SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS
1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?
Slovakia
The EU General Data Protection Regulation (2016/679) (the GDPR) is directly applicable in this jurisdiction.
A number of provisions in the GDPR have particular relevance in the context of investigations. For example, processing of personal data must have a valid legal basis under GDPR. Establishing a legal basis in the context of an investigation is not always straightforward, particularly where investigations involve foreign authorities or courts and where the relevant data includes sensitive data. Restrictions on international transfers create additional complexity in the context of cross-border investigations, both in relation to transfers within an organisation (and with its advisers) and in relation to transfers to foreign authorities, courts and counterparties in litigation. All processing must comply with the data protection principles under the GDPR, including the principle that processing must be fair, lawful and transparent and the principle of data minimisation. It can be challenging to ensure compliance with these principles in the context of an investigation.
Additionally, alongside GDPR, Act No. 18/2018 has been adopted, which provides further details regarding data processing for situations not captured by the GDPR. The Act also sets out further details that the GDPR permits EU member states to govern (ie, derogations).
Answer contributed by
Michal Porubsky
Allen & Overy LLP
2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?
Slovakia
Regulations that may prevent data sharing in the context of an investigation are not specifically set out in the GDPR. Whether the data may be shared or not will depend on the circumstances of each individual case.
Bank secrecy
Financial institutions in Slovakia are subject to a duty of confidentiality.
Bank confidentiality is a statutory duty that a bank has towards its customers. Save for limited purposes set out under Act No. 483/2001 on Banks as amended (the Banking Act); client data can be transferred by a bank only with the client’s prior written consent or upon an explicit written instruction by the client given for a specific purpose and within the terms and limits of such consent or instruction.
Similar rules apply to transfers of client data by other financial institutions. These rules are contained in specific legislation applicable to certain types of financial institutions, for example:
- the Securities and Investment Services Act (in respect of stock brokerage firms);
- the Payment Services Act (in respect of payment institutions and e-money institutions);
- the Insurance Act (in respect of insurance and reinsurance undertakings);
- the Collective Investment Act (in respect of collective investment undertakings); and
- the Pension Savings Act (in respect of pension fund managers).
The transfer restrictions under the Securities and Investment Services Act, the Payment Services Act and the Collective Investment Act also apply to foreign stock brokerage firms (MiFID investment firms), payment institutions and collective investment undertakings when carrying out their activities in the Slovak Republic on a cross-border basis.
The restrictions under these laws are broadly similar to the restriction in the Banking Act (subject to certain exceptions).
The confidentiality rules under these laws apply to all information about clients that is not publicly accessible. This includes information on balances or assets on customers’ accounts and information on any transactions entered into with, or for, the customers.
In general, a financial institution is allowed to transfer client data without a client’s written consent or instruction in certain circumstances, including where:
- the data is already publicly available and therefore not confidential;
- the transfer is necessary for the proper provision of payment services and settlements through a designated legal person by a payment service provider;
- the transfer of the data is to the Slovakian authorities in certain circumstances;
- the transfer is in compliance with obligations under anti-money laundering or sanctions rules; or
- the transfer is in connection with litigation or court proceedings, or to obtain legal advice, if this is either in the interests of the bank or under compulsion by order of court, but only if the relevant dispute concerns the client or its assets.
Legal privilege
Under Act No. 586/2003 on Advocacy (Advocacy Act), any attorney-client communication is privileged and therefore prevented from being shared in the context of investigation.
Other confidentiality duties
Slovak law contains several other confidentiality duties and secrecy rules that may prevent data sharing in the context of investigation, including audit secrecy, tax secrecy, mail secrecy or business sensitivity.
Answer contributed by
Michal Porubsky
Allen & Overy LLP
3. What constitutes personal data for the purposes of data protection laws?
Slovakia
The definition of personal data for the purposes of data protection laws in the Slovak Republic is the same as the definition of personal data contained in the GDPR.
