Data Law Nav­ig­at­or | Slov­e­nia

In­form­a­tion on Data Pro­tec­tion and Cy­ber Se­cur­ity laws from CMS ex­perts

< back to Overview

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Jump directly to Cyber Security

Data Protection

Last updated 23 October 2018

Risk scale


  • Personal Data Protection Act (ZVOP-1, Official Gazette of RS, no. 94/07 – official consolidated text)
  • Information Commissioner Act (ZInfP, Official Gazette of RS, no. 113/05 et al)
  • Electronic Communications Act (ZEKom-1, Official Gazette of RS, no. 109/12 et al)
  • Electronic Commerce Market Act (ZEPT, Official Gazette of RS, no. 96/09 et al)
  • GDPR


Information Commissioner of the Republic of Slovenia  

If applicable: stage of legislative implementation of GDPR

In June 2018, the legislative procedure for adoption of the new Personal Data Protection Act (ZVOP-2) has ended due to end of term of office of the Parliament. A new proposal has not been submitted to the Parliament yet.

GDPR and ZVOP-1 both apply and have to be interpreted together at the same time.


ZVOP-1 applies:

  • to the processing of personal data if the data controller is established, has its seat or is registered in the Slovenia, or if a branch of the data controller is registered in Slovenia;
  • if the data controller is not established, does not have its seat or is not registered in a Member State of the EU or is not a part of the EEA, whereby for the processing of personal data the data controller uses automated or other equipment located in Slovenia, except where such equipment is used solely for the transfer of personal data across the territory of Slovenia;
  • to diplomatic-consular offices and other official representative offices of the Republic of Slovenia abroad;

The other laws listed above apply to all processing/marketing activities on the Slovenian territory.



  • Information Commissioner acts as an inspection authority. If, when carrying out an inspection procedure, an Information Commissioner finds out there is a suspicion that a criminal offence or minor-offence has been committed, it shall file a criminal charge or start a minor-offences procedure.
  • fines up to EUR 12,500


  • fines up to EUR 20,000 in reference to direct marketing provisions


  • fines up to EUR 50,000

Criminal Code (KZ-1, Official Gazette of RS, no. 50/12 - official consolidated et al)

  • fine or imprisonment from 1 to 5 years

Main obligations and processing requirements

  • Information requirement
  • Consent requirement

Data subject rights

The scope of data subject rights under ZVOP-1 is very similar to that in the GDPR, whereas the GDPR provides for more detailed provisions and also additional rights (e.g. right to data portability).

Processing by third parties

Similar like GDPR, the ZVOP-1 also provides the data controller must enter into written agreement with data processor. However, the requirements under the GDPR are more specific, therefore these apply.

Since according to the ZVOP-1, data processing activities and appropriate technical and organisational security measures to protect the personal data must be laid down in the agreement, we believe this needs to be included also in the data processing agreement pursuant to Article 28 GDPR.

Data Protection Officer

This was not required according to ZVOP-1. We may expect additional provision with the new proposal of the act implementing GDPR.


GDPR applies, however some provisions of the ZVOP-1 still apply. For example, data controllers must provide in their acts the procedures and measures for the protection of personal data and determine the persons responsible for certain personal databases and persons who, due to the nature of their work, may process certain personal data.

Pursuant to ZEKom-1, providers of public communications services have to implement certain security measures. 

Breach notification

Pursuant to ZEKom-1, provider of public communications services must notify the Communications Networks and Services Agency of the Republic of Slovenia of any personal data breach without delay. The provider of public communications services must notify subscribers or individuals as well, if such breach could adversely affect the personal data or privacy of a subscriber or an individual.

Direct marketing

E-mail: need to obtain prior consent, unless direct marketing can be relied on the soft opt-in exemption (consumer purchased a product or service of the company and provided the e-mail address at the time of purchase). Opt-out option must be provided at the time of collection of the e-mail address and must be included in every future marketing communication.

Addressed mail and phone calls: Without prior consent, the company may use only the following data: personal name, address of residence and phone/fax number, which were collected from the publicly available sources. Opt-out option must be provided to an individual by the company when performing direct marketing.


Need to obtain consent of the user, which must be given clear and comprehensive information in advance about the data controller and the purpose of data processing. This rule does not apply to cookies collecting data solely for the purpose of enabling electronic communication or for providing information society services.

Useful links


Cyber Security

Last updated 23 October 2018

Risk scale

Laws and regulations

  • Electronic Communications Act (ZEKom-1, Official Gazette of RS, no. 109/12 et al)
  • Electronic Commerce Market Act (ZEPT, Official Gazette of RS, no. 96/09 et al)
  • Electronic Business and Electronic Signature Act (ZEPEP, Official Gazette of RS, no. 98/04 et al)
  • Act on information security (ZInfV, Official Gazette of RS, no. 30/18)


  • ZEKom-1 regulates, inter alia, electronic communications networks and services, construction of electronic communications networks, security of networks and services and their operation in emergency situations, protection of the privacy of communications right
  • ZEPT regulates information society services
  • ZEPEP regulates, inter alia, electronic business, including business in an e-form by using information and communications technology and use of electronic signatures in transactions
  • ZInfV regulates, inter alia, security of information systems and measurements for achieving a high level of security of network and information systems, minimum safety requirements and requirements for reporting of incidents and organisation and operating of authorities for information security and security incidents


  • ZEKom-1: Information commissioner of Republic of Slovenia and Agency for Communication Networks and Services of the Republic of Slovenia
  • ZEPT: Ministry of Economic Development and Technology - Market Inspectorate
  • ZEPEP: Ministry of Public Administration
  • ZInfV: the Government Office for the Protection of Classified Information ( will perform the role of the national authority until a new authority body is established. The authority body shall start its activities on 1 January 2020 at the latest.

Key obligations

  • ZEKom-1:
    • Operators should establish security plan to manage the risk on security of networks and services and to prevent and minimise the impact of security incidents
    • Operators must notify Agency for Communication Networks and Services of the Republic of Slovenia of breaches of security or integrity of networks
  • ZEPEP:
    • Safety requirements must be considered in internal rules
    • Use of reliable systems and equipment, ensuring technical and cryptographic security of procedures
  • ZInfV:
    • Need to appoint contact person for information security and its deputy
    • Risk management on security of network and information system should be performed
    • Establishment and maintenance of management system regarding security of information  
    • Reporting of incidents


  • ZEKom-1:
    • fine up to EUR 400,000
  • ZEPT:
    • fine up to EUR 50,000
  • ZEPEP:
    • fine up to EUR 20,000
  • Criminal Code  (KZ-1, Official Gazette of RS, no. 50/12 - official consolidated et al)
    • imprisonment up to 5 years
  • ZInfV:
    • fine up to EUR 50,000

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

SI-CERT (Slovenian Computer Emergency Response Team) provides a role of the national CSIRT. SI-CERT is a service of ARNES (Academic and Research Network of Slovenia).

Si-CERT provides the following activities:

  • coordination of cyber incidents resolving;
  • technical advice on attacks, viruses and other misuse;
  • issuing of alerts for network managers and general public on current threads in electronic networks.

The national CSIRT will start to perform its activities under ZInfV on 1 January 2019. CSIRT of public administration bodies will be established on 1 January 2019.

Is there a national incident management structure for responding to cybersecurity incidents?

Short draft of cyber emergency response plan was included in one of the drafts of the Slovenian National Cyber Security Strategy, however not in the adopted version.

National Cyber Emergency Response Plan has not been adopted yet, however cybersecurity incidents may be reported to SI-CERT in a rather informal procedure.

National strategy on the security of network and information systems should be adopted in a year after ZInfV comes into force.

Useful links


< back to Overview


Picture of Ales Lunder
Aleš Lunder