Slovenia as the last EU country that does not yet have a GDPR implementing law
More than 2 years have passed since the first article on this topic (link below), and the situation (with the exception that we have read and commented on some additional versions of the Personal Data Protection Act (ZVOP-2) draft in the meantime) has still not changed. We are currently the last EU Member State not to have such a law, so all eyes are on us.
Despite the absence of ZVOP-2, the General Data Protection Regulation (GDPR) has been directly applicable in Slovenia since 25 May 2018, ZVOP-1 (the current data protection law) is only valid to a limited extent, and many companies have already prepared and harmonized their operations with the GDPR before May 2018. Still others, when reading the explanations of the Ministry of Justice mentioned in the first article, probably thought that it was not (yet) worthwhile to invest their time and resources in harmonizing their personal data processing processes with the GDPR, as (i) ZVOP-2 may bring certain minor changes and (ii) the Information Commissioner cannot impose high fines under the GDPR anyway.
In addition, such thinking was strengthened by the decision of the Local Court of Ljubljana dated 30 September 2019, which amended the decision of the Information Commissioner and stopped the minor offences proceedings against the legal entity and its responsible person for obtaining certain personal data in accordance with Article 10 of the Attorneys Act (ZOdv). The court did not specifically comment on the possibility of imposing administrative fines from the GDPR, but took the position that GDPR is a milder law than ZVOP-1, as it provides only for administrative fines (which are significantly higher than the penalties from ZVOP-1, but nevertheless), it does not define the violations as minor offences and does not provide for a fine for the responsible person.
Thus, we are in a situation where the adoption of ZVOP-2 (especially now, when most are dealing with regulations due to the COVID-19 epidemic) is not even in sight, and controllers do with personal data almost whatever they want, as they risk only inspections and potential issued warnings.
Such thinking can save some time and money today, but it may not pay off in the long run. Namely, despite the fact that currently the Information Commissioner cannot impose administrative fines under the GDPR, it cannot be ruled out that ZVOP-2 will be adopted before the expiry of the general limitation periods for minor offences and the Information Commissioner will then be able to impose fines for such infringements retrospectively (current ZVOP-2 proposal for example provides, that the supervisory authority decides on infringements and administrative fines under Article 83 of the GDPR as on minor offences).
Further; no matter how much our data processing activities are GDPR compliant, there can always be unplanned situations, or even situations that we were not aware of when making sure our data processing was GDPR compliant, and as a result a situation arises where we are in violation. One such example is when Privacy Shield was found to be invalid and the potential problems that companies may have with (unknowingly) exporting personal information to the U.S., for example due to their use of Facebook cookies.
We advise our clients to make sure they are compliant already at this moment (or ideally, they should have been fully compliant as of 25th May 2018 already), and to monitor the situation on a regular basis and react quickly and correctly to the (threatening) violation.
There are several benefits of such an approach, including on the one hand avoiding potentially high fines, which can be imposed by the Information Commissioner when ZVOP-2 is adopted but before the statute of limitations expires, and on the other hand the cost of harmonization with ZVOP-2 will later on be so much lower, given that it will only be able to regulate a few minor details differently, while most of matters will remain regulated by GDPR, which is already applicable.