Privacy Law in Slovenia
Slovenia, like all EU member states, follows the General Data Protection Regulation (GDPR), which provides a unified framework for data protection across the European Union. However, Slovenia also has its national data protection legislation that complements the GDPR.
Here's a comprehensive look at privacy and data protection law in Slovenia:
🔐 1. Core Legal Framework
GDPR (EU Regulation 2016/679)
Applies directly in Slovenia as an EU regulation.
Covers personal data processing, individuals’ rights, obligations for data controllers/processors, and data transfer rules.
Personal Data Protection Act (Zakon o varstvu osebnih podatkov – ZVOP-2)
ZVOP-2 is Slovenia's new national data protection law, adopted in January 2023 and replacing the older ZVOP-1.
Aligns Slovenian law with GDPR and addresses national specifics (e.g., video surveillance, biometric data, employment-related processing).
🏢 2. Supervisory Authority
Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec)
Independent body responsible for:
Supervising GDPR and ZVOP-2 compliance
Handling data subject complaints
Issuing guidance and decisions
Conducting inspections and imposing fines
Website: www.ip-rs.si
🧑‍⚖️ 3. Data Subjects' Rights
Under GDPR and ZVOP-2, individuals in Slovenia have rights including:
Right to be informed (privacy notices)
Right of access
Right to rectification
Right to erasure ("right to be forgotten")
Right to restrict processing
Right to data portability
Right to object to processing
Rights related to automated decision-making and profiling
📋 4. Specific Slovenian Provisions in ZVOP-2
Some key Slovenian-specific rules under ZVOP-2 include:
📹 Video Surveillance
Public and private sector use of video surveillance must meet strict transparency and necessity criteria.
Employers must inform employees clearly about surveillance and may need a legitimate purpose or consent.
🧬 Biometric Data
Use of biometric data (e.g., fingerprints, facial recognition) is restricted and requires strong justification.
Special rules apply for using biometric systems in workplaces.
💼 Employment Context
Processing employee data is allowed only if:
Necessary for the employment relationship
Based on a legal obligation
Or with valid consent (which must be freely given)
🧒 Children’s Data
For online services offered to children, the minimum age for consent is 15 (higher than the GDPR default of 13).
🚨 5. Data Breach Notification
Data controllers must notify the Information Commissioner within 72 hours of becoming aware of a breach.
Affected individuals must be notified if there is a high risk to their rights and freedoms.
🌍 6. International Data Transfers
Data transfers outside the EU/EEA require adequate safeguards (e.g., EU Commission adequacy decisions, Standard Contractual Clauses).
The Slovenian authority monitors these transfers under GDPR guidelines.
💶 7. Enforcement & Penalties
The Information Commissioner can issue warnings, orders, and administrative fines.
Under GDPR, maximum fines can reach €20 million or 4% of global annual turnover, whichever is higher.
📱 8. Cookies & Electronic Communications
Slovenia also follows the ePrivacy Directive, meaning:
Websites must obtain user consent before placing non-essential cookies.
Users must be informed about cookie usage and have options to manage preferences.