Introduction to Slovenian data protection law regime

The Republic of Slovenia (hereafter referred to as Slovenia) is one of the European Union Member-States that has still not implemented a new law on data protection regarding the adoption of the General Data Protection Regulation 2016/679 (hereafter referred to as GDPR). While GDPR is directly applicable in the whole territory of the European Union, it has left several issues for consideration of its particular country. Unfortunately, in Slovenia there is a pending legislative procedure, at the end of which the new Data Protection Act (hereafter referred to as ZVOP-2) should be passed. Despite the fact that the legislative process had been started in April 2018, later on it was stopped due to the Parliamentary Elections in country. As of March 2019, there is no final outcome in that behalf.

Currently, legal regulation of Slovenian data protection regime is presented by the Personal Data Protection Act (hereafter referred to as ZVOP-1), especially in questions that are not covered by provisions of GDPR. To that extent the following points could be indicated: biometrics matters, protection of personal data of deceased, judicial protection of rights, direct marketing, video surveillance etc. In addition, the Inspection Act (2002, amended 2014), the Access to Public Information Act (2003, amended 2015), the Mass Media Act (2006), the Classified Information Act (2006), the Electronic Communications Act (2014) somehow relate to the legal regulation of the topic under discussion.

With regard to ZVOP-2, its draft presupposes that the Information Commissioner (hereafter referred to as Commissioner) – presently effective national supervisory authority – will continue to act and represent Slovenia on the European Data Protection Board. As a competent authority, it has a right to perform inspections under GDPR, but it does not have a power to impose administrative fines and sanctions for violations of GDPR. This is because the Information Commissioner Act does not entitle the Commissioner to act as a minor offence authority for infringements of GDPR.

Notwithstanding the fact that the ZVOP-2 has not yet been passed, several national data protection specifications can be emphasized. For instance, it is expected that in Slovenia the age, at which a child can provide consent to online services, is likely to be reduced to 15 or 14 years.

Data protection officers must also be appointed where required by national law. Also, a proposed draft of ZVOP-2 prescribes that a data protection officer shall be compulsorily appointed in case that:

  • Controllers and Processors are a public authority, or Processors in the private sector, that perform duties of processing for Controllers in the public sector; or
  • Controllers and Processors in the private sector perform activities of processing personal data, which due to their nature, scope or purpose comprise regular, systematic and extensive supervision of individuals, to which the data pertains, or their activities comprise extensive processing of special types of personal data or personal data pertaining to criminal judgments and misdemeanours.

In relation to Controller’s duty to provide Data subjectwith a privacy notice regarding the processing of individual’s personal data in the enhanced transparency manner, Slovenian legal entities in the public and private sector, by virtue of compliance with the Public Use of the Slovene Language Act, have to use the Slovenian language in all communications with others in the territory of the Republic of Slovenia. Corresponding to aliens, a particular foreign language can be used in along with Slovenian. Regardless of the foregoing, information on such significant points as rules for: processing sensitive personal data and information about criminal offences, notice of breach laws, fines and imprisonment is currently not available. However, for any GDPR infringements as of 25 May 2018 and up to new data protection legislation entry into force, the perpetrators could be imposed with the GDPR administrative fines, if these procedures will be started or finished within the general limitation periods for dealing with minor offences. Thereafter, persons only have a possibility to appeal for judicial protection under ZVOP-1, but not to file a complaint with the supervisory authority under GDPR.

Questions regarding Slovenian business or data protection law? We are happy to assist you with our partner:

Ana Lešnik Sitar attorney at law

Aleš Avbreht attorney at law