Better late than never: Slovenia last EU Member State to adopt GDPR implementing act

Since the GDPR became directly applicable in 2018, the scope of applicability of the legacy Data Protection Act from 2004 ("ZVOP-1") was reduced to a handful of topics, including CCTV and processing of biometric data. The failure to update the national data protection legislation following the enactment of the GDPR generated a fair share of practical issues. Notably, these included uncertainty about the possibility to impose fines for breaches of the GDPR. Initially, the prevailing view had been that these breaches cannot be sanctioned at all, whether by means of administrative penalties under the GDPR or by fines set out in ZVOP-1, before an implementing law has been enacted. This changed in 2021 when leading courts took the view that a breach of GDPR provisions may carry fines set out in ZVOP-1 after all (incidentally, these fines are considerably lower than those in the GDPR).

Key takeaways

Some of the most notable changes brought about by ZVOP-2 include:

• Data processing log (Art 22): separate from the data protection impact analysis (DPIA) governed by the GDPR, controllers will be required to keep a data processing log (dnevnik obdelave) for certain categories of data processing, including collection, change and disclosure. This obligation applies (i) where automized systems for large-scale data of special categories of personal data are used, (ii) where there is systematic and regular monitoring of individuals, (iii) where a DPIA has shown a risk that can be efficiently managed by keeping a processing log, or (iv) when otherwise so required by law (e.g. for CCTV). As a rule, processing logs must be kept for two years after the expiry of the calendar year when the corresponding processing was recorded. This can in some instances be extended to five years.
• Additional security requirements for "special processing" (posebne obdelave) (Art 23): ZVOP-2 introduces a new category of data processing, categorised as "special processing", which covers specific large-scale data processing within information systems. This includes systems processing personal data of more than 100,000 individuals on the basis of a statute or processing special categories of personal data of more than 10,000 individuals, as well as instances where processing is based on a specific set of laws (such as financial administration, health care or mandatory health insurance). On top of GDPR requirements, special processing is subject to heightened security and incident reporting requirements laid out in the legislation governing information security. In some cases, the filing systems of such data must not be stored outside Slovenia.
• Sanctions (Art 95-115): ZVOP-2 provides grounds to impose administrative fines (upravne globe) set out in Art 83 GDPR. Slovenia has localised these as minor offences (prekrški) punishable by (standard/non-administrative) fines (globe). Idiosyncratic to the Slovenian legal system (which treats liability of an entity as accessory to that of its responsible person), fines for responsible persons within the breaching entity have been legislated in addition to the fine that may be imposed on the breaching entity under the GDPR. The former fines are considerably lower than the latter (the maximum penalty that may be imposed on a responsible person is EUR 8,000). ZVOP-2 also introduces additional mitigating factors that must be given due regard when deciding on the amount of the fine (e.g. a fine should not be disproportionate as compared to those levied for violations of other similar human rights). 
• Accreditation and certification bodies (Art 52-53): ZVOP-2 provides grounds for the accreditation of competent certification bodies (accredited by Slovenian accreditation – Slovenska akreditacija), which may issue approvals of GDPR-compliant business processes (pursuant to Art 42-43 GDPR).
• The age of consent for minors for use of information society services has been set at 15 years (a parent or trustee's approval is required for children below that age), unless a service provider's terms of use set out a higher age limit (Art 8).
• Processing of publicly available contact data or data obtained at public events (Art 93): ZVOP-2 allows for the processing of publicly available contact data or contact data obtained upon previous individuals' consent or voluntary disclosure, for the purposes of organising official meetings, education, training and events or other similar activities, except for direct marketing purposes. Personal data (including name, photographs and video materials) obtained at events carried out within the scope of the entity's operations can be processed and published for public information purposes, except if the individual prohibited such processing (opt-out system).
• Processing of individuals' requests (Art 14): ZVOP-2 specifically requires the controller's response to an individual's request made pursuant to Art 15-22 GDPR (or other requests related to data protection) to be substantiated and to provide information on the individual's right to lodge a complaint with the supervisory authority. Such a complaint may be lodged within a deadline of 15 days after being informed of the controller's response.
• CCTV (Art 76-80): this subject had already been regulated under ZVOP-1 but has been slightly expanded in ZVOP-2. Information about CCTV must be made available to individuals at a distance that still enables them to not enter an area being monitored by CCTV if they so prefer. CCTV in public spaces has been made subject to more detailed regulation. ZVOP-2 also introduces a prohibition of automatic licence plate recognition in public spaces (e.g. public parking lots). On the other hand, the retention period for personal data originated through CCTV has been reduced from two years to one year, with the controller of the CCTV now being required to keep a data processing log.
• Use of biometric data (Art 81-84): ZVOP-2 expands the possibility of biometric data processing in the private sector. Under ZVOP-2, the use of biometric data in the private sector is subject to certain requirements, including certification of the controller, prior written notice to the individuals and, as a general rule, prior approval from the supervisory authority. The prior approval requirement does not apply if the processing of biometric data remains under the sole and exclusive control of the relevant individual. Biometric data cannot be solicited or processed for marketing purposes, even if marketing services are delivered free of charge.

Undeniably, the adoption of a GDPR implementing act has been long overdue. ZVOP-2 will enter into force on 26 January 2023. The applicability of certain provisions has been postponed or made subject to a transition period. This includes provisions governing the keeping of processing logs and requirements regarding special processing activities where compliance must be ensured within an additional period of two and three years, respectively.

author: Marko Frantar, Miriam Gajšek