According to article 4 of the GDPR:
’personal data’” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In the Slovak Republic, as per GDPR, personal data protection relates only to natural living persons. It does not apply to legal entities or deceased natural persons
Data that is truly anonymised – information that no longer relates to an identified or identifiable individual, or is rendered in such a way that individuals are not or are no longer identified or identifiable – will not be “personal data" for the purposes of GDPR, as it does not identify the individual.
Data is not truly anonymised if the data may re-identify the individuals to which the data relates by reasonably available means. Pseudonymised data – information no longer attributable to a specific data subject without the use of additional information, kept separately and subject to appropriate measures – remains personal data for the purposes of the GDPR.
Answer contributed by
Michal Porubsky
Allen & Overy LLP
4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?
Slovakia
In the territory of the Slovak Republic, as a member of the European Union, the GDPR primarily applies within the framework of personal data protection.
Additionally, alongside GDPR, Act No. 18/2018 has been adopted, which provides further details regarding data processing for situations not captured by the GDPR. However, this law is largely only a translation of the GDPR itself.
The GDPR applies to "processing", which is defined broadly and includes any activity in relation to personal data (whether or not by automated means). A number of examples are provided in the GDPR, including the collection, use, disclosure and destruction or erasure of personal data.
The direct obligations under the GDPR apply primarily to controllers. A controller is defined in the GDPR as a person who (either alone or jointly with others) determines the purposes for which and the manner in which any personal data are processed.
However, the GDPR also imposes certain direct obligations on processors. A processor is defined in the GDPR as a person who processes personal data on behalf of the controller.
As regards the territorial scope, the GDPR applies to processing of personal data, as defined above, in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not.
Further, the GDPR applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union, where the processing activities are related to: (i) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the European Union; or (ii) the monitoring of their behaviour as far as their behaviour takes place within the European Union.
The GDPR also applies to the processing of personal data by a controller not established in the European Union, but in a place where member state law applies by virtue of public international law.
Answer contributed by
Michal Porubsky
Allen & Overy LLP
5. What are the principal requirements under data protection laws that are relevant in the context of investigations?
Slovakia
There are no special requirements that should be relevant in context of investigations. In this case, the general principles contained in the GDPR will apply.
Answer contributed by
Michal Porubsky
Allen & Overy LLP
6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.
Slovakia
The process of internal investigation is not specifically regulated by law in the Slovak Republic. Act No. 311/2001 Labour Code, contains a partial adjustment and instructions on how to proceed in such a case.
According to the Labour Code:
The employer may not, without serious grounds based on the specific nature of the employer's activities, infringe on the employee's privacy at the workplace and in the employer's common areas, by monitoring him, recording telephone calls made by the employer's technical work equipment and checking e-mail sent from and delivered to the work e-mail address, without notifying him in advance. If the employer implements a control mechanism, he is obliged to discuss with the employees' representatives the scope of the inspection, the method of its implementation, as well as its duration and inform the employees about the scope of the inspection, the manner of its implementation and its duration.
In addition, the general principles of the GDPR will apply. The data protection requirements applicable to the different parties involved in the investigation depend on their role under the GDPR, ie, whether they qualify as controller or processor. Under the GDPR, the role of the parties involved in the processing must be assessed on a factual basis. It cannot be determined for instance based on contractual provisions.
The organisation, on whose behalf the investigation is carried out, presumably qualifies as the controller (ie, the party that determines the purposes and means of the processing). This is, in principle, the case for the company carrying out an internal investigation. The party assisting with the investigation either qualifies as a controller or processor, notably depending on the level of influence that party exerts on the essential means of the processing, such as which and whose data shall be processed, for how long shall they be processed and who shall have access to them. Law firms and auditing firms typically qualify as independent controllers particularly given the level of independence their role requires. A processor, on the other hand, processes personal data on behalf of the controller and does not pursue own purposes when doing so. Where more than one controller is involved in the processing, it must also be verified, in light of the available guidance and jurisprudence, whether these controllers qualify as joint controllers.
The relationship between a controller and a processor must be governed by a data processing agreement in accordance with article 28 GDPR. The relationship between joint controllers must be governed by a joint-controllership agreement in accordance with article 26 GDPR.
Most data protection requirements are directed towards controllers. The controller is notably responsible to determine the lawful basis for the processing and to ensure compliance with the rights of the data subjects, such as by informing the data subjects about the processing of their personal data and by responding to their requests to exercise their rights. The controller must also carry out a data protection impact assessment where the processing is likely to result in a high risk to the rights and freedoms of natural persons, such as in the case of employee monitoring, and must ensure that the transfer of personal data to countries outside of the European Economic Area do not undermine the level of data protection afforded in the European Union.
Certain data protection requirements are specifically directed towards processors. Under the GDPR, these requirements mostly stem from the mandatory terms that the data processing agreement with the controller needs to include in accordance with article 28 GDPR. For example, the processor must not process the personal data otherwise than on the instructions of the controller. The processor must also assist the controller with responding to requests for exercising the data subject’s rights and with the compliance of the controller’s obligations with regard to the security of the processing, data protection impact assessments and prior consultations with the supervisory authorities. When engaging another processor, whether with the general or specific authorisation of the controller, the processor must impose the same data protection obligations onto the other processor as set out in the data processing agreement with the controller
In addition, the GDPR also imposes certain obligations that apply directly to controllers and processors. These include an obligation to: (i) implement appropriate technical and organisational measures to protect personal data, (ii) maintain a written record of processing activities carried out on behalf of each controller; (iii) designate a data protection officer where required; (iv) appoint a representative (when not established in the EU) in certain circumstances; and (v) notify the controller without undue delay on becoming aware of a personal data breach.
Answer contributed by
Michal Porubsky
Allen & Overy LLP
RIGHTS OF INDIVIDUALS
7. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation?
Slovakia
The consent of the data subject is one legal basis for processing of personal data under the GDPR. Data subject consent is therefore not mandatory for the processing of personal data, but consent must be obtained if no other legal basis exists.
Answer contributed by
Michal Porubsky
Allen & Overy LLP
8. If not mandatory, should consent still be considered when planning and carrying out an investigation?
Slovakia
Consent may be considered as an enabling action when planning an investigation. However, obtaining consent to the processing of personal data can be practically challenging, and proceeding with processing of personal data in reliance solely on this ground is rarely appropriate. One reason is that consent must be capable of being withdrawn at any time (a right that it is not possible to contract out of, which would be difficult to manage in the context of the investigation).
Answer contributed by
Michal Porubsky
Allen & Overy LLP
9. Is consent given by employees likely to be valid in an investigation carried out by their employer?
Slovakia
Consent is not freely given (and so is invalid) if a data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment, or there is a clear imbalance between the parties. Consent included within an employment contract, or obtained generally by an employer from an employee, is unlikely to be valid for this reason.
This reflects guidance produced by the European Data Protection Board (Guidelines 05/2020):
Given the dependency that results from the employer/employee relationship, it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal. It is unlikely that an employee would be able to respond freely to a request for consent from his/her employer to, for example, activate monitoring systems such as camera observation in a workplace, or to fill out assessment forms, without feeling any pressure to consent.… For the majority of such data processing at work, the lawful basis cannot and should not be the consent of the employees (Article 6(1)(a)) due to the nature of the relationship between employer and employee.
As stated in question 6, according to the Slovak Labour Code, an employer does not need the consent of employees for the process of monitoring them. Only their notification in advance is sufficient.
Answer contributed by
Michal Porubsky
Allen & Overy LLP
10. How can consent be given by a data subject? Is it possible for data subjects to give their consent to processing in advance?
Slovakia
There is no prescribed form for the consent, but it should be freely given, specific, informed and unambiguous. In addition, to the extent relied upon as a basis for international transfers, consent must also be explicit. Consent can also be withdrawn at any time and must be as easy to withdraw as to give.
In the case of sensitive data, where consent is relied on to provide a legal basis under article 9 GDPR, it must also be explicit. A controller may therefore wish to obtain consent by means of an additional formality to demonstrate “explicit” consent (eg, a wet ink signature or a tick box that expressly uses the word “consent”).
Consent can be obtained through a website or other electronic means.
Answer contributed by
Michal Porubsky
Allen & Overy LLP
11. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?
