THE LAW on personal data protection will change after being in effect for less than a year, as the government has responded to employers’ complaints that it is impossible to implement in practice. Though employers say parts of the law are still problematic, they consider the revised legislation an improvement.
The amended law does away with several requirements for businesses processing personal information. For example, companies will no longer have to prepare a set of guidelines, called a safety directive, for working with sensitive information, or pay to register their information systems used for processing personal data with the Office for Personal Data Protection (ÚOOÚ). Fines imposed by the law will also change. Under the new rules, the ÚOOÚ will be free to decide over sanctions for violating the law. Moreover, it will only fine companies and not individuals, as the current law does. The fines will be lower, too.
The new measures will come into force on April 15.
“The adopted amendment is a compromise between the requirements of employers’ associations and the Office for Personal Data Protection,” Vladimír Očenáš from the Federation of Employers’ Associations (AZZZ) told The Slovak Spectator.
The law was dubbed “bureaucratic nonsense of the decade” by employers because of its numerous problems, as well as its administrative and financial burdens. They complained that the law was impossible to apply in practice, and that it came with absurd requirements for firms and disproportionally increased their costs, said Martin Hošták, secretary of the National Union of Employers (RÚZ).
Employers also cited high fines, which they claimed were severe enough to force some companies out of business, and expressed doubts about the law’s ability to actually protect personal information. They also claimed that some of the law’s measures were even stricter than the rules required by the European Commission, the SITA newswire wrote.
This will now change, as the new rules enabled “the law on personal data protection to reach the level required by the directives of the European Union”, Tibor Gregor, executive director of Klub 500, an association for companies with more than 500 employees, told The Slovak Spectator.
The Confederation of Trade Unions (KOZ) also welcomed the new law, but criticised the way it was adopted. Though they called on the government to arrange a meeting with the ÚOOÚ to discuss possible legislative changes along with employers, the negotiations took place without the trade unions, KOZ informed on its website on March 31.
The government proposed at its March 19 session to pass the amendment in a fast-tracked proceeding. The reason was “the severity of the problem and the fact that the businesses were threatened with economic damage”, Justice Ministry spokesperson Alexandra Donevová told The Slovak Spectator.
MPs cleared the new rules on March 27, but President Ivan Gašparovič returned the law to parliament on April 3. He explained that the adopted changes might be in conflict with the constitution, since they allow the processing of personal information without the consent of the respective person in some specific cases, especially information pertaining to the rights of employers or operators: data processed for monitoring an employee, reporting murky practices at the workplace or work effectiveness. According to him, every person has the right to protection from unauthorised invasion of privacy.
Parliament accepted the president’s proposal and passed the revised amendment on April 3. Gašparovič signed it into law on April 7.
KOZ spokesperson Martina Nemethová told The Slovak Spectator that the president proposed the change also based on the union’s letter, in which members pointed to a possible violation of the constitution and other international documents.
Changes should relieve employers
Under the original rules that came into force in July 2013, companies had to pay about €250 to get a safety directive, which they consider administrative hassle, as reported by the Sme daily. MPs scrapped this requirement in the revised law.
Moreover, businesses had to pay €20 or €50 for registering information systems for processing personal information, according to Sme. The new law eliminates these fees and simplifies the whole registration system. The companies will also be able to register the system online. Businesses will, however, still have to pay for special registration.
Another change pertains to so-called responsible persons. The old law stipulated that every company with 20 or more employees working with personal data must appoint a responsible person, i.e. someone who undergoes mandatory training for working with sensitive information. Such a person then monitors other people working with personal data and alerts them of any mistakes. Companies without a responsible person were fined.
Under the new rules, companies will be able to decide for themselves whether to appoint a responsible person.
Moreover, businesses will not have to employ people authorised to work with personal information. This means that those hired through limited working agreements, called “na dohodu” in Slovak, will also be able to perform the work, the Hospodárske Noviny daily wrote.
The revised law will also reduce the fines, decreasing the upper limit from €300,000 to €200,000. Additionally, the ÚOOÚ will be free to decide whether to fine a company, basing its decision on the severity of the violation. Moreover, fines will be imposed on the whole company, not on individuals, Hospodárske Noviny wrote.
The amendment also contains suggestions made by the ÚOOÚ concerning issues they encountered during the law’s implementation, Lucia Kopná, the office’s spokesperson, told The Slovak Spectator.
Though employers welcome the changes, they say the law still contains measures that could cause problems in the future. Gregor, for example, pointed to measures that are defined too generally, which could result in differing interpretations. But, he added that he understands that it is too difficult to define all the measures covered by the law in detail.
Očenáš said some measures do not even solve personal data protection, but are only an administrative burden, like the content and the extent of the safety measures. According to him, some of the measures may change in the future “if the application shows that the amendment did not bring the required drop in the bureaucratic burden”.
14. Apr 2014 at 0:00 | Radka Minarechová