26.1.2022

Slovenia finally one step closer to the new Data protection act

It is no secret that Slovenia is the last EU member state that still does not have a new local law. Such a law would regulate some of the data protection questions that the General Data Protection Regulation (the GDPR) has left to the member states and, most importantly, would give the local supervisory authority the power to issue the administrative fines provided for by the GDPR.

Slovenia is, however, now finally one step closer to the new Data protection act being passed. The draft law (ZVOP-2) has now been placed before the government working body for discussion. This is the first draft that has made it this far, and it is now less likely that there will be any major changes to the current draft. However, a few questions still remain open and might change.

Among others, the following provisions are included in the current draft ZVOP-2:

  • The age of consent for minors will be 15 years, which is also in line with the local Family Code. For persons under that age, consent may be given not only by the statutory representative but also by a foster parent or a representative of an institution in which the minor is placed (this applies to institutions in which the minor is placed by, for example, governmental bodies, and not to, for example, student homes in which the minor lives).
  • Provisions on protection of personal data of the deceased will apply for 20 years after the individual’s death. After that, the data will no longer be protected as personal data, however other sector-specific acts might apply.
  • The individual will have the right to judicial protection of his/her rights without having to take any other actions before taking the case to court. At the moment, court protection is envisaged only at the administrative court, and it is no longer considered an urgent and priority proceeding as it was/is under the current data protection act (ZVOP-1).
  • Processing logs need to be kept in the case of (i) extensive processing of special categories of personal data, (ii) regular or systematic monitoring of individuals, (iii) if a data processing impact assessment identifies that the identified risks could be successfully mitigated by keeping the logs, or (iv) if so provided by law. Under the current draft, the logs would need to be stored for at least 2 years and no longer than 5 years.
  • The draft provides for special rules on security of personal data in the field of special types of processing, which, among others, include controllers/processors that keep mostly special categories of personal data in their filing systems. The way the current draft is written, this would also cover all doctors, regardless of how small their practice is.
  • A shorter deadline to respond to individuals’ request to access data than the one in the GDPR is provided for the private sector – except in special circumstances, the deadline to respond is envisaged to be 15 days (rather than 30 days provided for by the GDPR).
  • Draft ZVOP-2 expressly provides that a head of information security cannot be a DPO.
  • Compared to ZVOP-1, ZVOP-2 no longer regulates direct marketing in a special chapter.
  • The chapter on video surveillance will also be subject to some changes, with the recordings now allowed to be stored for a maximum of 1 year (current ZVOP-1 provides for 2 years), and the notice on video surveillance having to include all information provided for in Article 13 of the GDPR (companies will, however, be able to include a link to a website that includes all such information rather than including it all on the notice itself).
  • With regard to the certification process, Slovenian Accreditation (slo. Slovenska akreditacija) will be granting accreditations to certification bodies. The accreditation process will begin on January 1st.
  • The new draft ZVOP-2 still provides for fines not only for legal entities but also for the responsible persons of such legal entities (such as managing directors or persons responsible for a specific area to which the infringement relates). Compared to the GDPR and other EU member states, this is quite rare; Slovenia may be the only state in which this applies.

Of course, the provisions could still be subject to some changes, so we are monitoring the updates regularly and will again report on the contents of the law once passed.