Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Slovenia - Data Protection Overview

Slovenia - Data Protection Overview

April 2024

1. Governing Texts

After several years in the making and four attempts, the Slovenian Parliament ('the Parliament') adopted the new Personal Data Protection Act 2022 (only available in Slovene here) ('ZVOP-2') in December 2022, which came into effect on January 16, 2023. With the ZVOP-2, Slovenia became the last EU Member State to adopt the legislative provisions on the matters left by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') to the competence of EU Member States. In addition to tailoring the GDPR to the specifics of Slovenian national laws, the ZVOP-2 appoints the Information Commissioner ('the Commissioner') as the Slovenian data protection supervisory authority and repealed and replaced the previous Personal Data Protection Act 2004 ('the Act').

In the year since coming into effect, ZVOP-2 did not bring any major changes to the protection of personal data in Slovenia as the rights and obligations stipulated in the GDPR already applied directly beforehand. While its annual report for 2023 is not yet publicly available, the Commissioner recently reported that it is registering a significant increase in complaints and breach notifications in comparison to previous years, partly also due to ZVOP-2 and the accompanying increased public interest in personal data protection.

1.1. Key acts, regulations, directives, bills

The right to data privacy and the protection of personal data in Slovenia is guaranteed by Article 38 of the Constitution of the Republic of Slovenia ('the Constitution'). As one of the fundamental human rights, the protection of personal data is raised to the same position as the right of communication privacy and freedom of expression. The Constitution prohibits the use of personal data contrary to the purpose of its collection, grants each individual the right of access to the information relating thereto, guarantees the right of judicial protection from any abuse of such data, and leaves the particulars on collection, processing, use, supervision, and protection of personal data to the ZVOP-2.

The ZVOP-2 is the key GDPR implementing legislation in Slovenia. While the GDPR is directly applicable therein, the ZVOP-2 supplements the GDPR in areas where so permitted, grants additional rights (e.g., by governing the processing of personal data of deceased persons), governs certain procedural rules on administrative and judicial protection, and stipulates sanctions. The ZVOP-2 applies to data processing in both private and public sectors.

The Act on the Protection of Personal Data in the Area of Treatment of Criminal Offenses 2020 (only available in Slovene here) ('the Criminal Offenses Act'), adopted in 2020, transposed and implemented the Data Protection Directive with respect to Law Enforcement (Directive (EU) 2016/680) into Slovenian national legislation. The Criminal Offences Act grants the Commissioner the position of the supervisory authority and of appellate authority for individuals' appeals against decisions of competent authorities (i.e., police, state prosecutors, and probation and penal authorities) related to personal data collected, used, and processed in relation to criminal offenses, their discovery, and prosecution.

The Information Commissioner Act 2005 (only available in Slovene here) ('Information Commissioner Act') governs the appointment and the position of the Commissioner and its supervisors, as well as supplements the ZVOP-2 (and General Administrative Procedure Act 2006 (only available in Slovene here) on certain procedural issues.

A number of other sector-specific acts govern the collection and processing of personal data (and individuals' rights in relation thereto) in their respective fields (e.g., the Patients' Rights Act 2008 (only available in Slovene here) ('Patients' Rights Act'), the Electronic Communications Act 2022 (only available in Slovene here) ('Electronic Communications Act'), the Banking Act 2021 (only available in Slovene here), the Classified Information Act 2006 (only available in Slovene here), the Defense Act 2004 (only available in Slovene here), the Slovenian Intelligence and Security Agency Act 1999 (only available in Slovene here), etc.); in these fields, the ZVOP-2 is applied subsidiarily.

1.2. Guidelines

The Commissioner is quite an active authority, and it regularly publishes news, handbooks, guidance notes, and questions and answers ('Q&A') documents on its website. Moreover, the Commissioner responds to requests for opinions and explanations. In its opinions, although not legally binding, the Commissioner usually provides useful and concise guidance on practical issues of data protection and standard practice. The opinions are regularly published online and are available in Slovene here.

