The abbreviation GDPR means General Data Protection Regulation, the Regulation of the European Parliament and of the Council (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The Regulation is applicable in all Member States in the European Union or the European Economic Area.

Its goal is to specify the responsibilities of controllers and processors in processing of personal data, specify the rights of data subjects, and to ensure the protection of personal data throughout the Union.

The Regulation entered into force on May 25th, 2018. Along with the Regulation, the Act No. 18/2018 Z. z. on Personal Data Protection entered into force which forms a comprehensive legislative framework for personal data protection in the Slovak Republic.

GDPR concerns anyone who processes personal data. In practice, often we come across the opinion: "My company is small, it does not need GDPR". Company size or number of employees do not matter. GDPR concerns any controller processing personal data of employees, customers, business partners, or even newsletter subscribers.

GDPR does not apply to the processing of personal data as part of personal or domestic activities. This is the data that an individual processes for their own use, such as keeping a personal directory, home monitoring by means of a CCTV system, or personal correspondence.

Personal data means any kind of information that concerns a person and is related to that person's private, work and public life.

According to GDPR, personal data means any information relating to an identified or identifiable natural person such as a name, an identification number, location data, an on-line identifier or a reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data also includes a photo or video recording if it can be used to identify an individual. As regards the form of personal data, it can be paper, electronic, numerical, graphical, and so on.

A special category of personal data (sensitive personal data) includes data revealing racial or ethnic origin, political opinions, religion, philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation of the natural person.

Processing of special category of personal data shall be prohibited unless it is possible to apply at least one of the exceptions according to Section 16(2) of the Act No. 18/2018 Z. z. on Personal Data Protection.

Processing of sensitive personal data could result in compromising the rights of data subjects and therefore the processing of such data requires a higher level of protection and security.

Processing of personal data is any set of operations and activities with personal data. The most common operations include acquisition, collection, dissemination, recording, organisation, adaptation or alteration, retrieval, consultation, alignment, combination, transfer, use, storage, blocking, destruction, cross-border transfer, provision, disclosure or publication.

The controller may be a body of state administration, self-government body, other public authority or any other legal or natural person who alone or jointly with others defines the purpose and conditions of personal data processing and processes personal data of natural persons in their own name

​The controller is responsible for compliance with the basic principles of personal data processing, conformity of the personal data processing with the principles of personal data processing, and is obliged to prove this conformity with the principles of personal data processing at the request of the Office.

A data subject is any natural person whom the personal data concerns. A data subject may be only a natural person – an individual, not a legal entity.

An employee may be in the position of a data subject in relation to an employer processes personal data in the respective systems. A data subject may also be a customer whose personal data is processed, for example, for the purposes of sale. A data subject is also an individual who has given consent to the processing of his or her personal data for marketing purposes within a scope including name, surname, and e-mail address.

The fine can reach up to 20 million euros, or 4% of the annual turnover of the company, depending on which amount is higher.