Slovenia
Q1/ Applicable legislation
(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?
Slovenia is in the process of adopting new legislation (the “Draft Law”). The latest draft of the legislation was published for comments on 6 March 2019; however, the date of its adoption, as well as the final wording, remains unknown. The answers provided below are based on the current wording of the Draft Law.
———
(b) Relevant legislation includes:
- Personal Data Protection Act (Zakon o varstvu osebnih podatkov; ZVOP-1) (the “Current Data Protection Act”)
- Date in force: 1 January 2005
- Link: see here
- Electronic Communications Act (Zakon o elektronskih komunikacijah; ZEKom-1)
- Date in force: 15 January 2013
- Link: see here
———
(c) What is the status of national pre-GDPR data protection law?
The Draft Law, once it comes into force, will repeal the pre-GDPR legislation, namely the Current Data Protection Act. Until then, the Current Data Protection Act continues to apply to the extent that it does not conflict with the provisions of the GDPR (although no binding decision on this issue has been made).
Other legislation with relevant data protection provisions will remain applicable once the Draft Law comes into force.
Q2/ Personal data of deceased persons
Does national law make specific rules regarding the processing of personal data of deceased persons?
The personal data of deceased persons may only be processed by:
- recipients that are authorised by law;
- the deceased person’s legal heirs, provided that:
- they are able to demonstrate a lawful interest in the processing of the personal data; and
- the deceased person did not prohibit in writing the disclosure of such personal data;
- persons who require such personal data for scientific or historical research purposes, or statistical purposes, provided that the deceased person or their legal heirs of the first or second order did not prohibit in writing the supply of such personal data; and
- third parties with a valid legal basis, provided that such data are demonstrably necessary for the enforcement of their rights against public sector entities.
Q3/ Legal bases for processing
(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?
In the public sector, personal data may be processed for the purposes of performing legal obligations, tasks or responsibilities, provided that such processing does not impact the human rights, fundamental freedoms or obligations of the data subject.
In the private sector, personal data can be processed for the purposes of enforcing or carrying out legal claims or defending against such claims within the framework of formal proceedings.
———
(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?
Processing sensitive personal data is permitted for the purposes of archiving in the public interest, provided that the controller implements adequate and appropriate security measures for the protection of the individuals’ interests. In such cases, individuals will not have the right to access their personal data if providing access would require disproportionate effort, and they may not exercise their rights under Arts. 16-18 & 20-21 GDPR.
———
(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?
In the public sector, in the exercise of official authority, personal data may be processed for the purposes of performing legal obligations, tasks or responsibilities, provided that such processing does not impact the human rights, fundamental freedoms or obligations of the data subject.
The provisions on the prohibition of discrimination in the context of processing personal data require the public sector (including public authorities) to act strictly within the principle of legality.
———
(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?
There are no specific additional criteria governing this issue.
Q4/ Consent of children
At what age can a child give their consent to processing in relation to ISS?
15 years of age.
Q5/ Processing of sensitive personal data
(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?
All sensitive personal data can be processed if the data subject’s valid consent has been obtained.
———
(b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:
(i) Employment, social security and/or social protection law
There are no specific rules on processing this category of data.
While the Draft Law does not deviate from Art. 9(2)(b) GDPR, various statutes provide for mandatory retention periods for such data, namely:
- personal data must be retained permanently where required by law;
- data relating to past employees must only be retained for so long as absolutely necessary for either party to enforce any rights or obligations from this employment relationship;
- payroll documentation, documents confirming that an employee, or an affiliate, has undergone an occupational health and safety training, record of number of hours worked, post-accident documentation, must be retained permanently; and
- records and registers on accidents at work and occupational diseases must be retained permanently.
(ii) Substantial public interest
There are no specific rules on processing this category of data.
(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services
See Q5(b)(i) above.
(iv) Public interest in the area of public health
Processing sensitive personal data in respect of the public interest in the area of public health is permitted either on the basis of:
- a provision of law; or
- the express consent of the individual.