Some of the amended guidance notes include:

  • guidelines on video surveillance (only available in Slovene here);
  • guidelines on the use of cookies and similar tracking technologies (only available in Slovene here);
  • guidelines for event organizers (only available in Slovene here);
  • guidelines for the managers of multi-apartment buildings (only available in Slovene here);
  • guidelines for the processing of biometric data (only available in Slovene here);
  • guidelines relating to the transfer of personal data to third countries and international organizations (only available in Slovene here);
  • guidelines on the protection of personal data in employment relationships (only available in Slovene here);
  • guidelines on the use of GPS tracking devices and related personal data protection issues (only available in Slovene here); and
  • guidelines on Data Protection Impact Assessments ('DPIAs') (only available in Slovene here).

Moreover, the Commissioner published template forms for data subjects to exercise their rights, as well as several other templates for data controllers and processors. The forms are available in Slovene here.

In addition to this, the Commissioner also published an information page on joint controllership (only available in Slovene here).

1.3. Case law

In its landmark decision No. U-I-180/21 of April 14, 2022 (only available in Slovene here), the Constitutional Court of the Republic of Slovenia ('Constitutional Court') assessed, inter alia, the relation between the GDPR, the Constitution, and the Act, relating to the processing of personal data for the performance of a task carried out in the public interest or in the exercise of official authority. The case was brought to the Constitutional Court by the Commissioner, which claimed that the decrees of the Slovenian Government mandating the verification of the 'recovered, vaccinated, tested' ('RVT') condition for the use of public services during COVID-19, infringed upon the fundamental right of personal data protection (under Article 38 of the Constitution) and were thus unconstitutional.

The Constitutional Court held that the purpose of the GDPR is the protection of an individual against unlawful collection, processing, use, and disclosure of such individual's private details, and not blank permission to the State to collect and process personal data. The GDPR does not constitute a sufficient legal basis for the State's processing of personal data; instead, such legal basis must be created on the basis of the GDPR by an act adopted by the Parliament. Thus, the GDPR is not directly applicable when it comes to the exercise of the State's official authority in the broader sense (including prescribing mandatory obligations or rights of the data controllers or processors). In that regard, the Constitutional Court reiterated that no processing of personal data may be governed by any act other than a legislative act adopted by the Parliament. Finally, the Constitutional Court held that if individuals can conduct their everyday social, religious, or political activities only if they consent to the personal data processing prescribed by the State (in the case at hand, verification of the RVT condition), such consent cannot be deemed as given voluntarily.

Other notable case law include:

  • Judgment no. II U 45/2020 of May 30, 2023 (available in Slovene here), of the Administrative Court of the Republic of Slovenia ('Administrative Court'), whereby the Administrative Court held that the employers are not permitted to conduct video-surveillance exclusively based on employees' consent therewith, but solely within the scope and permissions granted by the applicable laws governing video-surveillance (the Act or now ZVOP-2);
  • Judgment no. IV Ips 2/2021 of March 16, 2021 (available in Slovene here), of the Supreme Court of the Republic of Slovenia ('Supreme Court'), whereby the Supreme Court confirmed that under the GDPR, EU Member States enjoy some discretion in relation to the sanctioning of GDPR's breaches. While the Supreme Court recognized the principle of supremacy of EU law, it also held that the Act and the Misdemeanours Act 2003 (only available in Slovene here)) remain within the boundaries of the discretion conferred upon Slovenia, as an EU Member State, by the GDPR. Thus, according to the Supreme Court, under the Act (and until the enforcement of the ZVOP-2), there were no legal grounds for sanctioning GDPR breaches with the administrative fines prescribed by the GDPR; instead, persons and/or entities breaching the GDPR could only be fined with (substantially milder) fines under the Act;
  • Judgment No. I Cp 811/2021 of September 16, 2021 (available in Slovene here), of the Higher Court in Ljubljana (Ljubljana Higher Court'), whereby the Ljubljana Higher Court explained that the information in the email inbox of a former employee should be considered a personal data filing system and should thus be subject to protective measures under Article 32 of the GDPR. The Ljubljana Higher Court further held that the employer has the right to access such information (whether or not it contains personal data) under significantly milder conditions in comparison to its access to a 'live' email inbox, provided that the employer has a valid reason for such access, and the information is reviewed by an authorized person of the employer; and
  • Judgment No. I U 985/2020 of September 8, 2021 (available in Slovene here), of the Administrative Court, whereby the Administrative Court confirmed the Commissioner's position that an individual does not have the right to request and obtain deletion of their personal data from the register of baptisms maintained by the catholic church by invoking the right to erasure under Article 17 of the GDPR.

