Data protection & privacy laws in Slovakia (2026)
Slovakia's data-protection regime is anchored in the directly applicable EU GDPR, supplemented by Act No. 18/2018 Coll. on the Protection of Personal Data, which entered into force on 25 May 2018 and replaced the prior Act No. 122/2013 Coll. The Office for Personal Data Protection of the Slovak Republic (UOOU), an independent state body based in Bratislava, acts as the national supervisory authority and is a full member of the European Data Protection Board (EDPB). The regime grants individuals the full GDPR catalogue of rights and imposes controller/processor obligations consistent with the Regulation, with several Slovak-specific derogations on birth numbers, employee monitoring, and special-category data.
Key points
Act No. 18/2018 Coll. on the Protection of Personal Data (adopted 29 November 2017, in force 25 May 2018) transposes the GDPR into Slovak law, sets out permissible national derogations, and defines the powers and structure of the UOOU. It replaced the prior Act No. 122/2013 Coll.
The Office for Personal Data Protection of the Slovak Republic (UOOU) is Slovakia's independent supervisory authority with nationwide competence. Its President, Zuzana Valková, represents Slovakia on the EDPB. The UOOU may impose fines up to €20 million or 4% of global annual turnover, whichever is higher.
Act 18/2018 introduces specific rules for the Slovak rodné číslo (birth identification number): it may only be processed where strictly necessary for the purpose; consent-based processing requires explicit (rather than standard) consent; and publication of the birth number is prohibited except when voluntarily disclosed by the data subject.
Workplace monitoring by employers is permitted only where serious reasons relating to the specific character of the employer's activities justify it — a stricter standard than the GDPR default. Employees must be notified in advance about the nature, method, and extent of any monitoring.
Controllers must carry out a Data Protection Impact Assessment for high-risk processing. The procedural requirements are governed by Decree of the UOOU No. 158/2018 Coll. on the procedure for data protection impact assessment, and the UOOU maintains the national list of processing operations requiring a mandatory DPIA.
In 2025 the UOOU's enforcement concentrated on public-sector entities unlawfully publishing birth numbers in the Central Register of Contracts; over 500 fines became final, totalling approximately €470,000. The highest single fine on record (€50,000) was imposed on the Social Insurance Company for inadequate processing security under Article 32 GDPR. Slovakia has low fine-disclosure transparency, limiting public visibility of individual decision details.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.