(v) Archiving purposes, scientific or historical research purposes or statistical purposes
Processing for scientific or historical research purposes or statistical purposes is permitted where:
- consent has been obtained from the relevant data subject;
- the personal data are processed in an anonymised form;
- the processing is required by law; or
- on any of the above bases, to the extent that researchers and research organisations carrying out the processing are required to publish an analysis of their research that meets certain content requirements.
Sensitive personal data may be processed for the purpose of archiving in the public interest if the controller implements adequate and appropriate security measures for the protection of the interests of the data subject. In such cases, the data subject will not have the right to access their personal data if providing access would require disproportionate effort, and they may not exercise their rights under Arts. 16-18 & 20-21 GDPR.
———
(c) Has national law introduced any further conditions and/ or limitations with regard to the processing of genetic data, biometric data, or health data?
The following rules apply to the processing of this category of data:
- in the public sector, biometric data may only be processed in accordance with the law for the following purposes, and only where such purposes could not be achieved by other means:
- ensuring the security of people or assets;
- ensuring the security of secret data;
- complying with obligations under international treaties;
- enforcing border security;
- identifying missing or dead persons; or
- ensuring the security of business secrets;
- in the private sector, processing biometric data is permitted if it is necessary for the following purposes:
- ensuring the security of people or assets;
- ensuring the security of secret data; or
- ensuring the security of business secrets;
- in the private sector, the processing of biometric data is limited to employees and employees of business partners (provided they have been notified in writing in advance); the biometric data of customers may be processed only where provided for by law and where such persons have given their consent;
- for the processing of biometric data in the private sector, controllers and processors must notify the DPA in advance, and the DPA will then decide within two months whether the measures comply with the legislation; and
- the processing of biometric data for marketing purposes is prohibited, even where it is carried out in exchange for free services.
Q6/ Data relating to criminal offences or convictions
Under what conditions does national law permit the processing of personal data relating to criminal convictions?
The following rules apply to the processing of this category of data:
- strict rules regarding the accuracy and reliability of the data provide that data relating to criminal convictions need to be checked for quality before they are made available for automated retrieval;
- the processing of such data is only lawful for the purposes provided for in the Draft Law (once finalised);
- automated processing for the purposes of decision-making which could possibly have a negative legal effect on, or seriously impact, the data subject is not permitted, unless otherwise provided for by the law and only where there is a subsequent verification of the results of such automated processing as well as other measures put in place to ensure adequate protection of human rights and fundamental freedoms;
- controllers and processors must implement effective logging systems to keep a record of the data processing, including access to data and disclosures of data;
- in certain cases, the controller may have to conduct prior consultations with the DPA before beginning a new processing activity;
- data subjects’ rights may be limited where doing so would be necessary in order to:
- avoid hindering official investigations, surveillance, inquiries or proceedings;
- prevent, investigate, detect or prosecute criminal offences;
- enforce criminal sanctions; or
- effectively exercise the tasks and powers of the police, the security of the State, the protection of the sovereignty and defence of the State or the protection of human rights and fundamental freedoms of other persons, in particular where the exercise of individual rights would constitute an actual and serious risk to the rights and freedoms of others; and
- transfers to third countries or international organisations are permitted provided that:
- the data are being transferred to a jurisdiction subject to an adequacy decision or where adequate safeguards have been implemented; or
- the transfer is necessary for the protection of vital interests of the data subject or for deterring a serious threat to the public security of the country.
Q7/ Exemptions
(a) Does national law specify exemptions to a data subject’s right to erasure?
The following specific exemptions apply to the right to erasure:
- the processing is carried out for the purposes of archiving in the public interest; or
- the exercise of such right to erasure would entail disproportionate interference or achieve only a minimal benefit to the relevant data subject (only provided for in the general comments to the Draft Law).
———
(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?
The data subject does not need to be provided with information in accordance with Arts. 12-14 GDPR if the personal data have been made public in accordance with the law. This is dealt with in the provisions regarding protection of freedom of expression and access to information in relation to data protection.
———
(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?
Where personal data are being processed for scientific or historical research purposes or for statistical purposes, the data subject can object to such processing, unless the processing is required for the performance of tasks carried out in the context of the public interest. The data subject cannot object to automated decision-making in cases where such processing is required for the performance of tasks for the purposes of public interest.
Q8/ Restrictions on data subjects’ rights
Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?
There are no additional restrictions on data subjects’ rights.
Q9/ Joint controllership
Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?
There are no additional rules on the apportionment of responsibility between joint controllers.
Q10/ Processor
In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?
The DPA has issued guidelines on contractual data processing. These do not provide for further obligations other than to conclude a contract (see here (in Slovenian)).
Q11/ Impact Assessments
Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?
The DPA has issued a list of situations in which an Impact Assessment would be required (see here: iprs.si/fileadmin/user_upload/Pdf/Ocene_ucinkov/Seznam_dejanj_obdelav_osebnih_podatkov__za_katere_velja_zahteva_po_izvedbi_ocene_ucinka_v_zvezi_z_varstvom_osebnih_podatkov.pdfe (in Slovenian)).
———
Q12/ Prior authorisation and public interest
Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?
In addition to the provisions of the GDPR, prior authorisation from the DPA is required in the following circumstances:
- where the relevant Impact Assessment shows substantial risk or includes the use of new technologies, mechanisms or procedures likely to cause substantial risk in relation to any new data processing activity that is carried out for the following purposes:
- preventing, investigating or detecting criminal acts;
- executing criminal sanctions;
- implementing police powers; or
- ensuring the security and defence of the State; or
- where any new data processing activity is being carried out by a public sector entity which involves the processing of biometric data for the purpose of monitoring the entrance to a building (or parts of a building).
In the latter case, the DPA will decide within two months whether the proposed activity complies with legislation.
Q13/ DPOs
(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?
DPOs are only mandatory in the circumstances set out in Art. 37(1) GDPR.
———
(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?
While there are no specific provisions on secrecy or confidentiality obligations imposed on DPOs, DPOs are subject to the following general obligations:
- general secrecy and confidentiality obligations imposed on persons acting as lawyers, health care workers and medical staff; and
- obligations relating to confidentiality of business secrets.
Q14/ International data transfers
(a) Does national law make specific rules about transfers of personal data from public registers?
The transfer needs to be made in accordance with applicable law, and can only be made on a one-off basis.
———
(b) Does national law restrict the transfer of specific categories of personal data to third countries?
The DPA may adopt further restrictions on transfers of specific categories of personal data to third countries or international organisations, if it considers this necessary to ensure that the relevant personal data are protected to a standard different from that provided for in the GDPR. No such decision has been published yet.
Q15/ DPAs
(a) Details of the DPA(s).
- Name of DPA: Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec Republike Slovenije)
- Address: Dunajska cesta 22, 1000 Ljubljana, Slovenia
- Website: ip-rs.si/en
———
(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?
Not applicable as there is only one DPA.
———
(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?
Not applicable.
———
(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?
In addition to the powers set out in the GDPR, the DPA also has the power to review hidden areas of the premises it searches, but only with consent or a prior court order.
———
(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?
Decisions issued by the DPA may not be appealed. However, a claim disputing a decision, order or investigation of the DPA may be brought in the Administrative Court.
———
(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?
Where documentation or data are covered by legal privilege, the DPA must submit a list of the relevant materials to a court-appointed expert who will examine the materials and establish which of those can be disclosed to the DPA.
The list must be produced in the presence of two witnesses, or a representative of either the controller, the processor or the Slovenian Bar Association.
An investigative judge must then sanction the decision of the court-appointed expert before forwarding the disclosable materials to the DPA.
Q16/ Claims by not-for-profit bodies
Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?
There are no not-for-profit bodies that are specifically mandated to bring such claims.
Q17/ Administrative fines, penalties and sanctions
(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?
Minor fines may be imposed on public authorities for breaching obligations relating to the processing of biometric data.
Given the DPA’s power to oversee the activities of public authorities, there may be scope for further administrative fines to be imposed on public authorities once the Draft Law is finalised.
———
(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?
The Slovenian Criminal Code contains criminal penalties for abuses of personal data.
Q18/ Freedom of expression and information
(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?
The rights to protection of personal data must be balanced with the rights of freedom of expression, which includes:
- the expression of thought and speech;
- the right to public speaking; and
- the freedom of the press and other forms of public information and expression.
Anyone can freely collect, receive and disseminate news and opinions, and the personal data contained therein, provided the relevant personal data are necessary and properly processed for this purpose.
———
(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?
Personal data may be processed for the purpose of academic, literary, artistic or scientific expression in the following situations:
- where a data subject has given consent for the use, publication or disclosure of such personal data;
- where the data subject has already publicly disclosed such personal data or made them available to the public;
- where such personal data have already been made available to the public in a lawful manner;
- where such personal data have been obtained through publicly accessible places or events where it is unreasonable to expect the protection of privacy and where the data was not obtained by significant interference with a data subject’s reasonably expected privacy;
- where it is a legitimate publication of an opinion or valuation and the processing of such personal data is necessary to justify this opinion or valuation;
- where such personal data have been obtained in another legitimate manner;
- where the public interest of informing the public, the right to information and the freedom of expression outweigh the legitimate interests of the protection of privacy and other personality rights of the data subject; or
- where such personal data may be processed in accordance with another law.
Q19/ National identification numbers
Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?
When processing personal data in areas relating to health, police, defence, the judiciary and the State prosecutor’s office, national law does not permit the national identification number to be processed as the sole identifier. This does not apply to personal data processed for the following purposes, where permitted by law:
- official records;
- the land registry;
- the court and business register; and
- where such processing may enable an offence to be detected or prosecuted.
Q20/ Processing in the context of employment
(a) For what purposes can employees’ personal data in the employment context be processed under national law?
There are no specific provisions governing the processing of employee data.
———
(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?
The following safeguards apply in order to protect employees’ dignity, legitimate interests and fundamental rights:
- CCTV in the workplace is only permitted if it is absolutely necessary for the following purposes, and if such purposes cannot be achieved by any other means:
- ensuring the security of people or assets;
- preventing or identifying violations relating to gambling activities;
- protecting classified information; or
- protecting business secrets.
- the following additional restrictions apply to CCTV in the workplace:
- live monitoring of spaces can only be performed by authorised security personnel or other specifically authorised and trained personnel of the controller;
- employees should be notified in advance and in writing that CCTV will take place; and
- prior to implementing CCTV, the employer must consult with the representative of a trade union, a works council or a worker representative at least 30 days before the relevant CCTV is implemented.
Q21/ Other material derogations
Are there any other material derogations from, or additions to, the GDPR under national law?
The Draft Law contains specific provisions on CCTV and direct marketing.
Q22/ Current legal challenges
Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?
There are currently no legal challenges ongoing.
Q23/ Enforcement
Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?
The DPA has yet to take enforcement action for breaches of the GDPR.
Q24/ Regulatory Guidance
Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?
The DPA has issued the following guidance on the application of the GDPR and/or GDPR implementation law:
- practical guidance on when and how to carry out Impact Assessments (see here (in Slovenian));
- guidance on joint controllership (see here (in Slovenian)); and
- template documents, including privacy notices and registers of processing, as well as guidance on consent and legal bases in the public sector (see here (in Slovenian)).
Jadek & Pensa Law Office contributors
Eva Gostiša
Eva Gostiša is a partner at Jadek & Pensa Law Office. Her work is focused mainly on intellectual property; with regard to trademarks and designs she covers both protection and right enforcement, and with regard to patents the enforcement of the latter in court proceedings. She has also gained vast experience in the field of job-related inventions, copyright law and unfair competition, on which she advises clients and represents them in disputes. Her work also encompasses personal data protection. Furthermore, Eva covers the regulation in the field of medicinal products and health care, and in recent years she has been working on real estate transactions as well.
Urša Horvat
Urša Horvat is a senior associate at Jadek & Pensa Law Office who advises clients on different legal fields. She specialises in advising clients on their compliance, especially in the area of personal data protection, including performing due diligence in the area of privacy, preparing required documentation for GDPR and local law compliance, and preparing legal opinions as well as advice for clients in all areas relating to personal data protection and ePrivacy legislation. She also works on intellectual property matters; with regard to trademarks and designs she covers both protection and right enforcement.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP