Data & Privacy · Slovakia
Data protection & GDPR compliance in Slovakia (2026)
Slovakia shaded by its data & privacy status
Data protection in Slovakia: comprehensive law, under EU GDPR (Regulation 2016/679) directly applicable; national implementation via Act No. 18/2018 Coll. on the Protection of Personal Data; supervised by the Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov SR, UOOU).
Slovakia's data-protection regime is anchored in the directly applicable EU GDPR, supplemented by Act No. 18/2018 Coll. on the Protection of Personal Data, which entered into force on 25 May 2018 and replaced the prior Act No. 122/2013 Coll. The UOOU, an independent state body based in Bratislava, acts as the national supervisory authority and is a full member of the European Data Protection Board (EDPB). The regime grants individuals the full GDPR catalogue of rights and imposes controller/processor obligations consistent with the Regulation, with several Slovak-specific derogations on birth numbers, employee monitoring, and special-category data.
GDPR & data protection in Slovakia
In Slovakia, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Office for Personal Data Protection of the Slovak Republic.
- Framework
- the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
- Supervisory authority
- the Office for Personal Data Protection of the Slovak Republic
- Applies to
- any organisation processing the personal data of people in Slovakia, wherever the organisation is based
- Maximum fine
- €20 million or 4% of global annual turnover, whichever is higher
- Breach notification
- within 72 hours of becoming aware, to the supervisory authority
- DPO
- required for large-scale monitoring or large-scale special-category processing
The GDPR is bloc-wide; Slovakia supplements it with a national data-protection act and its own supervisory authority.
GDPR in Slovakia: FAQ
Yes. As an EU/EEA member, Slovakia applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Office for Personal Data Protection of the Slovak Republic.
The Office for Personal Data Protection of the Slovak Republic.
Up to €20 million or 4% of global annual turnover, whichever is higher.
A DPO is required where you carry out large-scale monitoring or process special-category data at scale.
Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.
Key points
Act No. 18/2018 Coll. on the Protection of Personal Data (adopted 29 November 2017, in force 25 May 2018) transposes the GDPR into Slovak law, sets out permissible national derogations, and defines the powers and structure of the UOOU. It replaced the prior Act No. 122/2013 Coll.
The Office for Personal Data Protection of the Slovak Republic (UOOU) is Slovakia's independent supervisory authority with nationwide competence. Its President, Zuzana Valková, represents Slovakia on the EDPB. The UOOU may impose fines up to €20 million or 4% of global annual turnover, whichever is higher.
Act 18/2018 introduces specific rules for the Slovak rodné číslo (birth identification number): it may only be processed where strictly necessary for the purpose; consent-based processing requires explicit (rather than standard) consent; and publication of the birth number is prohibited except when voluntarily disclosed by the data subject.
Workplace monitoring by employers is permitted only where serious reasons relating to the specific character of the employer's activities justify it, a stricter standard than the GDPR default. Employees must be notified in advance about the nature, method, and extent of any monitoring.
Controllers must carry out a Data Protection Impact Assessment for high-risk processing. The procedural requirements are governed by Decree of the UOOU No. 158/2018 Coll. on the procedure for data protection impact assessment, and the UOOU maintains the national list of processing operations requiring a mandatory DPIA.
In 2025 the UOOU's enforcement concentrated on public-sector entities unlawfully publishing birth numbers in the Central Register of Contracts; over 500 fines became final, totalling approximately €470,000. The highest single fine on record (€50,000) was imposed on the Social Insurance Company for inadequate processing security under Article 32 GDPR. Slovakia has low fine-disclosure transparency, limiting public visibility of individual decision details.
Slovakia - other topics
Data & Privacy in other countries
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →