GDPR Enforcement in Slovenia

Trend: Have the national data protection authorities in Slovenia focused on certain types of non-compliance... Do you see a focus on certain industries/sectors? If so, which ones?

Based on the IP-RS  Annual Report 2024 (Letno poročilo 2024), the supervisory activity in the data protection area in 2024 was primarily driven by cases reported to the authority (including complaints by individuals and reports by “reporters with a special status”), complemented by a smaller number of ex officio procedures, as well as participation in cross-border supervision. The most common topics prompting supervisory action were unlawful video surveillance, unlawful disclosure or forwarding of personal data, insufficient/incorrect information to individuals about processing, unlawful collection of personal data and direct marketing issues.

In terms of the types of non-compliance, the recurring issues reflected in the 2024 report include: (i) unlawful processing (including processing without an appropriate legal basis), (ii) insufficient security of personal data and (iii) unlawful video surveillance. The annual report presents these issues mainly through case categories and aggregated statistics; it does not announce a fixed sector-by-sector enforcement plan for the year. Accordingly, any “sector focus” should be understood as complaint-driven and case-driven rather than as a formally pre-defined list of targeted industries.

Note: The IP-RS’s annual report for 2025 has not yet been published.

_{Source: Information Commissioner (IP-RS), Annual Report 2024 (Letno poročilo za leto 2024), section on personal data protection (varstvo osebnih podatkov).}

Overall, what was the most significant fine in Slovenia to date (recipient, amount, violation, sector, short summary)? Has it been challenged in court?

Based on a decision issued on 11 December 2025, the highest fine imposed to date was EUR 71,474 on an employer (legal entity), with a fine of EUR 4,000 also imposed on the individual responsible. The employer covertly installed employee-monitoring software on certain employees’ work computers, which for months systematically recorded activities (including screen captures and, in some instances, audio), giving the employer access not only to work-related content but also to employees’ private communications (e.g. private email) and other private-life data. The Information Commissioner found that no condition for lawful processing was met (Article 6(1) GDPR), resulting in a breach of the principle of lawfulness. The case concerns workplace/employee monitoring; the employer’s specific industry/sector was not disclosed in the published materials.

No public information is available on whether the decision was challenged in court.

_{Source: Information Commissioner (IP-RS) news item on the fine for covert employee monitoring ("Delodajalcu, ki je prikrito nadzoroval vse aktivnosti zaposlenih na računalnikih, izrečena globa več kot 70.000 EUR").}

How is the data protection authority organized in Slovenia? Budget, staff, assignment to a ministry?

The IP-RS is an autonomous and independent state authority and is not subordinate to any ministry. The IP-RS is appointed by the National Assembly of the Republic of Slovenia on the recommendation of the President of the Republic of Slovenia and is accountable to the National Assembly for its work, including by submitting an annual activity report (as a rule, by 31 May for the previous year). The IP-RS also performs tasks in both the areas of personal data protection and access to public sector information. According to publicly available budget documents, the allocated budget for 2026 is EUR 3,635,478.00 and the projected budget for 2027 is EUR 3,919,673.00. According to the IP-RS’s latest annual report available at the time of writing (published in May 2025), the IP-RS employs 45 people.

_{Sources: Information Commissioner (IP-RS), latest annual report available at the time of writing (published May 2025) (staffing); publicly available state budget documents for 2026 and projections for 2027 (budget figures).}

How does a fine procedure work in Slovenia? Can the authority impose fines itself? Procedural steps? Legal remedies?

For GDPR/ZVOP-2 infringements, the IP-RS may itself impose fines in a fast-track misdemeanour procedure (hitri postopek) under the Minor Offences Act (ZP-1). Proceedings are initiated ex officio (often following supervisory/inspection findings) or based on a report/proposal, after which the IP-RS collects information and evidence and invites the alleged offender to comment (and to submit evidence) within the statutorily set deadline. The alleged offender must present the relevant evidence at this stage. If the IP-RS finds an offence, it issues a misdemeanour decision. Within 8 days of receiving the decision, the offender must submit a written notice announcing a request for judicial protection; if no notice is filed, the decision becomes final upon expiry of that deadline. If a notice is filed, the IP-RS must prepare and serve a reasoned written decision (with grounds) within 30 days. The offender may then file the request for judicial protection in writing within 8 days of service of the reasoned decision, with the IP-RS; new facts/evidence are allowed only if they could not have been submitted earlier without fault. The IP-RS may supplement the evidence and amend/replace/annul the decision (including discontinuation or replacing the fine with a warning) or forward the case to the competent court. A filed request for judicial protection suspends enforcement. The court usually decides on the file, may take evidence if needed, and cannot worsen the offender’s position; limited appeals may be available within 8 days (e.g. against a rejection decision). If no request is filed, the offender has the option to pay only half of the imposed fine within 8 days of the decision becoming final. The request for judicial review and the option to pay half of the fine are mutually exclusive.

