DLA Piper Intelligence
Data Protection Laws of the World

Slovenia

Personal Data Protection Act (Zakon o varstvu osebnih podatkov, Official Gazette of the Republic of Slovenia no. 86/2004, no. 113/05, no. 51/07, no. 67/07 and no. 94/07; "ZVOP-1")

Last modified 30 Jan 2018
Definitions

Definition of personal data

Personal data means any data relating to an identified or identifiable private individual (natural person) to whom personal data relates, irrespective of the form in which the data is expressed.

Definition of sensitive personal data

Sensitive personal data means data relating to racial, national or ethnic origin, political, religious or philosophical beliefs, trade-union membership, health status, sexual life, and entry in or removal from the criminal record or records of minor offences. Biometric characteristics are also considered sensitive personal data if their use makes it possible to identify an individual on the basis of any of the aforementioned circumstances.

Authority

Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec, "the Commissioner"). The Commissioner's registered seat is at:

Zaloska 59
SI-1000 Ljubljana
https://www.ip-rs.si/en/

Registration

Before processing personal data or adding a new type of personal data to the catalogue, all data controllers must notify the Commissioner. The notification must be made no later than 15 days before data processing commences. All modifications to the personal data must be notified to the Commissioner no later than eight days from the date of the modification.

The notification shall include the following information:

  • title of the filing system;
  • data on the data controller;
  • legal basis for processing personal data;
  • the category of individuals to whom the personal data relate;
  • the type of personal data in the filing system;
  • purpose of processing;
  • duration of storage of personal data;
  • restrictions on the rights of individuals with regard to personal data in the filing system and the legal basis for such restrictions;
  • data recipients or categories of data recipients of personal data contained in the filing system;
  • whether the personal data are transferred to a third country, to where, to whom and the legal framework for such transfer;
  • a general description of security of personal data;
  • data on linked filing system from official records and public books;
  • data on the representative of data controller.

An exemption applies to personal data which (i) are processed by political parties, trade unions, associations or religious communities and relate to their members, (ii) are processed by the media for the purposes of informing the public, or (iii) are processed by data controllers that have 50 or fewer employees (this exemption does not apply in all cases, in particular where data controllers keep filing systems containing sensitive personal data as part of their registered activity).

Data Protection Officers

There is no obligation to appoint a data protection officer under ZVOP-1. Data controllers do, however, define in their internal acts the persons responsible for individual filing systems and the persons who may process individual personal data.

Collection & Processing

Personal data may only be processed if both the processing and the personal data being processed are provided for by statute. Personal data may also be processed if the individual has given personal consent to the processing. The purpose of processing must be provided for by statute; where processing is based on the individual's personal consent, the individual must be informed in advance of the purpose of the processing.

Sensitive personal data may however only be processed in the following cases:

  • if the individual has given explicit personal consent in writing;
  • if the processing is necessary in order to fulfil the obligations and special rights of a data controller in the area of employment in accordance with statute;
  • if the processing is necessarily required to protect the life or body of the data subject;
  • if they are processed for the purposes of lawful activities by institutions, societies, associations, religious communities, trade unions or other non-profit organisations, but only if the processing concerns their members;
  • if the data subject publicly announces such data;
  • if the data is processed by health-care workers and health-care staff in compliance with statute;
  • if this is necessary in order to assert or oppose a legal claim;
  • if so provided by another statute in order to implement the public interest.

Sensitive personal data must be specially marked and protected, so that access to them by unauthorised persons is prevented.

Transfer

The transfer of personal data outside the EU/EEA is allowed provided it is in accordance with the statute and if the third country to which the data are transferred ensures an adequate level of protection of personal data. Generally, the Commissioner’s approval that a sufficient level of protection is ensured is needed in order to be allowed to transfer personal data to a third country. In particular the Commissioner will assess the type of personal data being transferred, the purpose and duration of proposed processing, the legal arrangements in the country of origin and the recipient country and measures to secure personal data used in such countries.

