Skip to content
World Watch/Slovakia/Data & Privacy

Data & Privacy · Slovakia

Data protection & GDPR compliance in Slovakia (2026)

Comprehensive lawEU GDPR (Regulation 2016/679) directly applicable; national implementation via Act No. 18/2018 Coll. on the Protection of Personal Data; supervised by the Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov SR, UOOU)Country index 93 · A+

Slovakia shaded by its data & privacy status

Data protection in Slovakia: comprehensive law, under EU GDPR (Regulation 2016/679) directly applicable; national implementation via Act No. 18/2018 Coll. on the Protection of Personal Data; supervised by the Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov SR, UOOU).

Slovakia's data-protection regime is anchored in the directly applicable EU GDPR, supplemented by Act No. 18/2018 Coll. on the Protection of Personal Data, which entered into force on 25 May 2018 and replaced the prior Act No. 122/2013 Coll. The UOOU, an independent state body based in Bratislava, acts as the national supervisory authority and is a full member of the European Data Protection Board (EDPB). The regime grants individuals the full GDPR catalogue of rights and imposes controller/processor obligations consistent with the Regulation, with several Slovak-specific derogations on birth numbers, employee monitoring, and special-category data.

GDPR & data protection in Slovakia

In Slovakia, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Office for Personal Data Protection of the Slovak Republic.

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the Office for Personal Data Protection of the Slovak Republic
Applies to
any organisation processing the personal data of people in Slovakia, wherever the organisation is based
Maximum fine
€20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Slovakia supplements it with a national data-protection act and its own supervisory authority.

GDPR in Slovakia: FAQ

Does the GDPR apply in Slovakia?

Yes. As an EU/EEA member, Slovakia applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Office for Personal Data Protection of the Slovak Republic.

Who enforces data protection law in Slovakia?

The Office for Personal Data Protection of the Slovak Republic.

What are the GDPR fines in Slovakia?

Up to €20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Slovakia?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Slovakia?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

National implementing law

Act No. 18/2018 Coll. on the Protection of Personal Data (adopted 29 November 2017, in force 25 May 2018) transposes the GDPR into Slovak law, sets out permissible national derogations, and defines the powers and structure of the UOOU. It replaced the prior Act No. 122/2013 Coll.

Supervisory authority, UOOU

The Office for Personal Data Protection of the Slovak Republic (UOOU) is Slovakia's independent supervisory authority with nationwide competence. Its President, Zuzana Valková, represents Slovakia on the EDPB. The UOOU may impose fines up to €20 million or 4% of global annual turnover, whichever is higher.

Slovak birth-number derogation

Act 18/2018 introduces specific rules for the Slovak rodné číslo (birth identification number): it may only be processed where strictly necessary for the purpose; consent-based processing requires explicit (rather than standard) consent; and publication of the birth number is prohibited except when voluntarily disclosed by the data subject.

Employee monitoring rules

Workplace monitoring by employers is permitted only where serious reasons relating to the specific character of the employer's activities justify it, a stricter standard than the GDPR default. Employees must be notified in advance about the nature, method, and extent of any monitoring.

DPIA obligation and Decree 158/2018

Controllers must carry out a Data Protection Impact Assessment for high-risk processing. The procedural requirements are governed by Decree of the UOOU No. 158/2018 Coll. on the procedure for data protection impact assessment, and the UOOU maintains the national list of processing operations requiring a mandatory DPIA.

Enforcement practice

In 2025 the UOOU's enforcement concentrated on public-sector entities unlawfully publishing birth numbers in the Central Register of Contracts; over 500 fines became final, totalling approximately €470,000. The highest single fine on record (€50,000) was imposed on the Social Insurance Company for inadequate processing security under Article 32 GDPR. Slovakia has low fine-disclosure transparency, limiting public visibility of individual decision details.

Slovakia - other topics

Data & Privacy in other countries

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →