News

Definition of the electronic mail has not changed in the New AEC when compared to the previous rules, and thus electronic mail still means a text, voice, audio or image/ video message sent over a public network that can be stored in the network or recipient's terminal equipment until it is picked up by the recipient. It is therefore e-mails, SMS/ MMS messages, so-called push messages, voice messages, etc.

Direct Marketing

When compared to the previous regulation, the New AEC has introduced a definition of direct marketing, which means any form of presentation of goods or services in written or oral form, sent or presented through a publicly available service directly to one or more participants or users (i. e. persons who have concluded a contract with a company providing electronic communications services or a person who uses such services – for example, if the telephone number assigned to the parents is used by a child).

Consent

The new AEC emphasizes and explicitly states the obligation to obtain prior demonstrable consent to direct marketing by strengthening the principle that such consent must be obtained before contacting the recipient.

However, according to the new regulation, the prior consent of the recipient of the electronic mail for the purposes of direct marketing is not required in the case of

• direct marketing of the person's own similar goods and services, if you have obtained contact details in connection with the sale of goods or services in accordance with the law, or
• in the case of direct marketing addressed to the published contact details of a participant or a user who is a natural person – entrepreneur or a legal person.

It follows from the above that the New AEC allows sending of not only the so-called cold mails, but also performance of direct marketing to the published contact details of entrepreneurs and legal persons. However, even in such cases, it will be necessary to comply with the provisions of the New AEC on the possibility of refusing such use of contact data in each case of direct marketing, and to pay attention to the period of use of the contact data obtained in such way.

However, we would like to draw your attention to the opinion of the European Court of Human Rights in the case Amann against Switzerland, according to which both, the GDPR and the ePrivacy Directive, provide protection, regardless of whether it is a private or professional aspect of life. The exception in the New AEC relating to natural persons – entrepreneurs may therefore constitute an invasion of privacy which is not supported by the ePrivacy Directive, the GDPR or the Constitution of the Slovak Republic.

Refusal of Consent

ipient of the electronic mail must be given the opportunity, simply and free of charge, at any time to refuse such use of the contact details at the time of obtaining of such data and by means of each message received, if the recipient has not previously refused such use. We would like to point out that this obligation also applies if you plan to use your customer's contact details for the direct marketing of your own similar goods and services. In practice, this obligation is often overlooked, and non-compliance with the relevant provisions of the law can be severely sanctioned. It is therefore appropriate to carefully consider the wording of each particular marketing communication or the sample texts you use. We will be glad to help you in this important area.

There has also been a significant strengthening of the conditions under which direct marketing consent can be granted. According to the New AEC, the use of automated calling and communication systems without human intervention, fax, e-mail and short message services are prohibited for the purpose of obtaining prior consent. In practice, it will be necessary to pay attention to obtaining consent, especially in the personal presence of the potential recipient, or obtaining consent by the active action of the potential recipient (subscribing to the so-called newsletter, etc.).

Requirements for Consent

The consent granted for marketing communication must meet the requirements of Article 4 (11) of Regulation (EU) 2016/679, i. e. GDPR. Details on the requirements of such consent are described below in connection with the granting of consent to the processing of cookies (part a)). The same rules apply to the granting of consent to contact for purposes of direct marketing. When obtaining consent, it is also necessary to indicate the manner in which the consent can be easily revoked.

It is still forbidden to send an electronic mail, from which the identity and address of the sender is unknown (to which the recipient can send a request to stop sending such messages), and to persuade to visit a website in the manner that is contrary to Act no. 22/2004 Coll. on Electronic Commerce.

The granted consent must be kept on a durable medium (e.g., in the form of a document, recording, in a suitable electronic form – please note: a hyperlink is not supposed to be durable medium) for at least 4 years from the revocation of the consent.

Revocation of the prior consent, or also an objection to calling for the purpose of direct marketing or for the purpose of granting of consent, may be made at any time, and such revocation of consent or acceptance of an objection to calling must be demonstrably confirmed to the person concerned and kept on a durable medium for at least 4 years from the revocation of consent or objection to the call.

Penalties

Legal persons and entrepreneurs face heavy sanctions for violating the aforementioned obligations. Office for the Regulation of Electronic Communications and Postal Services (hereinafter the “Office”) shall impose a fine of between EUR 200 and 5% of the turnover for the previous accounting period on a legal person or natural person – entrepreneur who has violated or failed to fulfil any of the obligations related to privacy protection in connection with direct marketing.

Blacklist (so called „Robinson’s List“)

According to the New AEC, the Office shall establish and operate a list of telephone numbers listed for the purpose of expressing disagreement with calling for direct marketing purposes (hereinafter "Blacklist") on its website. For direct marketing purposes, any call is prohibited if someone has provided a phone number in the Blacklist, or if someone has objected to such calls towards a person for whose benefit direct marketing is made (for example, another company that does not carry out direct marketing itself, but uses an intermediary).

Neither the new AEC nor other related legislation distinguishes between natural persons, natural persons – entrepreneurs or legal persons in connection with the Blacklist, and therefore, if the Office does not state any exceptions in the generally binding legal regulation mentioned below, contact details of any of these persons will be capable to be listed in the Blacklist.

However, the provisions on the Blacklist do not apply to the direct marketing of a person's own similar goods and services who has obtained contact details in connection with the sale of similar goods or services or with whom the person has a contractual relationship or for direct marketing purposes to a person who – itself – has demonstrably requested it in advance.

The provisions of the New AEC concerning the Blacklist come into force on November 1, 2022. The Office shall issue a generally binding legal regulation, in which it will lay down the details of the Blacklist. The Office is currently preparing the regulation, but the details are not yet known. Access to the Blacklist data will be charged for direct marketers.

Numbers Identified by the National Target Code for Direct Marketing Purposes in the Numbering Plan (so called "Prefixes")

On August 1, 2022, the provisions of the New AEC concerning uniform numerical prefixes denoting marketing calls will also enter into force. The obligation will apply to the persons conducting direct marketing through calls, automated calling and communication systems without human intervention, facsimile or short message services, or the person who is obtaining the prior consent to the call for direct marketing purposes. It applies in this case too, that the above obligation does not apply to calls for the purposes of direct marketing, if the call is made to the published contact details of a natural person – entrepreneur or legal person.

As in the case above, the provisions on prefixes do not apply to the direct marketing of the own similar goods and services of a person who has obtained contact details in connection with the sale of similar goods or services or with whom the person is in a contractual relationship or for direct marketing purposes to a person who – itself – has demonstrably requested such communication in advance.

Consents Obtained Before February 1, 2022

At the same time, the new AEC provided that consent to calls, use of automated calling and communication systems without human intervention, e-mail, fax or short message services for direct marketing purposes obtained prior to the entry into force of the New AEC remains valid until it is revoked or the telephone number is listed in the Blacklist.

2. Cookies

As the legislator stated in the explanatory memorandum to the New AEC, in the digital economy, market participants increasingly consider information about users (their preferences, behaviour, movement, etc.), which are processed in the form of cookies (i. e. short text files stored on the device of the website visitor) for information that has a monetary value. At the same time, in many cases, these are personal data and it is therefore necessary to pay attention to the processing of cookies. We will be glad to help you get a closer look in this area as well.

Types of Cookies

Cookies can be divided into technical (necessary, those related to the functionality of the site itself), analytical (related to the performance of the site and its monitoring) and marketing (targeted). Changes in the New AEC basically affect all types of cookies that are used on websites on a computer or other device (mobile phone, tablet), except for technical ones. In the case of technical cookies, it still applies that it is not necessary to obtain the consent e. g. in case of storing data about the items in the shopping cart or data which enable remembering the preferred language or logging in to the user account in the e-shop, but – on the other side – it is necessary to obtain prior consent for example in case of data used for remarketing purposes.

Opt-in versus opt-out

The so far valid opt-out principle (from which the user does not unsubscribe, that remains active) has been changed to opt-in from February 1, 2022 (the direct consent of the site visitor is required). Thus, almost every website is subject to the obligation to update the wording of the cookie policy, but also to adjust the so-called cookies bar and the information contained in it, so that it is in accordance with the New AEC.

Consent to the Use of Cookies

The granting of consent by the website visitors must be demonstrable, and therefore, in the case of administrative proceedings, the operator (of the website) must be able to prove that he has been granted consent from the user to use the particular service. At the same time, revoking a consent should be as simple as granting it (if the user gives one-click consent, it should also be possible to revoke it in this way).

According to the New AEC (in general, the same applied under the Old AEC), the provider of a publicly available service is obliged to ensure the technical and organizational confidentiality of messages and related traffic data. In particular, the recording, interception, storage of messages or other forms of interception or monitoring of messages and associated data by persons other than users, or performed without the consent of the users concerned, shall be prohibited, unless otherwise provided by law. It still applies that this does not prevent the technical storage of data which is necessary for the transmission of messages, without prejudice to the principle of confidentiality and subject to other conditions laid down by law.

However, as we have outlined above, the change affected the provisions on how the consent of the user have to be given. If the use of the appropriate settings of a web browser or other computer program has been considered for granting a consent so far, this possibility has been omitted from the New AEC and, therefore, anyone who stores or accesses information, stored in the user's terminal device, is entitled to do so only if the user concerned has given demonstrable consent. At the same time, it does not prevent the technical storage or access to data the sole purpose of which is to transmission or facilitation of the transmission of a message over a network or where this is strictly necessary for an information society service provider to provide an information society service explicitly requested by the user (therefore, no special consent is required for the storage of technical cookies).

As the New AEC also takes into account the principles set out in the ePrivacy Directive (Directive 2002/58 / EC of the European Parliament and of the Council), the above-described provisions practically stipulate that the prior consent of the site visitor is required for cookies processing, and such consent must meet GDPR requirements.

a) Requirements for Consent

The consent must be:

• freely given (i. e. the user must really have the option to choose and control, must not be forced into consent, for example, by not accessing the content of the site without clicking consent – for example through the so-called cookie wall with a single click option, such forced consent shall be considered invalid),
• specific (i. e. there must be a specifically, clearly and understandably defined purposes, as if consent is being given for more than one purpose, the person concerned must be able to choose consent for each purpose; if appropriate, the visitor may be hyperlinked to one or more separate documents or webpages where the individual ways and purposes of using personal data will be precisely described, e. g. about marketing, advertising targeting, personal preferences of the visitor; a very brief, unclear, "non-committal" declaration and formal statement is not enough; this part of the website needs to be properly addressed),
• informed (the visitor must be provided with at least the following information in advance: (i) the identity of the processor, (ii) the purpose of all processing operations for which consent is sought, (iii) what data, or type of data, will be collected and used, ) the existence of the right to revoke the consent; and (v) information on the use of data for automated decision-making, where applicable; and (vi) information on possible risks of data transfer due to the absence of a decision on adequacy and reasonable assurance under Article 46 GDPR; information are also required on (a) the types of cookies and their functions, (b) who operates them, (c) the retention period from the date of consent, and (d) whether the data obtained will be provided to the third parties – separate consent is required in such case) and
• a clear expression of the will of the affected person, in the form of a declaration or unambiguous confirmatory act, that he or she consents to such processing of the personal data.

The legal regulation in the New AEC therefore introduced higher demands on the cookies policy. The wording of the notifications displayed to site visitors before February 1, 2022 must therefore be carefully reviewed, amended or supplemented, and all requirements required by law and the GDPR regulation must be taken into account when processing cookies. It is no longer possible to rely on web browser settings as it has been acceptable so far.

b) Form of the Consent

Consent may be given in writing, orally, by audio messages and other suitable forms, but, in practice, using of the so-called cookie bars is the most common way for obtaining of the consent. Consent must be obtained in advance (before uploading files to the device), it must be possible to revoke it at any time, as easily as it has been granted, it must be expressed by active action (e. g. by clicking the yes/ no, I agree/ I disagree), it must be possible to modify it at any time and it must allow the activation of only some categories of cookies.

c) Validity of the Consent

Neither the Old AEC nor the New AEC determine the duration of the consent, but in practice there is a consensus (especially with the use of foreign resources) that the period for which the consent is granted should not exceed 13 months, and in case of non-consent the visitor should be questioned by the website again after 6 months at soonest.

d) Retention Period of the Consent

The New AEC has set the retention period for direct marketing purposes at 4 years; accordingly, this period should also apply to consent in relation to cookies. The granted consent must be kept for 4 years (if we take into account the provisions of the New AEC), or 5 years (if we take into account the provisions of the Personal Data Protection Act) from the expiry of its validity, based on the period during which it is possible to carry out inspections by inspection authorities.

e) Competences of Authorities

As the compliance with the rules of personal data protection is the responsibility of the Office for Personal Data Protection and monitoring of compliance with the rules set by the New AEC is the responsibility of the Office for Regulation of Electronic Communications and Postal Services, and the rules for using cookies fall within the competency of both offices, inspection can be performed by both offices, until a uniform and clear rule is set as to which office is to perform the inspection and in what extent. While a fine can be imposed under the New AEC within 4 years from the date of the breach (maximum fine up to 10% of the previous year's turnover), according to the Personal Data Protection Act this period is up to 5 years from the date of the breach (maximum fine 4% of the previous year's turnover).