2. Scope of Application

2.1. Personal scope

The ZVOP-2 applies to both public and private controllers and processors. The ZVOP-2 applies to the processing of personal data in the Slovenian public sector comprising of state authorities, authorities of local communities, entities entrusted with public authority, public agencies, funds, institutions, universities and other tertiary education entities, private kindergartens, and primary and secondary schools to the extent they provide publicly approved and financed programs, as well as any other entity established by law.

All natural persons (individuals) are entitled to data protection; the protection also applies to deceased individuals.

Legal entities are not entitled to data protection. Moreover, data protection also does not extend to individuals performing registered commercial activities on the market (e.g., sole proprietors, independent attorneys, doctors, artists, etc.) insofar as the data is directly related to such individuals' commercial activity.

2.2. Territorial scope

The ZVOP-2 applies in the entire Slovenian territory.

The ZVOP-2 applies to the processing of personal data:

  • in the private sector (i.e., duly registered persons or entities performing commercial activities, including, but not limited to, commercial companies and public enterprises), if the processing of personal data is conducted in relation to a data controller or processor's commercial activities registered in Slovenia, irrespective of whether the processing takes place in Slovenia or not; and
  • conducted by the data controller or processor with registered commercial activity outside the EU if such activities are related to the supply of goods or services to individuals in Slovenia (regardless of whether such goods or services are provided for a fee or free of charge) or are related to the monitoring of individuals' activities and/or behavior if such monitoring is performed in Slovenia.

2.3. Material scope

The ZVOP-2 applies to the processing of personal data in both the public and private sectors, either in whole or partly by automated means, and to the processing, other than by automated means, of personal data that form part of a filing system or are intended to form part of a filing system.

Moreover, the ZVOP-2 also provides special rules for the processing of personal data for scientific, historical, artistic, and statistical purposes, and governs the processing of personal data in relation to the freedom of expression and thought. The ZVOP-2 also contains provisions on video surveillance (including the prohibition of automatic number-plate recognition ('ANPR') systems in public areas), processing of biometric and genetic data, processing of contact information and personal documents, processing of personal data in relation to access control, and permits the processing of personal data in public registers, if the collection of data in such registers is permitted under the applicable law.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The main regulator for data protection in Slovenia is the Commissioner.

3.2. Main powers, duties and responsibilities

The Commissioner is an independent authority established by the Information Commissioner Act, authorized to regulate and supervise the protection of personal data and access to public information (under the Access to Public Information Act (only available in Slovene here) ('the Public Information Act').

Key competencies of the Commissioner under the Information Commissioner Act are:

  • deciding on the appeals against the decisions by which another body has refused or dismissed an applicant's request for access, or violated the right to access or re-use of public information;
  • supervising the implementation of the Public Information Act and regulations adopted within the framework of appellate proceedings;
  • inspecting/supervising the implementation of the ZVOP-2 and other regulations governing the protection or processing of personal data or transfer of personal data from Slovenia to third countries, as well as carrying out other duties, defined therein; and
  • deciding on individuals' appeals under the ZVOP-2 when the respective individual's rights request under the same has been rejected or denied by a data controller.

Moreover, under the ZVOP-2, the Commissioner is also authorized to, inter alia:

  • supervise and conduct regulatory surveillance and inspections in relation to compliance with the ZVOP-2, the GDPR, and other regulations relating to the protection of personal data;
  • order corrective or other measures to ensure compliance with the applicable regulations, including, but not limited to, ordering restrictions to data processing (e.g., by ordering anonymization, deletion, or archiving of data), prohibition of data transfer to a third county or party, etc.);
  • prepare and give advisory opinions to governmental authorities in relation to the compliance of draft legislation with the ZVOP-2, the GDPR, and other regulations relating to the protection of personal data;
  • decide in the administrative proceedings on compliance of processing of biometric data in the private sector with the ZVOP-2;
  • raise awareness of the general public on the risks, rules, protective measures, and rights of individuals with respect to data processing and privacy; and
  • notify the competent court of identified breaches or non-compliance with the ZVOP-2, provide expert opinion thereon to the court, and request criminal prosecution if the identified violations constitute a criminal offense.

The Commissioner is also authorized to independently monitor and supervise the implementation of the Schengen Agreement and compliance with the provisions on the protection of personal data not entered in a data file (Article 128 of the Convention Implementing the Schengen Agreement of 14 June 1985).

4. Key Definitions

Data controller: There are no national variations from the GDPR.

Data processor: There are no national variations from the GDPR.

Personal data: There are no national variations from the GDPR.

Sensitive data: There are no national variations from the GDPR.

Health data: There are no national variations from the GDPR.

Biometric data: There are no national variations from the GDPR.

Pseudonymization: There are no national variations from the GDPR.

5. Legal Bases

In principle, the legal bases for the processing of personal data are the same as in the GDPR. There may be certain national specifics in individual sector regulations, mainly due to the regulations' interpretation by the Commissioner or the national courts.

5.1. Consent

While there are no national variations from the GDPR in relation to the definition of consent (the ZVOP-2 does define 'admissibility of consent' in the public sector and provides for additional regulation of children's consent in relation to e-services), in practice, the Commissioner has developed a relatively strict understanding of informed consent. As explained in the Commissioner's guidelines (only available in Slovene here), in order to be valid, each declaration of consent must be voluntary, specific, informed, clear, and made for each intended processing separately.

According to the Commissioner, consent is informed when the individual understands the contents thereof (i.e., what the individual consents to) and of the terms of consent's withdrawal. Informed consent includes at least the following information (in simple and clear language, separate from any other statements or declarations of consent):

  • the data controller's identity;
  • the defined purpose of each processing requiring individual consent;
  • a clear indication of the types of personal data to be collected and processed;
  • information on the right to withdraw consent;
  • information to the individual on their right not to be subject to a decision based exclusively on automated processing (including profiling); and
  • information on potential risks of personal data transfer to a third country or organization.

Consent in the public sector

In the public sector, personal data may be processed on the basis of consent for the purposes set forth in the applicable laws. If the purposes are not prescribed by law, personal data may only be processed pursuant to an individual's consent, insofar as the data is not processed for the execution of a public sector authority's statutory tasks, competencies, duties, and responsibilities.

Children's consent in relation to e-services

Under Article 8 of the ZVOP-2, only a child aged 15 years or older is able to give valid consent to the processing of their personal data for the use of e-services (where such e-services are offered or addressed to children directly or it can be reasonably assumed that such services will be used by children). For children under the age of 15, such consent can only be validly given (or approved) by one of the child's parents or legal guardian; if the e-services are provided free of charge, consent may also be given by the child's foster parent.

Parents' consent ceases to be valid as soon as the child reaches the age of 15, and the data controller must obtain new consent from the child directly.

5.2. Contract with the data subject

There are no national variations from the GDPR.

5.3. Legal obligations

There are no national variations from the GDPR.

5.4. Interests of the data subject

There are no national variations from the GDPR.

5.5. Public interest

There are no national variations from the GDPR.

5.6. Legitimate interests of the data controller

There are no national variations from the GDPR.

While direct marketing by regular post is governed by the ZVOP-2, the processing of personal data via means of electronic communication is regulated separately in the Electronic Communications Act. The data controller's legitimate interest is thus not necessarily a sufficient legal basis for, e.g., direct marketing messages by SMS, emails, or phone calls.

5.7. Legal bases in other instances

Processing of contact information

The ZVOP-2 permits the processing of an individual's contact information under the following conditions:

  • the data controller obtained the individual's contact information from a publicly available source, or in the course of exercising its public authority, have been disclosed thereto by the respective individual, or the respective individual consented to such processing;
  • the contact information is processed for the purpose of organizing official meetings, training, education, or other events, or for the purpose of making statements to the public; and
  • the scope of processed data is limited to the individual's name, telephone number, email address, or other communication number/designation, information about the employer/organization, and information on the individual's field of work, position, function, club membership, or hobby.

For the purpose of informing the public, a data controller may process (and publish) names, titles, photographs, and videos of individuals, if such data was obtained at events organized by the data controller within the scope of its duties, responsibilities, or activities, provided that the individual has not objected to such processing.


The ZVOP-2 permits the processing of personal data for the purposes of:

  • informing the public by the media;
  • literary, artistic, or research activities;
  • serious criticism;
  • defense of any right; or
  • protection of legitimate interests, if:
    • the individual has consented to the processing, publication, or disclosure;
    • the individual has published or made its data publicly available;
    • the personal data was previously (lawfully) published or made publicly available;
    • the personal data was obtained in a public place or event, where an individual, considering the relevant circumstances, could not reasonably expect the protection of their privacy;
    • the personal data is processed, disclosed, or published in a lawful opinion or an assessment, provided that the publication of personal data is necessary for the justification of such opinion or assessment;
    • the personal data was obtained by any other lawful means;
    • the public interest in informing the public, and the right to information and freedom of expression outweigh the individual's legitimate interest in the protection of their privacy or any other right relating to the individual's personality; or
    • permitted by law.

Individuals may enforce and protect their rights in judicial proceedings.

The data controllers are prohibited from unlawfully disclosing or disclosing personal data for the purpose of exercising their right to expression.

Deceased persons

Deceased persons' data may be transferred or disclosed to:

  • users authorized to process such data by a legislative act adopted by the Parliament;
  • users who are able to demonstrate their legitimate interest in such data in any official proceedings; or
  • the deceased spouse, domestic partner, child, parent, or heir, unless the deceased person prohibited disclosure of their data.

Moreover, the deceased person's data may also be used for scientific, educational, historical, statistical, or archiving purposes, but only if the deceased consented to such processing before their passing or if the consent is given by their spouse, domestic partner, child, or parent. If the deceased was a public figure, the processing of their data for publication or other processing in historical or other educational publications is permitted by the ZVOP-2.

The rights and limitations apply for 20 years upon the individual's death.

Processing of biometric information and genetic material

Processing of an individual's genetic material and the information related thereto (e.g., individual's DNA material) is only permitted if:

  • it is allowed by a legislative act adopted by the Parliament;
  • it is necessary to provide healthcare services; or
  • the individual, the genetic material whereof is to be processed, explicitly consented thereto, and such consent is given in the form of a written agreement concluded for the processing of such individual's genetic information.

In the public sector, biometric information (other than genetic material) may be processed if explicitly allowed by a legislative act adopted by the Parliament for:

  • the protection of individuals' safety, of belongings, or confidential information and trade secrets, or identification of missing or deceased persons, provided that such purposes cannot be achieved by milder means;
  • individual's identification for the purpose of issuing electronic identification document to such an individual;
  • individual's identification in cross-border movements or if such identification is required under international laws; or
  • access control into a public building or part thereof (if necessary for the protection of individuals' safety or for the protection of belongings or confidential information and trade secrets).

In the private sector, biometric information (other than genetic material) may be processed only if the processing of such data is necessary:

  • for the operation of private entity's commercial activity;
  • for the protection of individuals' safety; and
  • for the protection of belongings or confidential information and trade secrets.

Moreover, the biometric data may be processed for identification purposes, if permitted by a legislative act adopted by the Parliament or with the individual's consent. Before processing of biometric information, private entities must apply for the Commissioner's approval; no approval is necessary if the processing of biometric data remains under an individual's control and the processing activities are verified by the Commissioner under the relevant certification mechanism. Accreditations to the certifying organizations will be awarded by the Slovenian Accreditation by mid-2024, and the private sector processors should apply for certification by June 30, 2024.  

Collection or processing of biometric information for marketing purposes or in exchange for goods or services is prohibited.

Data of employees

The Employment Relationships Act 2008 (only available in Slovene here) permits an employer's collection, processing, use, and transfer of employees' personal data to third parties only insofar as it is necessary for the execution of rights and obligations arising from the employment relationship or in connection with the employment relationship.

Under the Labour and Social Security Registers Act 2006 (available in Slovene here), employers are required to maintain registers of employees, labor costs, use of working time, and available collective dispute resolution mechanisms.

Electronic communications

The Electronic Communications Act permits the use of automated calling or communication systems to subscribers' phone numbers (including text messages) or email services for direct marketing purposes, only upon prior explicit consent of the subscriber or the user. Use of a customer's email address for direct marketing purposes is permitted if such marketing targets pre-existing customers and, provided that each email gives the customer the option to opt out of marketing free of charge. A third party may use the individual's email address for communications only if a legal entity publicly indicates such email address as its official contact address.

Under the Electronic Communications Act, calls to emergency numbers (general emergency number: 112, police emergency number: 113, and missing children emergency number: 116 000) are exempt from the mandatory notice to the caller that the calls are recorded. Moreover, the communication services providers must provide the emergency responders with certain personal data (full name and address of the subscriber, as well as the telephone number and the actual location of the caller, obtained from the mobile device, where technically available) of either the caller to the emergency numbers or any person for which it is reasonably presumed they are in distress or it is vital for them to be located as soon as possible (e.g., reported missing children, any person whose life is likely to be in danger and their localization is necessary to prevent significant harm to their life or body functions).

Access to public information

Under the Public Information Act, certain individuals' personal data, related to the performance of public office, function, or authority, are public/freely accessible (including the information on public servants' employment). Moreover, the personal data of certain individuals is also public if such information is directly linked to the use of public funds.


ZVOP-2 prohibits the use of Automatic Number Plate Recognition (ANPR) systems and systems for processing of biometric data in public areas. In 2023, the Commissioner adopted and published a number of non-binding opinions, in which it held that such prohibition should be construed as preventing the processors from claiming lawfulness of personal data processing under Article 6(1)(c) or Article 6(1)(d) of the GDPR. However, nothing in ZVOP-2 should be construed as to prohibit the use of ANPR systems and systems for processing of biometric data on another legal basis (e.g. individual's consent) in the private sector. As an individual's consent cannot constitute a valid legal basis for processing personal data in the public sector, the use of such systems in the public sector is, in principle, permitted only when explicitly authorized by an act of Parliament.   

Public parking areas and areas surrounding shopping centers (even if owned and/or managed by private entities or individuals) are considered public areas.

6. Principles

There are no national variations from the GDPR.

7. Controller and Processor Obligations

7.1. Data processing notification

The ZVOP-2 abolished the previously mandatory notification and registration of databases and personal data processing activities to the Commissioner.

7.2. Data transfers

In principle, there are no national variations from the GDPR.

The Commissioner prepared Standard Contractual Clauses ('SCCs') for contracts between a data controller and a data processor (available in Slovene here); the European Data Protection Board ('EDPB') approved the clauses pursuant to the GDPR. The SCCs implement the GDPR requirements and can be used in most sectors.

7.3. Data processing records

There are no national variations from the GDPR.

7.4. Data protection impact assessment

There are no national variations from the GDPR.

7.5. Data protection officer appointment

In principle, there are no national variations from the GDPR. In addition to the data controllers and processors referred to in Article 37 of the GDPR, the appointment of a data protection officer ('DPO') is mandatory for:

  • data controllers and processers in the public sector; and
  • data controllers and processers, whose activities consist of processing of special categories of personal data.

Any person with sufficient knowledge and experience in the field of data protection, who is capable to perform the tasks and duties of a DPO and has not been sentenced for a criminal offense related to the violation of personal data or for another criminal offense to more than six months imprisonment, may be appointed as DPO. If the person is to be appointed as a DPO in the public sector, they must be employed there as well – this condition does not apply to outsourced DPOs.

The data controller or processor must publish the contact information of the DPO online and notify such information to the Commissioner within eight days of the DPO's appointment.

7.6. Data breach notification

There are no national variations from the GDPR.

7.7. Data retention

In principle, there are no national variations from the GDPR: personal data should only be kept or retained until the purpose for which they are processed is achieved. The data controller must periodically review whether the processing of personal data is still necessary.

7.8. Children's data

In principle, there are no national variations from the GDPR.

The age of consent is 15 years old.

7.9. Special categories of personal data

In principle, there are no national variations from the GDPR.

Data that falls within the special categories of personal data (including criminal convictions data) may not be kept outside the territory of the Republic of Slovenia.

7.10. Controller and processor contracts

There are no national variations from the GDPR.

8. Data Subject Rights

8.1. Right to be informed

There are no national variations from the GDPR.

8.2. Right to access

There are no national variations from the GDPR.

The right to access medical records and related information is governed by the Patients' Rights Act.

8.3. Right to rectification

There are no national variations from the GDPR.

8.4. Right to erasure

There are no national variations from the GDPR.

8.5. Right to object/opt-out

There are no national variations from the GDPR.

Under the Electronic Communications Act, individuals have the right to opt out of the use of their personal data for marketing purposes, and for research purposes.

8.6. Right to data portability

There are no national variations from the GDPR.

8.7. Right not to be subject to automated decision-making

There are no national variations from the GDPR.

8.8. Other rights

An individual who reasonably believes that their rights arising from the GDPR, the ZVOP-2, or any other law governing personal data protection, are breached by a controller or a processor, has the right to request judicial protection at any time, without first exercising any other right or legal remedy, and to request the court to order immediate cessation of the breach, remedy of the breach, and reimbursement of any damages incurred thereto. The petition must be filed with the Administrative Court, and the rules of the administrative dispute proceedings apply.

9. Penalties


Administrative sanctions

In addition to the administrative sanctions under the GDPR, the Commissioner may impose fines under the ZVOP-2. In accordance with Slovenian legislative practice, a breach or non-compliance with the ZVOP-2 constitutes a misdemeanor, for which the ZVOP-2 prescribes fines of varying amounts, depending on the severity of the misdemeanor and the financial strength of the offender. For a breach of the key principles and provisions of the ZVOP-2, the fines range from €4,000 to €12,000 for micro or small enterprises, whereas for mid-sized and large enterprises, the fines range from €8,000 to €36,000; the fines for legal entities' responsible persons range from €400 to €4,000. Sole proprietors may be issued with fines from €3,000 to €9,000.

The highest fines (up to €40,000 for mid-sized and large enterprises, up to €20,000 for sole proprietors, and up to €4,000 for the responsible persons of commercial entities) may be imposed for the most severe breaches of provisions on video surveillance and on biometric and genetic data (especially in relation to the use of such data for marketing purposes).

The ZVOP-2 also authorizes the Commissioner to impose fines against responsible persons of commercial or legal entities for breach of GDPR provisions committed by such entities. The responsible persons may be sanctioned with a fine between €100 and €5,000 for breaches under Article 83(4) of GDPR, or a fine between €200 and €8,000 for breaches under Articles 83(5) and 83(6) of GDPR.

Criminal sanctions

Under Article 143 of the Criminal Code 2008 (available in Slovene here), any person who publishes, or causes to be published, personal data processed on the basis of a legislative act or the personal consent of the individual to whom the personal data pertain, without a legal basis provided by a legislative act or without the individual's consent, shall be punished by a fine or imprisonment for up to one year; if the offense is carried out by publishing or causing to be published sensitive personal data, the responsible person shall be sentenced to imprisonment for up to two years.

The same punishment shall apply to anyone who breaks into a computerized database in order to acquire personal data on their own behalf or on behalf of a third person.

If any of the offenses are committed by an official through abuse of office or official powers, they shall be sentenced to imprisonment for up to five years.

9.1 Enforcement decisions

Since ZVOP-2 came into force, the Commissioner issued about 50 enforcement decisions: apart from two, in which the Commissioner rejected the complaints against the processors of personal data, in most of the decisions, the Commissioner sanctioned individuals and/or private entities for misdemeanors conducted in the breach of their obligations under the GDPR and ZVOP-2. Most of the issued sanctions are official warnings. No major fines have been issued so far.

Please see the section titled 'case law' above for relevant case law.