In some cases the approval of the Commissioner is not needed, namely if the country is on the list of countries which the Commissioner considers to provide an adequate level of protection for personal data (currently only Switzerland and Macedonia have been put on the list). The approval of the Commissioner is also not needed if (i) the transfer is provided for by another statute or a binding international treaty, (ii) the individual to whom the data relate (the data subject) has given consent (provided that the data subject was made aware of the consequences of the transfer), (iii) the transfer is necessary for the performance of a contract relating to the data subject, (iv) the transfer is necessary to protect the data subject, or (v) the transfer is made from a public register.

As for the transfer of personal data to the U.S., the EU-US Privacy Shield requirements apply, provided that a company in the U.S. is part of the Privacy Shield program.

Security

Security of personal data comprises organisational, technical and logical-technical procedures and measures to protect personal data, and to prevent accidental or deliberate unauthorised destruction, modification or loss of data, and unauthorised processing of such data.

ZVOP-1 lists particular measures, for example protecting premises and equipment, preventing unauthorised access, and ensuring the destruction, deletion or anonymisation of personal data.

Employees of data controllers and data processors are bound to protect the secrecy of personal data with which they become familiar in performing their tasks.

Breach Notification

There is no obligation under ZVOP-1 to notify a security breach to the Commissioner or to the individuals concerned.

Enforcement

The Commissioner is the competent authority for enforcing the data protection provisions and has the power to (i) issue orders as part of its supervision to eliminate irregularities or deficiencies, (ii) order the prohibition of the processing of personal data, (iii) order the prohibition of the transfer of personal data to a third country, or (iv) order other measures, such as deciding on the appeal of an individual whose request to disclose data relating to them has been refused by the data controller.

Failure to comply with ZVOP-1 may result in a fine of up to EUR 12,510 for legal persons and individual entrepreneurs. Unlawful use of personal data may also result in a prison sentence of one year pursuant to the Slovenian Criminal Code (a competent official may face a prison sentence of up to five years).

Electronic Marketing

Direct marketing by means of electronic communications is regulated by the Consumer Protection Act (Zakon o varstvu potrošnikov, Official Gazette 98/04 et seq.), the Electronic Commerce Market Act (Zakon o elektronskem poslovanju na trgu, Official Gazette 19/15), the Electronic Communications Act (Zakon o elektronskih komunikacijah, Official Gazette no. 109/12 et seq.) and the Personal Data Protection Act.

The consent of the individual is required for electronic marketing. Direct marketing is allowed where the "similar service/product" exemption applies; however, customers must be given a clear and distinct opportunity to refuse the use of their electronic mail address at the time these contact details are collected, and on the occasion of every message if the customer has not initially refused such use. Additionally, sending electronic mail for the purposes of direct marketing which disguises or conceals the identity of the sender, or which is sent without a valid address, is prohibited.

Online Privacy

Traffic data

Traffic data must be erased or made anonymous as soon as they are no longer needed for the purpose of transmitting a communication, except where a longer retention period is allowed by statute. Nevertheless, an operator may, until payment for the service is made in full but no later than the expiry of the limitation period, retain and process the traffic data required for the purposes of calculating and paying interconnection charges.

Location data

Location data may only be processed for the purpose of providing a value-added service, and only when the data are made anonymous or with the prior consent of the user or subscriber, who may withdraw this consent at any time. Before giving consent, the user or subscriber must be informed of (i) the possibility of refusing consent, (ii) the type of data to be processed, (iii) the purpose and duration of the processing, and (iv) the possibility of location data being transmitted to a third party for the purpose of providing the value-added service.

Cookie compliance

The Electronic Communications Act (ZEKom-1) provides rules on the usage of cookies and similar technology for data storage.

Pursuant to ZEKom-1, storing information, or gaining access to information already stored, in a subscriber's or user's terminal equipment (cookies) is only permitted if the subscriber or user has given informed consent after receiving clear and comprehensive information about the information manager and the purpose of the processing. An exception applies where this is done solely to carry out the transmission of a communication over an electronic communications network, or where it is strictly necessary to provide an information society service explicitly requested by the subscriber or user.

Contacts
Dr. Jasna Zwitter-Tehovnik
Partner
T +43 1 531 78 1042