The implementation of the GDPR Regulation[1], which entered into force in May 2018, posed a major challenge for the European public and private sector, including Slovak entrepreneurs.

The Slovak Republic has been characterized by relatively strict legislation in the field of personal data protection. Despite this fact, the GDPR Regulation also brought a different perspective on the personal data processing in the local area. Crucial was primarily the understanding of the processing of personal data from the optics of the data subject.

The aim of this newsletter is to summarize the practical aspects related to the processing of personal data, which, despite the time frame lapsed since the entry into force of the GDPR Regulation, are often neglected in the business environment or remained misunderstood.

What does it mean to be a "GDPR compliant"?

Acting as a "GDPR compliant" entity is a set of actions and systems set up both internally and externally, in relation to the data subjects.

At the time of implementation of the GDPR Regulation, achieving compliance with the GDPR Regulation required several steps, including in particular:

(a) identification of the scope of the personal data processed and the individual purposes of their processing;

(b) verification of the legal bases for the personal data processed;

(c) mapping personal data flows throughout their life cycle and documenting them in the required form;

(d) the destruction of personal data whose purpose of processing has ended or for which the company does not have an adequate legal basis;

(e) setting the retention period of personal data;

(f) the identification of third parties to whom personal data are provided and the conclusion of any personal data processing agreements with intermediaries;

(g) instructions for authorized persons processing personal data;

(h) setting up internal security, personnel and organizational arrangements; and

(i) retraining of authorized persons.

The most problematic aspects of personal data processing from the perspective of our practice

As legal advisors, we are increasingly observing that the perception of the personal data processing agenda as a purely formal matter prevails among Slovak entrepreneurs. The absence of a material understanding of the processing of personal data and the distinction of the data subjects at all levels (at least at employee and client level with respect to end customers) in the performance of business activities is perhaps the most common problem. Below we summarize some other aspects that entrepreneurs should not forget.

The necessity to update personal data flows

Companies often overlook that personal data flows are an active agenda. The scope of processed personal data or new purposes of processing, also result from changes in legislation (especially the obligations of entrepreneurs arising from newly adopted COVID- 19 legislation).

A typical example is the introduction of a new purpose of personal data processing in connection with the fulfillment of the employer's obligations under Act no. 355/2007 Coll. on the protection, support and development of public health and on the amendment of certain laws and the relevant decrees of the Public Health Office of the Slovak Republic regulating the entry of employees into the workplace and the employer's obligation to check the COVID-19 vaccination certificate, the COVID-19 disease test result, or to enable the COVID-19 disease test. In addition to documenting this flow of personal data, it is also necessary to instruct the authorized person who will perform the said inspection on the handling of personal data.

"Legitimate interest" as the legal basis for the processing of personal data for the marketing agenda

In connection with the entry into force of the GDPR Regulation, many entrepreneurs were faced with the decision on how to deal with their (potential) contacts in CRM or marketing databases. Some cautiously and at considerable expense obtained consent to the processing of personal data from data subjects and often deleted thousands of personal data records without an adequate legal basis. Others relied on the so-called "legitimate interest" and on this legal basis they have continuously contacted their (ex) customers (and often potential customers).

As it has been shown in application practice, a company can use the legal basis of a legitimate interest on the basis of a performed and documented proportionality test vis-à-vis its former customers who have already purchased goods / procured services from it in the past. [2]

The use of a legitimate interest vis-à-vis "non-customers" in application practice has not yet been established and, in our legal opinion, is only possible within very strict limits. However, in the case of e-mail addressing potential customers, for example, the sad limits imply not only from the GDPR Regulation, but also from the legal regulation concerning advertising and marketing in electronic communications. In practice, it is based on the admissibility of the so-called "plain-text" e-mail message containing a proposal for establishment, cooperation or request for consent to send the company an offer.

There are only few formulations used by sales representatives and marketers to awake interest which comply also with the applicable legislation.

Storage and disposal of personal data

As part of our profession, we also often reflect that companies either do not have internally set appropriate retention periods for records or do not have an internal system in place on who disposes of personal data after retention periods.

Managers often have only a paper license to perform these acts, but in reality, they are not performed at all. Such an approach is in serious conflict with the GDPR Regulation.

Formally determined responsible person and insufficient instruction of persons authorized to process personal data

Similarly, DPO for this agenda are often appointed in companies only formally. However, if a security incident occurs or the data subject contacts and exercises some of his/her rights, they often do not know which procedure to choose and how to react. Embedding an internal policy for these cases in an internal directive can be very helpful in such cases.