When fines are imposed: Where does the money go? (state treasury / authority budget / other)

The fines count towards the state budget.

Is there an official calculation methodology for fines in Slovenia?

There is no fixed, official calculation model for fines. The IP-RS applies the general criteria under the Minor Offences Act together with Article 83(1) GDPR and Article 114 ZVOP-2 (for infringements under Article 83(4)–(6) GDPR). In addition to case-specific circumstances, the authority must ensure the fine is not a disproportionate or incomparable burden compared to sanctions for comparable human-rights infringements; assess intent (profit motive or intent to harm data subjects); and take the effectiveness of corrective measures and any voluntary action taken before supervision into account. For natural persons, the general income level in Slovenia and the person’s economic position are particularly relevant. The authority also considers whether infringements are repeated or severe  and the level of fine needed to ensure a deterrent effect.

Can public authorities be fined in Slovenia? If yes: Where does this money go?

Under the Minor Offences Act state authorities cannot be held liable for minor offences. Accordingly, fines cannot be imposed on them. Where a violation occurs, liability may instead be attached to the responsible individuals within the relevant state authority or self-governing local community. Notwithstanding the above, public authorities remain obliged to cooperate with the Information Commissioner on matters relating to the protection of personal data and may act as controllers or processors.

Does the authority publish information on individual fine cases (website/annual report)? Are companies identifiable?

The IP-RS does not publish specific, extrapolated data from each decision on its website, but rather publishes the anonymised decision in its entirety. A significant amount of data is redacted from the decision so that the offender (an individual or legal entity) and their activities for the most part cannot be identified. The nature of the violation and the sanctions imposed (in the form of a fine or a warning) are visible. In its annual report, the IP-RS publishes only an aggregate of all decisions in the form of a table. It lists only the number of violations, the number of warnings and fines issued and the type of each violation along with the number of such violations for each type.

If no individual publication: aggregated figures? Provide annual figures from 2019 onwards (if available).

• 2025*: 70 decisions, 51 fines
• 2024: 91 decisions, 47 fines
• 2023: 77 decisions, 38 fines
• 2022: 116 decisions, 75 fines
• 2021: 37 decisions, 18 fines
• 2020: 89 decisions, 58 fines
• 2019: 65 decisions, 44 fines

Recent reports note that enforcement statistics were significantly influenced by the absence of a comprehensive national framework implementing the GDPR in Slovenia until late 2022. Although the GDPR applied directly from May 2018, the delayed adoption of ZVOP‑2 constrained sanctioning practice. Full and systematic GDPR enforcement has therefore only been possible since the entry into force of ZVOP‑2 in January 2023.

Does Slovenia have model declaratory proceedings/class actions in data protection law?

Class actions are not available for decisions issued in personal data protection proceedings. Under the Collective Actions Act, collective actions are permitted only in expressly designated areas, which do not include personal data protection.

However, Slovenian law provides for model proceedings in administrative disputes where more than 20 lawsuits challenge administrative acts on the same (or similar) factual and legal basis. After the defendant has responded, the court may designate one case as the model case and stay the remaining proceedings. Once the model judgment becomes final, the court decides the stayed cases without a hearing, provided they do not materially differ in facts or law and the relevant facts have already been established.

Where the circumstances are identical, the court may rule on all remaining claims in a single judgment.

What is more relevant: fines from authorities or court proceedings (damages/injunctions)? Outlook for the coming 12 months?

Based on the data available in the IP-RS’s annual reports, it appears that relatively few individuals choose to seek legal redress against decisions imposing fines on them. Court proceedings in personal data protection are not as significant as those conducted by the IP-RS.

In practice, individuals rarely initiate legal proceedings due to alleged violations of personal data protection. 
Legal entities can also seek legal protection against issued administrative penalty decisions. In recent years, the number of lawsuits filed against the IP-RS’s decisions has remained steady, as has the number of administrative violation proceedings, particularly since the law implementing the GDPR took effect in 2023.

It can be expected that this trend will continue, with the IP-RS’s decisions playing an increasingly prominent role as data protection awareness grows.