NSA within 60 days of 1 January 2025 (deadline: 1 March 2025). Full NIS 2 compliance obligations, including technical security measures and governance requirements, must be met by 31 December 2026.
Constitutional Court Donor Disclosure Ruling
The Constitutional Court struck down a legislative amendment that would have required NGOs to publicly disclose the identity of donors contributing more than EUR 5,000 annually. The ruling reinforced that the proportionality principle applies to data disclosure obligations even when justified by transparency interests.
BIFO Transition Progress
The BIFO code has appeared on newly issued Slovak ID cards since April 2020. The parallel operation period runs until 2030, when the rodne cislo will be retired.
Business Compliance Checklist
Organisations operating in Slovakia should address these practical compliance priorities:
Birth number review. Audit all systems that collect, store, or transmit birth numbers (rodne cislo). Eliminate unnecessary collection. Where birth numbers are used as identifiers, document why no alternative method achieves the same purpose. Never make birth numbers publicly accessible. Begin planning migration to BIFO identifiers before the 2030 deadline.
Employee monitoring. Document the serious, activity-specific reasons justifying any workplace monitoring. Prepare advance notification for employees covering what is monitored, how, and to what extent. Conduct a DPIA for every monitoring activity before deployment. Establish a written policy on departing-employee email access.
AI system inventory. Identify all AI systems deployed in Slovakia that process personal data. Assess which qualify as high-risk under AI Act Annex III. For high-risk systems, prepare conformity assessments and register in the EU high-risk AI database. Update DPIAs to address AI-specific risks.
NIS 2 registration. Organisations in regulated sectors should have registered with the NSA by 1 March 2025 if they met the essential or important entity thresholds. Full technical compliance is required by 31 December 2026.
Cross-border transfer review. Map all personal data flows to non-EEA countries. Verify that adequate transfer mechanisms (SCCs, adequacy decisions, BCRs) are in place. The FATCA CJEU case suggests that statutory authorisation alone is insufficient under GDPR Chapter V.
Electronic marketing consent. Under Act No. 452/2021 Coll. (Electronic Communications), direct marketing via email, SMS, or automated calling requires prior demonstrable consent. Conditioning service access on marketing consent violates s. 109. Consent withdrawal must be acknowledged within 30 days.
Disclaimer: This article provides general legal information about Slovakia's data privacy laws as of 2026. It is not legal advice. Data protection laws change frequently. Consult a qualified attorney licensed in Slovakia for guidance specific to your situation. Jurisdictions covered: Slovakia (EU GDPR + Act No. 18/2018 Coll., as amended). Information verified: 2026-05-19.
Frequently Asked Questions
What is Slovakia's main data protection law?
Slovakia's primary data protection legislation is Act No. 18/2018 Coll. on Protection of Personal Data, adopted 29 November 2017 and in force since 25 May 2018. It supplements the directly applicable EU GDPR by addressing the approximately 50 areas where member states may enact national rules, including birth number protections (s. 78(4)), employee monitoring provisions, and the UOOU's structure. The GDPR and Act 18/2018 operate together; the GDPR governs core rules while the Act fills nationally determined spaces.
What constitutional rights protect data privacy in Slovakia?
Articles 19 and 22 of the Constitution of the Slovak Republic expressly protect data privacy. Article 19 guarantees protection against unwarranted collection, publication, or illicit use of personal data, alongside rights to dignity and private life. Article 22 guarantees privacy of correspondence and protection of personal data. The Slovak Constitutional Court has applied the proportionality principle from these provisions to strike down disproportionate disclosure obligations, including a law requiring NGOs to publicly identify donors. At the EU level, Article 8 of the EU Charter of Fundamental Rights provides an additional layer of protection.
Can organisations in Slovakia use birth numbers (rodne cislo) freely?
No. Section 78(4) of Act No. 18/2018 prohibits making a birth number public; the only exception is when the data subject voluntarily discloses their own. Using the birth number as an identifier is permissible only when no alternative method can achieve the same processing purpose, meaning routine collection for convenience is not permitted. Slovakia is phasing out the birth number in favour of the BIFO code, a ten-digit randomly assigned identifier with no personal information encoded. From 2030, the BIFO replaces the rodne cislo entirely.
What rules govern employee monitoring in Slovakia?
The Slovak Labour Code (Act No. 311/2001 Coll.) permits employee monitoring only where serious reasons relating to the specific character of the employer's activities justify it. Employees must be notified in advance of what is monitored, how, and to what extent. The UOOU requires a data protection impact assessment for any monitoring activity before deployment. The UOOU's municipality email case established that even well-intentioned informal access to a former employee's communications violates GDPR without a documented legal basis and proper transparency procedures.
How large are GDPR fines in Slovakia?
The GDPR's maximum fines of EUR 20 million or 4% of worldwide annual turnover apply in Slovakia, but actual enforcement is modest by EU standards. In 2022, 52 decisions imposing fines totalled EUR 106,448 (average EUR 1,166). In 2024, 38 final fine decisions totalled approximately EUR 84,000 (average EUR 2,226). The largest publicly known single fine is EUR 50,000 (Social Insurance Company, 2019). The UOOU does not publish individual decisions, making Slovakia one of the least transparent EU supervisory authorities for GDPR enforcement.
What are the UOOU's enforcement priorities for 2025?
The UOOU's 2025 control plan has two parts. Part 1 examines data processing in Schengen and European information systems and agencies, relevant to organisations handling border control, immigration, and law enforcement database access. Part 2 investigates processing involving public pharmacy customers, driving school participants, and visitors of restaurants and cafes under CCTV surveillance. Part 2 signals attention to routine commercial data processing in consumer-facing sectors, not only large-scale systemic breaches.
How does Slovakia handle cross-border data transfers?
Cross-border transfers outside the EEA require a GDPR Chapter V mechanism: an adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or an applicable derogation. In 2021, the UOOU found that Slovakia-US FATCA transfers violated Chapter V because the bilateral agreement lacked minimum safeguards. The UOOU took no enforcement action, but the related CJEU case C-804/25 (registered December 2025) may determine the durability of pre-GDPR bilateral transfer instruments. The UOOU's finding also confirms that statutory authorisation alone does not satisfy GDPR Chapter V requirements.
What is the UOOU's role under the EU AI Act?
The UOOU oversees AI applications that involve personal data processing in Slovakia, applying existing GDPR requirements for automated decision-making (Art. 22), profiling, and DPIAs (Art. 35). Slovakia did not create a separate AI regulator. The Ministry of Investments, Regional Development and Informatization (MIRRI SR) is the Single Contact Point and general market surveillance authority under the AI Act. Slovakia enacted Act No. 318/2025 Z.z. effective 1 January 2026 as its domestic AI Act adaptation. Organisations deploying high-risk AI systems must complete conformity assessments and register with the EU high-risk AI database.
When must a data protection officer (DPO) be appointed in Slovakia?
DPO appointment is mandatory under Act No. 18/2018 (following GDPR Art. 37) for: public authorities and bodies (except courts in their judicial capacity); organisations whose main activities involve large-scale systematic monitoring of individuals; and organisations processing special category or criminal data on a large scale. Slovakia enacted no derogations from these thresholds. DPOs must be registered with the UOOU and their contact details published. Both internal and external (contracted) DPOs are permitted.
What are Slovakia's data breach notification requirements?
Controllers must notify the UOOU within 72 hours of becoming aware of a breach likely to result in a risk to the rights and freedoms of data subjects. If the breach is likely to result in a high risk, the controller must also directly notify affected data subjects without undue delay. Processors must notify the controller without undue delay on becoming aware of a breach. Under NIS 2 (Act No. 366/2024 Coll., in force 1 January 2025), certain entities face parallel incident notification obligations to the NSA: an early warning within 24 hours and a full incident report within 72 hours.
How does the NIS 2 Directive affect Slovak organisations?
Slovakia transposed NIS 2 through Act No. 366/2024 Coll., amending the Cybersecurity Act (Act No. 69/2018 Coll.), in force 1 January 2025. Over 10,000 organisations across critical sectors are now in scope as essential or important entities. Registration with the NSA was required by 1 March 2025. Full technical and governance compliance is required by 31 December 2026. Essential entities must undergo a cybersecurity audit within two years of registration. Incidents affecting personal data require dual notification to both the NSA and the UOOU.
Does Slovak law have special rules for electronic marketing and cookies?
Yes. Act No. 452/2021 Coll. (Electronic Communications) requires prior demonstrable consent before using automated calling systems, fax, email, SMS, or MMS for direct marketing. Section 109 prohibits conditioning service or feature access on consent to cookies, mirroring the GDPR's freely-given consent requirement. Consent withdrawal must be confirmed within 30 days on durable media. These rules apply in parallel with GDPR consent requirements and are enforced by the UOOU.
Sources and References
- UOOU Official Website (dataprotection.gov.sk)
- UOOU Frequently Asked Questions (dataprotection.gov.sk)
- UOOU About the Office (dataprotection.gov.sk)
- Act No. 18/2018 Coll. on Protection of Personal Data (slov-lex.sk)
- EU GDPR, Regulation (EU) 2016/679 (eur-lex.europa.eu)
- EU AI Act, Regulation (EU) 2024/1689 (eur-lex.europa.eu)
- European Data Protection Board (edpb.europa.eu)
- EC Digital Strategy, AI Act Market Surveillance (digital-strategy.ec.europa.eu)
- CMS GDPR Enforcement Tracker, Slovakia (cms.law)
- CMS Expert Guide, Slovakia Data Protection (cms.law)
- CMS AI Regulation Scanner, Slovakia (cms.law)
- White & Case, GDPR Slovakia Implementation (whitecase.com)
- DLA Piper, Data Protection Laws Slovakia (dlapiperdataprotection.com)
- Linklaters, Data Protected Slovakia (linklaters.com)
- Ius Laboris, Employee Email Slovakia (iuslaboris.com)
- Noerr, Slovak Labour Privacy (noerr.com)
- Lansky, NIS 2 Transposition Slovakia (lansky.at)
- ppc.land, UOOU FATCA Finding (ppc.land)
- IAPP, Mass Disclosure Slovakia (iapp.org)
- Slovak Spectator, Birth Number BIFO Transition (spectator.sme.sk)