Slovakia
Right of access
A data subject has a right to request information regarding whether their personal data is being processed, known as a data subject access request. The information that can be requested includes a description of the data, the purpose for which it is being processed and to whom it may be disclosed. The controller must also provide a copy of the personal data to the data subject.
A controller is not required to provide personal data in response to a “manifestly unfounded or excessive” request from a data subject (article 12(5) of the GDPR). If relying on this exemption, a controller should retain evidence to demonstrate why it considers the request to be unfounded or excessive. If a controller refuses to act on a request, they must also inform the data subject of the reason why and tell the data subject that they can complain to their relevant supervisory authority and enforce their right through judicial remedy.
Right to rectification
Data subjects have the right to request rectification of any personal data relating to them that is inaccurate, and completion of any incomplete data, including by way of a supplementary statement. There is an obligation on a controller under the GDPR to ensure the personal data it keeps is accurate (see question 7).
Right of erasure
Data subjects have the right to obtain from the controller the erasure of their personal data without undue delay if one of the specified grounds applies. This includes where the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, or where the data subject has withdrawn consent (and there is no other legal ground for the processing).
Right to object
In certain circumstances, such as when a controller is relying upon their legitimate interests (or those of a third party) or the processing is necessary for performing tasks in the public interest or in the exercise of official functions (see question 7), data subjects have a right to object to the processing of personal data concerning them at any time. A controller must adhere to this objection unless it can demonstrate a legitimate basis for the processing that overrides the interests of the data subject, or if the processing is necessary within legal proceedings.
A data subject also has a right to obtain a restriction of processing from the controller where it believes the relevant personal data is inaccurate, the processing is unlawful or the controller no longer needs the data for the purposes of the processing. If the latter is the case, the data subject can require the controller to limit the processing to that required in the context of legal proceedings.
Answer contributed by
Michal Porubsky
Allen & Overy LLP
EXTRACTION, LEGAL REVIEW AND ANALYSIS BY THIRD PARTIES, INTERNATIONAL TRANSFER
12. Are there specific requirements to consider where third parties are appointed to process personal data in connection with an investigation?
Slovakia
In the Slovak Republic, the process of internal investigation is not regulated by a specific law.
The process of such investigation will depend on the internal policies adopted within the particular company and will be informed and regulated by various statutes such as GDPR and the Labour Code. The process will also be subject to general human rights principles (ie, right to privacy).
Additional provisions of the GDPR apply where the third party qualifies as a processor (ie, where the third party processes personal data on behalf of the controller without pursuing its own purposes).
The controller must use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing meets the requirements of the GDPR. A written contract to this effect must be entered into between the processor and controller (article 28 GDPR). This contract must include a description of the data processing activities and require the processor, among other things, to:
- act only on the documented instructions of the controller (including with regard to international transfers of data to a third country);
- ensure that persons who process the data have committed to confidentiality or are under a statutory duty of confidentiality;
- implement appropriate security measures in accordance with the GDPR;
- engage a sub-processor only with the prior authorisation of the controller;
- assist the controller in carrying out its obligations to respond to requests by data subjects to exercise their rights under the GDPR; and
- assist the controller in ensuring its compliance with its data security obligations.
Where a processor engages a sub-processor, the contract between them must reflect the same data protection obligations as set out in the contract between the controller and the processor.
These provisions of the GDPR apply to processors within the same corporate group in the same way as to other third-party processors.
Another aspect to consider is the location of the third party. If it is located outside of the European Economic Area (EEA), this entails the applicability of the provisions regarding the international transfer of personal data.
Answer contributed by
Michal Porubsky
Allen & Overy LLP
13. Is it permitted to share personal data with law firms for the purpose of providing legal advice?
Slovakia
According to Act No. 586/2003 on Advocacy (Advocacy Act), a lawyer is entitled to process personal data for the purposes of providing legal services. The transfer of personal data is therefore not hindered.
However, a transfer of personal data to a third-party law firm of personal data for the purposes of providing legal advice needs to be analysed in the same way as any other transfer of personal data, and so must be carried out in compliance with the GDPR and the principles relating to the processing of personal data.
This means that sharing personal data with law firms for the purpose of providing legal advice is in principle permitted, however, the controller must ensure that it complies with the general requirements of GDPR. Particularly relevant here is the data minimisation principle, which requires that no more data is shared than what is necessary in relation to the purpose pursued. Where the law firm resides in a country outside the EEA, the controller must ensure that the country concerned is covered by an adequacy decision of the European Commission or that the transfer is otherwise protected by appropriate safeguards, such as standard contractual clauses.
Answer contributed by
Michal Porubsky
Allen & Overy LLP
14. What is the position and status of law firms under data protection laws? Are law firms directly accountable for data processing under data protection laws, or is responsibility for processing by law firms shared between the law firm and the client?
Slovakia
In Slovakia, a lawyer processes personal data of clients and other natural persons to the extent necessary for the purposes of advocacy in accordance with the Advocacy Act and the GDPR.
While the qualification of a party as either controller or processor depends on the case by case analysis of the factual situation, a generally adopted position is that during this process, the lawyer or law firm have the status of a “controller” according to the GDPR and are directly accountable for data processing under data protection laws.
A lawyer is entitled to obtain and process personal data necessary for the purposes of advocacy by copying, scanning or otherwise recording official documents on an information carrier without the consent of the data subject.
Answer contributed by
Michal Porubsky
Allen & Overy LLP
15. What is the position and status of legal process outsourcing firms under data protection laws?
Slovakia
If outsourcing firms are processing personal data on behalf of a controller, they would have the status of a “processor” as defined in GDPR.
However, the qualification of a party as either controller or processor depends on the case-by-case analysis of the factual situation, in particular of the question of whether the party factually (not only contractually) “determines the purposes and means of the processing of personal data” (article 4(7) GDPR).
Answer contributed by
Michal Porubsky
Allen & Overy LLP
16. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?
Slovakia
As described above, the process of an internal investigation is not regulated by a specific statute in the Slovak Republic (see questions 6 and 12).
General legal principles on secret information, privilege and data protection would apply to the process of reviewing documents.
Answer contributed by
Michal Porubsky
Allen & Overy LLP
17. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?
Slovakia
Rules governing the transfer of data held in jurisdiction of the Slovak Republic are regulated by GDPR. The GDPR distinguishes between transfers to other jurisdictions within the EEA and transfers of data to jurisdictions outside the EEA.
Within the EEA
A transfer of personal data from this jurisdiction to a processor or controller in another EEA member state must comply with the same requirements as if the transfer was made within the jurisdiction.
Outside the EEA
Personal data subject to the GDPR cannot be transferred to a country or territory outside the EEA unless that third country or territory provides an adequate level of protection for personal data.
The European Commission has determined that certain non-EEA countries and recipients ensure an adequate level of protection for personal data and so a transfer can be made to such countries in compliance with the rules that provide restrictions on transfers outside the EEA.
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay, and the UK as providing adequate protection.
Alternatively, the controller as transferor could ensure an adequate level of protection through:
- entering into standard contractual clauses (SCC) approved by the European Commission, supplemented, where appropriate, with additional measures to ensure that the level of data protection afforded in the European Union is not undermined; or
- the adoption of binding corporate rules.
Controllers transferring personal data and looking to rely on standard contractual clauses approved by the European Commission (or another article 46 GDPR international transfer mechanism) must assess on a case-by-case basis whether additional safeguards are needed to remedy any identified deficiency and ensure adequate data protection.
In the absence of other possibilities, and subject to strict interpretation, personal data can be transferred outside the EEA if one of the following derogations, among others, applies:
- the data subject has consented to the transfer (as noted above, this consent should be explicit as well as freely given, specific, informed and unambiguous);
- the transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject’s request;
- the transfer is necessary for the conclusion of a contract between the controller and a person other than the data subject, which is entered into in the data subject’s interests;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims; or
- the transfer is necessary to protect the vital interests of the data subject.
Where none of the above derogations is available, a transfer to a third country may take place if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests of the controller (which are not overridden by the interests or rights and freedoms of the data subject), and the controller has assessed all the circumstances surrounding the transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data. This ground for processing may only be relied upon where no other legal basis is available. The controller shall inform the supervisory authority of the transfer and, in addition to providing the information referred to in articles 13 and 14 GDPR, shall inform the data subject of the transfer and on the compelling legitimate interests pursued. As such, this derogation is unlikely to be of practical application in the context of an investigation.
Answer contributed by
Michal Porubsky
Allen & Overy LLP
18. Are there specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations?
Slovakia
Local counsel is not aware of any specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations.
Answer contributed by
Michal Porubsky
Allen & Overy LLP
TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES
19. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?
Slovakia
The transfer of personal data to regulators and enforcement authorities within the jurisdiction must comply with the GDPR in the same way as any other processing. In particular, a legal basis must be established under article 6 GDPR.
While there is no specific exemption to the data transfer rules in the GDPR for transfer to a regulator or enforcement authority within the jurisdiction, there are a number of possible exemptions and conditions that may be used for a transfer to regulators and enforcement authorities in the jurisdiction. These include where the disclosure is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
Answer contributed by
Michal Porubsky
Allen & Overy LLP
20. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?
Slovakia
The provisions applying to cross-border data transfer generally also apply to the transfer of data to regulators and law enforcement authorities out of the jurisdiction. Any transfer to an overseas regulator would have to comply with the GDPR in the same way as any other processing.
Any disclosure of personal data to an overseas regulator or law enforcement authority would engage the first data protection principle (including the requirement to establish a legal basis under article 6 GDPR) and prohibitions on cross-border transfers of personal data. In particular, the first principle provides that processing of personal data must be fair, lawful and transparent.
Any transfer of personal data to an overseas regulator or law enforcement authority may breach this principle on the basis that this is not a purpose of processing, or recipient of data, about which the data subjects will have been sufficiently informed. The GDPR sets out exemptions to providing a privacy notice where this is impossible or would involve disproportionate effort on the part of the controller, but these exemptions are interpreted narrowly.
The cross-border transfer of personal data would additionally require safeguards for the relevant transfer and a legal basis for processing. There is no clear exemption or derogation from either the first principle, the requirement for a legal basis for processing, or the prohibition on cross-border transfers that will routinely cover requests for data by a foreign regulator or law enforcement authority.
The prohibition on cross-border transfers provides that personal data should not be transferred to a country outside the EEA that does not provide an adequate level of protection, unless an exemption applies or safeguards for the personal data are in place (see question17). Article 49 of the GDPR provides for derogations to the requirement for an adequacy decision or implementing safeguards in certain circumstances, including where the transfer is necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims.
However, without prejudice to other grounds for international transfers, a decision from a third country authority, court or tribunal does not in itself justify the transfer of personal data to a non-EEA country. This is the case unless the transfer is based on an international agreement, such as a mutual legal assistance treaty. The European Data Protection Board guidelines state, in relation to article 48: “In situations where there is an international agreement, such as a mutual legal assistance treaty (MLAT), EU companies should generally refuse direct requests and refer the requesting third country authority to existing MLAT or agreement.”
Answer contributed by
Michal Porubsky
Allen & Overy LLP
21. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?
Slovakia
The recipient of such a request may consider taking the following steps, among others:
- consider if there is a legal obligation to respond to the request and, if so, to what extent;
- seek further information in writing from the requesting regulator to evaluate the purpose of the request;
- if possible, negotiate the scope of the request: for example, to target the specific information required for the purposes of the regulatory investigation;
- in accordance with principles of data minimisation and anonymisation, limit the scope of any data disclosed and transferred to that necessary for the purpose;
- consider whether it is practicable to obtain data subject consent and/or give a further privacy notice.
- put in place a data processing agreement if data will be transferred to an affiliate or third party (acting as a processor); and
- consider transfer via an MLAT as, in some cases, it may be possible to request that the requesting court or regulator requests data via an MLAT or other international agreement.
Answer contributed by
Michal Porubsky
Allen & Overy LLP
