On May 25, 2018, the General Data Protection Regulation (GDPR) enters into effect. The GDPR applies automatically and uniformly to all EU countries as soon as it enters into force, without needing to be transposed into national law. The GDPR is binding in its entirety on all EU countries.

On the same date, also Slovak Act No. 18/2018 Coll. on Personal Data Protection becomes effective. The Slovak Act harmonizes national legislation with the GDPR and also covers the areas where the GDPR gives EU Member States latitude to decide on local exceptions in light of their national legislations. It is therefore necessary to read the GDPR and the Slovak Act side by side.

Organizations that operate within the EU must carry out processing of personal data in accordance with the GDPR. However, the GDPR also applies to organizations outside the EU that offer goods or services to individuals in the EU.

The GDPR aims, in particular, to extend, set out in detail and strengthen the rights of individuals (‘data subjects’) as regards personal data. ‘Personal data’ include any information relating to an identified or identifiable natural person; the latter being one who can be directly or indirectly identified in particular by reference to an identifier, such as name, identification number, location data or online identifier, etc.

The GDPR applies to both ‘controllers’ (who determine the purposes and means of processing personal data) and ‘processors’ (who are responsible for processing personal data on behalf of a controller).

Even if processors are involved, controllers are not relieved of their obligations; they must ensure that their contracts with processors comply with the GDPR.