The new Civil Code introduces a fundamental change for digital services: a consumer’s personal data may constitute consideration for a digital service. See the legal and practical recommendations for platform operators, e-commerce businesses, and fintech companies.
1. Why is this change happening and what prompted it
Slovak contract law has long lacked a clear legal classification for a model in which a consumer provides access to their personal data in lieu of monetary compensation. Apps, news portals, social media platforms, and freemium tools operate in a contractual gray area: The GDPR regulates data processing, but contract law is silent on what happens legally when this data serves as the actual consideration for a digital service. The result is legal uncertainty on both sides—consumers do not know what rights they have, and operators do not know what obligations they bear.
The new Civil Code (hereinafter the “new CC”) explicitly changes this situation. For the first time in the history of Slovak private law, it codifies a model in which a consumer’s personal data constitutes contractual consideration—and the contract in which this consideration is agreed upon becomes a distinct type of contract with its own rules and its own protective mechanisms. This change is not isolated. It is part of a broader digital reform of Slovak civil law that responds to the European legislative framework.
2. Scope: Who Is Affected by the New Regulation
The new legal regulation applies to any business model where a consumer receives digital performance without monetary consideration, providing personal data in its place. This primarily concerns freemium applications—mobile and web tools with a free basic function funded by data—news and content portals providing access to content in exchange for registration, as well as social media platforms, PFM-type fintech applications, investment and insurance tools, as well as online marketing solutions provided “for free” in exchange for access to users’ behavioral data.
It is important to emphasize what does not fall under the new regulation. If a consumer grants consent to data processing within the framework of a monetary contract, only the GDPR framework remains applicable. The subject of the new contractual regulation is exclusively the model where data is the sole and actual consideration for a digital service—not a supplementary element of an otherwise monetary relationship.
3. Three Key Obligations for Controllers
The new legislation establishes three distinct obligations for controllers, which together form a comprehensive protective mechanism for the consumer.
The first is the prior information obligation. Before concluding a contract, the trader will be required to clearly and explicitly inform the consumer about the scope, purpose, and conditions of the processing of their personal data as part of the contractual performance—not merely in the form of GDPR consent, but directly as a contractual term with legal consequences for its breach. While this obligation builds on the GDPR’s principle of transparency, it goes beyond it—it is not merely a matter of providing information, but a contractual component of the agreement, the absence of which may affect the validity of the entire contract.
The second obligation is to notify consumers of changes to digital performance. If the controller makes any change that affects the scope or manner of data processing—such as a change in the advertising model, an adjustment to the personalization algorithm, or an expansion of data sharing with third parties—it is obligated to notify the consumer of this change in advance and provide them with a reasonable period to respond. A unilateral change without prior notice will be classified as a breach of contract, which establishes the operator’s liability and the consumer’s right to redress.
The third and legally most novel change is the consumer’s right to withdraw from the contract. Since monetary consideration is absent in this model, the mechanism for “restitution” consists of the withdrawal of consent to the processing of personal data and the controller’s obligation to erase such data without undue delay. This is a legal construct without precedent in Slovak contract law to date, which in practice imposes fundamental technical and procedural requirements on controllers—the ability to identify and actually delete a specific consumer’s data must be technically ensured, not merely declared contractually.
4. Where current practice falls short: GDPR consent vs. contractual performance
The core of the problem lies in what most digital companies have conflated until now. GDPR consent and contractual consideration function as one and the same thing in their Terms and Conditions—by clicking “I agree to the terms and data processing,” it is impossible to distinguish what constitutes a contractual obligation and what constitutes consent under Article 6(1)(a) of the GDPR. The new Civil Code explicitly prohibits this conflation, as the legal consequences of the two categories are fundamentally different.
Contractual performance—i.e., data as consideration—is governed by contract law: it establishes claims for performance, liability for defects, the right to remedy, and the right to withdraw from the contract. GDPR consent, on the other hand, is governed by data protection law: it establishes the right to withdraw consent, portability, and erasure. These two regimes have different conditions, different time limits, and different penalties. Merging both into a single text will not only be legally incorrect—it may directly lead to the invalidity of the relevant contractual arrangements and liability toward the consumer.
5. Timeline and Urgency of Preparation
The new Civil Code and the associated digital reform of Slovak private law will take effect in 2027. From a preparation standpoint, this timeline is shorter than it appears at first glance. A realistic timeline for implementing the necessary changes—including legal analysis, preparation of new documentation, redesign of information architecture, and internal testing—ranges from six to twelve months.
This means that companies that begin preparations in 2026 will have sufficient time for systematic preparation. Those that wait until the last minute will be forced to change legal documentation, internal processes, and technical systems simultaneously and under deadline pressure—which exponentially increases the risk of errors and legal deficiencies.
6. What to Do: A Practical Framework for Preparation
For operators of digital platforms and freemium applications, the first step is a legal audit of existing Terms of Service, focused on identifying all instances where GDPR consent is mixed with contractual terms. Based on this audit, it is necessary to establish a separate contractual section for the “data-as-consideration” model with an explicit definition of the scope of processing and to implement a prior notification mechanism for any change affecting data processing.
For fintech applications and PFM tools, a key step is to reassess whether the business model falls under the new contractual category, and if so, to completely revise the contractual framework, including separating consents from contractual obligations. In this area, it is also advisable to consider consulting with the Office for Personal Data Protection regarding the correct interpretation of the boundary between the GDPR and the new contractual category, as this boundary will be subject to interpretative disputes in practice.
For news portals and content platforms, a particular challenge is the technical feasibility of the consumer’s right of withdrawal—the ability to actually delete a specific registered user’s data must be technically implemented, not merely stated in the terms and conditions. Therefore, it is essential to reassess registration and login processes in accordance with the new information obligations and, at the same time, update internal data processes so that the deletion mechanism is feasible.
7. Conclusion: A New Contractual Paradigm for Digital Business
The codification of personal data as a contractual consideration represents a fundamental shift for the digital business model in the history of Slovak contract law. It does not come as an obstacle—it comes as a rule of the game that has always existed, only it was not written down. Those who prepare systematically and in a timely manner will turn the regulatory burden into a competitive advantage in the form of trustworthiness and legal certainty vis-à-vis customers. Those who wait will be playing catch-up.
