Two laws, two areas
- Draft law on the protection of individuals with regard to the processing of personal data and on amendments to certain laws (LP/2025/305; hereinafter referred to as the “Proposal”) – will be applied together with the GDPR to all controllers and processors outside law enforcement authorities.
- Draft new law on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data (LP/2025/306) – a new separate law that will regulate the rules for the processing of personal data in the field of criminal law, implementing the so-called Police Directive (Directive 2016/680).
What specifically is changing?
Key changes compared to the current law:
- Separation of the police regime – Special rules for law enforcement authorities are being moved from the general law to a separate regulation, thereby clearly separating the scope of application of the GDPR from the Police Directive regime (Section 4(1) of the Proposal).
- Elimination of duplication with the GDPR – Several parts of the current law, which essentially only repeat or unnecessarily expand the GDPR, are being deleted.
- Narrowing the purposes of personal data processing – Sections 2(1), (2), and (4) reduce the possibilities for using the purposes of personal data processing under Article 6 of the GDPR.
- Changes in impact assessments (DPIA) – The proposal regulates how the impact on personal data protection should be assessed if processing is a legal obligation (Section 3 of the Proposal).
- More precise rules for DPOs (data protection officers) – More detailed definitions are provided as to who is required to appoint a DPO and how the notification to the authority should be carried out (Section 4(2) of the Proposal).
- Reduction of penalties for cooperation – The possibility of reducing the fine to 80% is introduced if the entity waives its right to appeal and agrees to the penalty: if the person pays 80% of the imposed fine within 15 days of receiving the decision imposing the fine, the fine shall be deemed to have been paid in full (as amended in Section 45(1) of the Proposal).
- New criminal offense – The Act proposes a new criminal offense (misdemeanor) aimed at preventing digital forgery through AI and so-called deepfake technologies.
- Extension of the term of office of the President of the Office – the term of office of the President is changed from 5 to 7 years and the restriction of 2 terms of office for the President is abolished (Section 11 of the Proposal).
- Obligation to impose a fine – The possibility for the Office to impose a fine at its discretion is removed, and the Office must now impose a fine in every case (Sections 42 and 43 of the Proposal).
Apparent progress, old problems
Although at first glance the proposals appear to be a step in the right direction, their implementation faces several fundamental problems.
For example, the new law requires that the legal basis for data processing be expressly regulated in a separate regulation. This means that, for example, Act No. 311/2001 Coll., the Labor Code, as amended (hereinafter referred to as the “Labor Code”), which currently serves as the legal basis within the meaning of Article 6 of the GDPR, would no longer be sufficient under the new rules until it is amended. This follows directly from Section 2 of the Proposal, which states that “The legal basis for the processing of personal data in a specific regulation must specify the purpose of the processing of personal data, the category of data subjects, and the list of personal data processed or the scope of personal data processed.” This approach goes beyond the GDPR, which only allows (and does not require) supplementary national rules.
Conclusion: Promising ambitions, unclear reality
Slovakia has an opportunity to finally bring order to the area of personal data protection. The objectives of the new laws are correct—clear separation of regimes, elimination of duplication, reduction of administration, and response to new threats such as AI fraud.
As the legislative history to date shows – six laws and 21 amendments in less than three decades – it is not enough to simply want to make a good law. It must be prepared in such a way that it is practical, legally comprehensible, and consistent with the European framework.
Instead of creating further exceptions and national specifics (which is partly what this proposal aims to do), Slovakia could take the path of a minimalist law that only procedurally supports the GDPR, but this would require incorporating a significant portion of the proposed comments. We have room for special rules, but we must prepare them thoroughly, systematically, and in accordance with the entire legal system, not just in the form of a few paragraphs.
If the text of the Proposal is approved, it is proposed that it take effect on January 1, 2026. However, it should be noted that the Proposal is still likely to change, as there are nearly 300 pages of comments published in the legislative process.