Slovenia - Data Protection Overview

May 2022

1. Governing Texts

Slovenia has a long tradition of data protection regulation. Personal data protection is a constitutional and human right, stipulated in Article 38 of the Constitution of the Republic of Slovenia. A special feature of this constitutional provision is the requirement that the collection, processing, purpose, control, and protection of the secrecy of personal data be determined by law (and not by an executive regulation).

The first attempt to regulate the protection of personal data by law can be seen in the Social Information System Act 1983. However, the first comprehensive data protection law was the Law on Personal Data Protection, adopted on 7 March 1990; both were adopted while Slovenia was still part of the Socialist Federative Republic of Yugoslavia.

After the independence of the Republic of Slovenia, the legal regulation of personal data protection was renewed by the Personal Data Protection Act 1999, and the Data Protection Directive (Directive 95/46/EC) ('the Directive') was later transposed by the Personal Data Protection Act 2004 ('the Act'). Although amended several times, the Act still represents the Slovenian national legislation on personal data protection.

Individual derogations from the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which are left to the Member States to regulate, have not yet been adopted by the Slovenian legislator. So far, four drafts of the new data protection law have been prepared, but none have even been discussed in the Slovenian Parliament ('the Parliament').

On the other hand, the Data Protection Directive with respect to Law Enforcement (Directive (EU) 2016/680) was recently transposed by the Act on the Protection of Personal Data in the Area of Treatment of Criminal Offences 2020 (only available in Slovene here) ('the Criminal Offences Act').

The protection of personal data is an important value in Slovenia and the Information Commissioner ('the Commissioner'), which is the supervisory body in the field of personal data protection, enjoys a high level of reputation and public trust.

1.1. Key acts, regulations, directives, bills

  • The Act
  • The Criminal Offences Act
  • The Information Commissioner Act 2005 (only available in Slovene here) ('Information Commissioner Act')
  • The Inspection Act 2007 (only available in Slovene here)
  • The Minor Offences Act (official Slovene version and unofficial English available for download here)
  • The General Administrative Procedure Act 2006 (only available in Slovene here)
  • The Act Amending the Access to Public Information Act (‘ZDIJZ-F') (only available in Slovene here) ('the Public Information Act')

1.2. Guidelines

The Commissioner issues manuals and guidelines. They are accessible on its website (only available in Slovene here). Of these, the most commonly used relate to:

  • Guidance on Data Protection Impact Assessment ('DPIA') (only available in Slovenian here);
  • Guidelines on privacy impact assessment in the introduction of new police powers (only available in Slovenian here);
  • Guidelines on the protection of personal data (only available in Slovene here);
  • Guidelines on the protection of personal data in employment relationships (only available in Slovene here);
  • Guidelines on the use of GPS tracking devices and protection of personal data (only available in Slovene here);
  • Guidelines on the creation of a statement on the protection of personal data on websites (only available in Slovene here);
  • Guidelines on contractual processing (only available in Slovene here);
  • Guidelines on the verification of PCT conditions for employers or managers (only available in Slovene here);
  • Guidelines on the transfer of personal data to third countries and international organizations (only available in Slovene here); and
  • Recommendations of the Commissioner regarding the operation of an authorised person for the protection of personal data (only available in Slovenian here) ('the Recommendations').

1.3. Case law

  • Judgment of the High Court no. PRp 345/2019 of 18 June 2020 (only available in Slovene here): the High Court absolved the complainant of liability for the misdemeanour in question (breaching data protection rules) because the GDPR provides for the payment of an administrative fine for such violations, which the Commissioner cannot impose under the current legislation (under the Act, only misdemeanour fines are provided, not administrative fines). The complainant consequently also avoided paying the fine.
  • Judgment of the Supreme Court no. X Ips 78/2011 of 14 November 2011 (only available in Slovene here): Taking into account the definition of personal data from Article 6(1) of the Act and the definition of an individual under Article 6(2) of the Act, it is correct to conclude that for those who have a telephone number, even in the absence of any other data, the natural person using that number is at least (indirectly) identifiable. A phone number can be linked to an individual without disproportionate effort, cost, or time, and so this information is not anonymised.
  • Judgment of the Administrative Court no. IU 213 / 2016-16 of 17 May 2017 (only available in Slovene here): Considering that no law provides the municipality with a legal basis for the implementation of video surveillance of public areas, the municipality may perform such video surveillance only exceptionally, namely as the processing of personal data on the basis of Article 9(4) of the Act (legitimate interest), if all the prescribed legal conditions are cumulatively met. In assessing the justification of the processing of personal data on the aforementioned legal basis, it is crucial to weigh the interests of the controller on the one hand and the interests of the data subject on the other. Irrespective of the applicant's allegations that video surveillance protects municipal property that cannot be secured by milder means, the implementation of video surveillance in question was in contravention of the principle of proportionality from Article 3 of the Act.
  • Judgment of the Administrative Court of 2 June 2020 on the right to erasure (only available in Slovene here): The Administrative Court of the Republic of Slovenia upheld the decision of the Commissioner that an individual cannot obtain the deletion of their personal data from the baptismal register managed by the Roman Catholic Church by invoking the right to erasure under Article 17 of the GDPR, and added that the individual is not confronted with religious elements by the mere fact that the parish stores their data in the register. A subsequent entry clearly demonstrates that the individual is no longer a member of the church, which is also an expression of their right not to belong to a religion.

2. Scope of Application

2.1. Personal scope

All controllers under the GDPR are obliged to comply with the rules on the protection of personal data under the GDPR and national regulations, including natural or legal persons, public authorities, agencies, or any other body, with the exception of personal data processing by a natural person in the course of a purely personal or household activity.

The protection of personal data under the Act is enjoyed by all individuals and natural persons, including the deceased.

Article 23 of the Act regulates processing; more specifically, it sets rules for the transmission of personal data of the deceased, and similar intentions are also indicated in the current proposals for a reformed version of the Act. Thus, Slovenia will continue to maintain the protection of personal data of deceased individuals, which refers primarily to restrictions on their transmission or access to such data.

However, the protection of personal data is not enjoyed by natural persons when they are active on the market, for example as sole proprietors or other private individuals engaged in gainful activity on the market, including artists and doctors. Therefore, data directly related to performing a business activity is not considered personal data, even if the 'business entity' is a natural person.

Such a distinction was accepted on the basis of the decision of the Constitutional Court No. U-I-84 / 03-1 of 17 February 2005 (only available in Slovene here). In this decision, the Constitutional Court of the Republic of Slovenia held, inter alia, that the data in the annual report that entrepreneurs submit on the basis of the impugned provision cannot, given its publication in the public sphere, generally be considered personal data, as it does not refer to a natural person as an individual, but to a natural person as an entrepreneur. It therefore refers to one of the forms that the Companies Act 2006 (only available in Slovene here) envisages for performing a gainful activity. Although an entrepreneur can also act as a natural person (in the sense of an individual according to the Act), the two roles cannot be equated when performing a gainful activity. These are two autonomous and independent roles.

2.2. Territorial scope

There are no specificities regarding the territorial scope of the provisions of the GDPR and national regulations. National regulations apply to the entire territory of Slovenia. Slovenia is not divided into administrative units.

2.3. Material scope

In addition to the processing already regulated by the GDPR, the Act, in so far as it still applies, regulates the processing of personal data:

  • by video surveillance (Articles 74 - 77 of the Act);
  • for direct marketing (Articles 72 - 73), mainly by referring to the application of the special provisions of the Electronic Communications Act 2012 (only available in Slovene here) ('ECA'); please note that a draft of a new Electronic Communications Act ('ZEKom-2') (only available in Slovenian here) is currently being prepared within the Ministry of Public Administration;
  • in case of biometric measures (Articles 78 - 81);
  • for keeping records of entries and exits of premises (Article 83);
  • in public books (Article 83);
  • in cases of linking personal data files (Articles 84-85); and
  • in cases of implementing expert supervision (Articles 87-90).

It also provides fines for cases of breaches of the rules on the protection of personal data, which are defined in the Act as an offence (Articles 91-103).

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The supervisory body is the Commissioner. In accordance with Article 48 of the Act, the Commissioner gives preliminary opinions to ministries, the Parliament, bodies of self-governing local communities, other state bodies, and holders of public authority on the harmonisation of provisions of draft laws and other regulations with laws and other regulations governing personal data.

The Commissioner's responsibilities and powers, as well as the appointment of the Information Commissioner, among other things, are regulated by the Information Commissioner Act.

The protection of personal data falls within the Ministry of Justice, which is also the drafter of the reformed Act and the consultative body for sectoral laws.

3.2. Main powers, duties and responsibilities

Investigative powers

The Commissioner may investigate data processing by private persons on its own initiative or on the initiative of a third party. The Commissioner has a wide range of powers: to order controllers and/or processors to provide any information it requires for the performance of its tasks, to conduct investigations in the form of data protection audits, to notify the controller or processor of an alleged infringement of the GDPR, to access all personal data and all information necessary, as well as to access the premises of the controller and/or processor. The Commissioner is therefore an inspection body, and in that capacity it pursues the goal of ensuring that personal data is processed in accordance with the requirements of the law.

Corrective powers

Within the inspection procedures, the Commissioner may impose certain measures on the controller and/or processor in order to ensure that the processing of personal data complies with the law. It does so by issuing an administrative decision specifying the type of measure and the deadlines for its implementation.

Authorisation and advisory powers

At the request of individuals, controllers, and processors, the Commissioner issues non-binding opinions on the processing of personal data. The Commissioner also gives preliminary opinions to ministries, the Parliament, bodies of self-governing local communities, other state bodies, and holders of public authority on the harmonisation of provisions of draft laws and other regulations with laws and other regulations governing personal data. Public authorities also often turn to the Commissioner for advice on bylaws, circulars, and instructions, which include an explanation of the rules in the field of personal data protection.

Imposition of administrative fines for infringements of specified provisions

The Commissioner is also a misdemeanour authority and may issue fines for misdemeanours as defined in the Act. As administrative fines are not part of the Slovenian legal system, the Commissioner is currently not authorised to impose administrative fines under the GDPR.

4. Key Definitions

There are no specific definitions unique to national data protection law in Slovenia and the same definitions apply as set out in the GDPR.

Personal data: No national variations from the GDPR.

Sensitive data: No national variations from the GDPR.

Data controller: No national variations from the GDPR.

Data processor: No national variations from the GDPR.

Data subject: No national variations from the GDPR.

Biometric data: No national variations from the GDPR.

Health data: No national variations from the GDPR.

Pseudonymisation: No national variations from the GDPR.

5. Legal Bases

The legal bases for the processing of personal data are the same as those in the GDPR, although certain specificities may occur in individual sectoral regulations, or due to interpretations by the Commissioner.

5.1. Consent

The conditions for valid consent are the same as in the GDPR; however, the condition of informed consent is understood very strictly. The Commissioner states that consent may be considered informed only when the individual understands the content of the consent (what they agree to) and the way in which the consent is to be given and withdrawn. Informed and consequently valid consent shall, according to the Commissioner's recommendations, contain at least the following information:

  • the identity of the controller (for example company name, name of organisation, or association);
  • a specific purpose for each individual processing for which individual consent is required;
  • an indication of the types of personal data to be collected and processed;
  • the existence of the right to withdraw consent;
  • notification to the individual that they have the right not to be subject to a decision based solely on automated processing, including profiling; and
  • notification to the individual of the potential risks of the transfer of personal data to a third country or international organisation.

When the controller seeks consent for the transfer of an individual's personal data to other users and/or controllers (for example, to affiliated companies or to a group of contractual partners), it is generally required that information on all recipients of the personal data be made available to the individual at the moment of giving consent (for example, with a link to the list of associated companies and the like).

5.2. Contract with the data subject

No national variations from the GDPR.

5.3. Legal obligations

No national variations from the GDPR.

However, it is expected that this legal basis will be regulated in more detail by the Act once it is reformed.

5.4. Interests of the data subject

No national variations from the GDPR.

5.5. Public interest

No national variations from the GDPR.

However, it is expected that this legal basis will be regulated in more detail by the reformed version of the Act.

5.6. Legitimate interests of the data controller

No national variations from the GDPR.

However, controllers should take into account that the processing of personal data via electronic communication means is regulated by the ECA. Therefore, legitimate interest as a legal basis may not suffice if the controller intends to, for example, send direct marketing messages via SMS, email, or telephone.

5.7. Legal bases in other instances

The ECA regulates the processing of personal data when using electronic means of communication.

As a rule, the only legal basis is the consent of the individual (it may be given in advance or, in some cases, presumed, with the possibility of a so-called opt-out). The recording of telephone calls is allowed only in cases explicitly permitted by the ECA (calls to the numbers 112 and 113, calls during which a legal transaction is concluded or changed, etc.).

The processing of personal data in the employment relationship is regulated by the Employment Relations Act 2013 (only available in Slovene here) ('ERA'). Personal data of employees may be collected, processed, used, and passed on to third parties only in cases determined by the ERA, or if it is necessary for the exercise of rights and obligations arising from or in connection with the employment relationship. When concluding an employment contract, the employer may not request information on family or marital status, pregnancy, family planning, or other information that is not directly related to the employment relationship.

The Public Information Act has been in force in Slovenia since March 2003 and was most recently amended in 2018. Among other things, it stipulates that personal data of individuals that relates to the performance of a public function, to the employment relationship of a public servant, or to the use of public funds is freely accessible information.

6. Principles

As the new national law on personal data protection has not yet been adopted by the Parliament, the principles of data processing are the same as in the GDPR.

The Commissioner emphasises that the key novelty of the GDPR is the principle of accountability, which imposes a duty on controllers to be able to demonstrate at all times that they process personal data in a consistent manner and meet all the requirements set out in the GDPR and national regulations. However, due to the wide inspection powers the Commissioner already had under the Act and the Directive, controllers and processors in Slovenia have always carried the burden of demonstrating compliance with the regulations. In practice, therefore, nothing has changed.

Previously, the Commissioner often focused its attention on the proportionality principle, which has since been replaced by the data minimisation principle. The tendency will remain the same: the principle of data minimisation is to be interpreted narrowly, in direct connection with the purpose of processing the personal data.

7. Controller and Processor Obligations

7.1. Data processing notification

The obligation of controllers to register databases with the Commissioner ceased with the entry into force of the GDPR. According to the interpretation of the Ministry of Justice, from then on only controllers in the field of dealing with criminal offences were obliged to register their databases with the Commissioner. For them, too, this obligation ceased upon the entry into force of the Criminal Offences Act.

7.2. Data transfers

No national variations from the GDPR.

7.3. Data processing records

The register of personal data files created under the Directive is still available on the Commissioner's website (only available in Slovene here).

The Commissioner has prepared an optional template for records of processing activities for controllers and processors. Both are available on its website (only available in Slovene here).

Data controllers are obliged to register their processing operations in the Commissioner's Register of Filing Systems (only available in Slovene here) ('the Register') at least 15 days prior to the establishment of a filing system or prior to the entry of a new type of personal data to the filing system (Articles 27(1) and 28 of the Act).

Data controllers must keep a filing system catalogue for each of their processing operations which must also be registered in the Register, and include the following information (Article 26(1) of the Act):

  • the title of the filing system;
  • the contact details of the data controller;
  • for natural persons: personal name, address where activities are performed, or address of permanent or temporary residence, and for a sole trader, his or her official name, registered office, seat, and registration number;
  • for legal persons: title or registered office and address or seat of the data controller and registration number;
  • the legal basis for processing personal data;
  • the category of individuals to whom the personal data relate;
  • the type of personal data processed in the filing system;
  • the purpose of the processing;
  • the duration of the storage of personal data;
  • the restrictions on the rights of individuals with regard to personal data in the filing system and the legal basis for such restrictions;
  • the data recipients or categories of data recipients of personal data contained in the filing system;
  • whether the personal data is transferred to a third country, to where, whom and the legal grounds for such transfer;
  • a general description of security of personal data;
  • information on whether the filing system contains data from official or public records; and
  • information on the data protection representative:
    • for natural persons: personal name, address where activities are performed, or address of permanent or temporary residence, and for a sole trader, his or her official name, registered office, seat, and registration number; or
    • for legal persons: title or registered office and address or seat of the data controller and registration number.

The data controller must ensure that the information provided in the Register remains accurate and up to date, and any modification to the data must be reported to the Commissioner no later than eight days from the date of the modification (Articles 26(2) and 27(2) of the Act).

Exceptions

The requirement to register does not apply to (Article 7 of the Act):

  • personal data which is processed by political parties, trade unions, associations, or religious communities relating to their members;
  • personal data which is processed by the media for the purpose of informing the public; and
  • data controllers with fewer than 50 employees.

However, this exemption does not apply to filing systems kept by data controllers in the public sector, public notaries, attorneys, detectives, bailiffs, private security providers, private healthcare workers, healthcare providers, or data controllers that keep filing systems containing sensitive personal data where the processing of sensitive personal data is part of their registered activity.

7.4. Data protection impact assessment

No national variations from the GDPR.

The European Data Protection Board ('EDPB') has published the following Opinion for Slovenia:

Based on the EDPB's recommendations, the Commissioner has also developed guidelines on DPIAs (only available in Slovene here) as a tool for the timely identification and management of risks related to personal data processing; they explain the legal provisions and answer who should carry out a DPIA, and when, why, and how.

The Commissioner has also issued a list of activities which require a DPIA ('Blacklist'):

The Slovenia Blacklist provides the following criteria for types of processing operations requiring a DPIA, if the processing operation meets at least two of the following criteria:

  • extensive evaluation and profiling of individuals;
  • automated decision making with legal or similar significant effect;
  • systematic monitoring of individuals;
  • processing of special categories of personal data;
  • data processed on a large scale;
  • matching or combining of different datasets (e.g. obtained through different activities of data controllers) and big data analytics;
  • imbalance of power;
  • innovative use or applying new technological or organisational solutions;
  • when the processing in itself prevents data subjects from exercising a right or using a service or contract;
  • processing of biometric data which is processed for the purpose of uniquely identifying a natural person in conjunction with at least one other criterion from the Guidelines; and
  • processing of genetic data in conjunction with at least one other criterion from the Guidelines.

The Commissioner has not issued a list of activities which do not require a DPIA (Whitelist).

7.5. Data protection officer appointment

No national variations from the GDPR.

A data controller that is not established in Slovenia, but uses equipment situated in Slovenia for the processing of personal data, must appoint a natural or legal person in Slovenia to represent the data controller in respect of the processing of personal data in accordance with the Act (Article 5(3) of the Act).

The Recommendations outline that a data protection officer ('DPO') is appointed to monitor internal compliance with the GDPR and other regulations on the protection of personal data, as well as the implementation of educational and advisory tasks concerning the protection of personal data.

Furthermore, the Recommendations outline, among other things, the following with regard to DPOs:

  • the DPO's contact details shall be published on the company's website, in an internal directory, and communicated to the Commissioner through an online form;
  • the contact details published on the website (optional) should include the name of the DPO;
  • it is recommended to communicate the name and contact details of the DPO to their staff (e.g. on the intranet, in the internal telephone directory), and their mission, what tasks they perform and what responsibilities they hold; and
  • in the case of outsourcing the DPO function, it should be borne in mind that such DPOs are contractual processors of personal data with whom the contractual relationship must be properly regulated in the light of the requirements of Article 28 of the GDPR.

Further instructions (only available in Slovene here) cover who must appoint a DPO, as well as the duties and the professional qualities and skills required of a DPO.

Additionally, the above-mentioned instructions also highlight the importance of the independence of an appointed DPO, so as to ensure that no conflict of interest arises when carrying out the role. More specifically, the instructions specify the following as good practices with regard to ensuring independence:

  • define incompatible positions;
  • create internal rules to prevent conflicts of interest;
  • provide an explanation of a conflict of interest;
  • provide a statement that the DPO does not have a conflict of interest; and
  • include relevant clauses in tenders for a DPO.

Notably, the DPO does not need to be named in the public-facing privacy notice.

Moreover, the draft of the reformed Act indicates that some specific rules will apply to DPOs in the public sector. The special requirements relate to the level of education and experience in the field of personal data protection. Notice of the appointment of the DPO needs to be sent to the Commissioner with the following data:

  • postal address;
  • telephone number;
  • contact email address; and
  • the name of the DPO.

7.6. Data breach notification

No national variations from the GDPR.

7.7. Data retention

The obligation is generally the same as set out in the GDPR: personal data should be kept only for as long as is necessary for the purposes for which the personal data is processed.

In the case of processing personal data on the basis of a contract, the retention period is usually tied to the general limitation period under the law of obligations (five years, counted from the end of the relationship or from other relevant circumstances).

In highly regulated fields such as banking, insurance, education, healthcare, electronic communications, and employment relationships, the retention period of personal data is determined by sectoral law.

7.8. Children's data

No national variations from the GDPR. 

7.9. Special categories of personal data

No national variations from the GDPR. 

7.10. Controller and processor contracts

The obligation is generally the same as set out in the GDPR; however, the Commissioner, as the second European supervisory authority to do so, has developed standard contractual provisions to regulate the contractual relationship between data controllers and processors. The standard contractual provisions have been approved by the EDPB, as required by the GDPR.

The standard provisions follow the requirements of Article 28 of the GDPR and can be used by controllers, as appropriate, in contracts for the services of contractual processors, such as accounting services, IT service providers, call centres, and other personal data processing, as well as for the services of sub-processors. The standard contractual provisions are available here (only in Slovene).

8. Data Subject Rights

8.1. Right to be informed

No national variations from the GDPR. 

We note only the customary practice that information on the processing of personal data for employees or the internal public is set out in the controller's internal act, which also regulates the security of personal data and is still mandatory under the Act.

8.2. Right to access

No national variations from the GDPR. 

Access to one's own medical records is regulated by a special law, Article 41 of the Patients' Rights Act 2008 (only available in Slovene here). Its special provisions set shorter deadlines for responding to a request and define the circle of individuals who may, on the basis of that act and under certain conditions, access the patient's personal data.

8.3. Right to rectification

No national variations from the GDPR. 

8.4. Right to erasure

No national variations from the GDPR. 

8.5. Right to object/opt-out

No national variations from the GDPR. 

However, attention should also be drawn to the regulation of opt-out under the ECA, for example when processing personal data by electronic means of communication. It refers mainly to direct marketing, but also to the use of personal data for research purposes (for example, direct marketing by email, and the entry of a note in the public telephone directory prohibiting the use of the data for direct marketing and/or research purposes).

8.6. Right to data portability

No national variations from the GDPR. 

8.7. Right not to be subject to automated decision-making

No national variations from the GDPR. 

8.8. Other rights

As Slovenia also protects the personal data of the deceased, certain entitlements in relation to such data may extend to their close persons, as defined in the Act or as will be determined by the reformed Act.

The Commissioner acts as an appellate body in the field of exercising data protection rights, applying the rules of general administrative procedure. Individuals who are not satisfied with the Commissioner's assessment may then bring a dispute before the Administrative Court of Slovenia.

9. Penalties

The Commissioner may impose misdemeanour fines under the Act relating to video surveillance, biometric measures, database interconnection, and data security. The maximum penalty is €4,170 for legal entities and €830 for the responsible person (see Article 93 of the Act).

For violations of Article 158 of the ECA, the maximum penalty is up to €20,000 for legal entities and €500 for the responsible person (see Article 235 of the ECA).

9.1. Enforcement decisions

The Supreme Court of Slovenia Judgment IV Ips 51/2011 of 21 June 2011 (only available in Slovene here) dealt with the question of whether a violation affecting several individuals constitutes a single offence or several offences. The court ruled that in such instances there are as many offences as there are injured individuals. Thus, the fine for the offence is set and multiplied by the number of individuals affected. In doing so, the Commissioner observes the upper admissible limit of the fine as determined by the Act.