Slovenia
Data protection
1. Local data protection laws and scope
- The EU General Data Protection Regulation (“EU GDPR”)
- The Personal Data Protection Act (“ZVOP-2”)
- The Information Commissioner Act (“ZInfP”) sets the competences and powers of the Information Commissioner.
- The Electronic Communications Act (“ZEKom-2”) sets the requirements for electronic communications networks and services, including cookies and direct marketing by electronic means. ZEKom-2 implemented the EU Privacy and Electronic Communications Directive (e-Privacy Directive) in Slovenia.
2. Data protection authority
Information Commissioner of the Republic of Slovenia https://www.ip-rs.si/en/
3. Anticipated changes to local laws
N/A
4. Sanctions & non-compliance
Administrative sanctions:
ZVOP-2 also provides for sanctions for EU GDPR violations committed by responsible persons and individuals.
Fines under ZVOP-2 amount to up to EUR 40,000.
Criminal sanctions:
For the criminal offence of misuse of personal data, a fine or imprisonment of one to five years may be imposed.
Others:
The Information Commissioner also has the powers under the Inspections Act.
An individual who considers that his or her rights under the EU GDPR, or under the laws governing the processing or protection of personal data, have been infringed by a controller or processor, whether in the public or private sector, may seek judicial protection of those rights throughout the duration of the infringement, without first exercising his or her rights under other provisions of ZVOP-2 or seeking other remedies. In addition to the cessation of the infringement and the restoration of the lawful situation, the individual may also claim damages under the same provisions of ZVOP-2.
5. Registration / notification / authorisation
N/A
6. Main obligations and processing requirements
ZVOP-2 contains specific rules on video surveillance, biometrics and processing in the employment context; watch out for these.
7. Data subject rights
There are no substantive derogations from the EU GDPR.
8. Processing by third parties
ZVOP-2 does not specifically regulate the contractual relationship between controller and processor; processors should nevertheless be aware that they are also subject to a number of provisions of the GDPR and ZVOP-2.
9. Transfers out of country
There are no substantive derogations from the EU GDPR.
10. Data Protection Officer
The scope of persons obliged to appoint a DPO is broader than under the EU GDPR. ZVOP-2 stipulates a time limit for the registration, publication and communication of the DPO to the regulator. ZVOP-2 also sets certain qualification requirements for the DPO, but these mostly apply to the public sector.
11. Security
ZVOP-2 also regulates the protection of personal data that are the subject of ongoing proceedings: the obliged person may not delete or modify the data concerned while the proceedings are pending (until the decision becomes final).
12. Breach notification
There are no substantive derogations from the EU GDPR.
13. Direct marketing
If by email: ZEKom-2 prohibits the use of email addresses for direct marketing purposes without the customer's prior consent, unless all of the following apply:
- the customer purchased a product or service from the person proposing to undertake the marketing;
- the direct marketing relates to that person's own similar goods or services; and
- the customer was given a clear and explicit possibility to opt out of the use of their email address for direct marketing purposes, free of charge and in a simple manner, both when their details were collected and in each subsequent marketing communication.
If by regular mail: the EU GDPR applies.
14. Cookies and adtech
Cookies and similar technologies are covered by ZEKom-2. The basic rule is that organisations must:
- clearly and comprehensively inform the user in advance about the data controller and the purpose of data processing in line with data protection rules;
- get the user’s prior consent, unless the cookie is:
- used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- strictly necessary for the provision of a service explicitly requested by the user.
Duration of cookies should also be specified.
Cookies consent under ZEKom-2 means consent to the same standard as is required under the EU GDPR.
These rules apply to adtech and online marketing that is cookie-based (whether or not personal data is used). Where personal data is processed, the requirements of the EU GDPR must also be complied with.
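As an added illustration of the rule described above (this is example code, not part of the original page or of any Slovenian authority's guidance), the helper below gates the setting of each cookie on its category: cookies used only to transmit a communication or strictly necessary for a service the user requested are set without consent, every other cookie is set only against a recorded affirmative opt-in, and every cookie carries an explicit lifetime that can be shown to the user together with the controller and purpose. The cookie names, categories, controller name and the shape of the consent record are assumptions made for the example.

```javascript
// Added example: consent-gated cookie setting. Names, categories, the
// controller name and the consent record format are assumptions, not from
// the page or from any real site.

// Categories that ZEKom-2 exempts from the prior-consent requirement.
const EXEMPT_CATEGORIES = new Set(['transmission', 'strictly-necessary']);

const DATA_CONTROLLER = 'Example d.o.o., Ljubljana'; // assumed controller

// Registry of every cookie the site sets. A cookie not listed here is
// refused outright, so nothing can be set without a documented purpose.
// maxAgeSeconds: null means a session cookie.
const COOKIE_REGISTRY = {
  session_id:  { category: 'strictly-necessary', httpOnly: true,  maxAgeSeconds: null,
                 purpose: 'Keeps the user logged in to the service they requested' },
  csrf_token:  { category: 'strictly-necessary', httpOnly: true,  maxAgeSeconds: 3600,
                 purpose: 'Protects submitted forms against cross-site request forgery' },
  _analytics:  { category: 'analytics',          httpOnly: false, maxAgeSeconds: 30 * 86400,
                 purpose: 'Aggregated usage statistics' },
  _ad_profile: { category: 'advertising',        httpOnly: false, maxAgeSeconds: 90 * 86400,
                 purpose: 'Interest-based advertising' },
};

// Consent counts only if it was an affirmative act for that category.
// Pre-ticked boxes or "continued browsing" do not meet the GDPR standard
// that ZEKom-2 refers to, so such records are treated as no consent.
function hasValidConsent(consent, category) {
  if (!consent || consent.method !== 'explicit-opt-in') return false;
  return Array.isArray(consent.categories) && consent.categories.includes(category);
}

function formatDuration(maxAgeSeconds) {
  if (maxAgeSeconds === null) return 'session (deleted when the browser closes)';
  return maxAgeSeconds >= 86400
    ? `${maxAgeSeconds / 86400} days`
    : `${maxAgeSeconds / 3600} hours`;
}

// Returns a Set-Cookie header value, or null when the cookie may not be set
// because the user has not (validly) consented to its category.
function buildSetCookie(name, value, consent) {
  const spec = COOKIE_REGISTRY[name];
  if (!spec) throw new Error(`unregistered cookie: ${name}`);
  if (!EXEMPT_CATEGORIES.has(spec.category) && !hasValidConsent(consent, spec.category)) {
    return null;
  }
  const attrs = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'Secure'];
  if (spec.httpOnly) attrs.push('HttpOnly');
  attrs.push('SameSite=Lax');
  if (spec.maxAgeSeconds !== null) attrs.push(`Max-Age=${spec.maxAgeSeconds}`);
  return attrs.join('; ');
}

// The information the user must receive before being asked to consent:
// controller, purpose and duration of each cookie, and whether consent is needed.
function cookieDisclosure() {
  return Object.entries(COOKIE_REGISTRY).map(([name, spec]) => ({
    name,
    controller: DATA_CONTROLLER,
    category: spec.category,
    purpose: spec.purpose,
    duration: formatDuration(spec.maxAgeSeconds),
    requiresConsent: !EXEMPT_CATEGORIES.has(spec.category),
  }));
}

// Constructed sample consent record: the user opted in to analytics only.
const sampleConsent = {
  method: 'explicit-opt-in',
  categories: ['analytics'],
  recordedAt: '2025-09-01T10:00:00Z',
};

console.log(buildSetCookie('session_id', 'abc123', null));        // set: exempt category
console.log(buildSetCookie('_analytics', 'u-42', sampleConsent)); // set: consent recorded
console.log(buildSetCookie('_ad_profile', 'p-9', sampleConsent)); // null: no consent for advertising
console.table(cookieDisclosure());
```

The registry doubles as the source for the consent banner, so the durations shown to the user and the `Max-Age` actually sent cannot drift apart; a cookie added to the code without an entry in the registry is refused rather than silently set.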
15. Risk scale
Severe.
16. Useful links
- Information Commissioner: https://www.ip-rs.si/en/
Cybersecurity
1. Local cybersecurity laws and scope
The key cybersecurity law in Slovenia is the Information Security Act (Zakon o informacijski varnosti; "ZInfV-1", Official Gazette of RS, no. 40/25), which implements Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union ("NIS2") and introduces a comprehensive cybersecurity framework.
Other relevant laws include:
- Critical Infrastructure Act (Zakon o kritični infrastrukturi; "ZKI-1", Official Gazette of RS, no. 102/24 et al);
- Electronic Communications Act (Zakon o elektronskih komunikacijah; "ZEKom-2", Official Gazette of RS, no. 130/22 et al) - implementing the ePrivacy Directive 2002/58/EC;
- Electronic Commerce Market Act (Zakon o elektronskem poslovanju na trgu; "ZEPT", Official Gazette of RS, no. 96/09 et al);
- General Data Protection Regulation, GDPR (Regulation (EU) 2016/679 of 27 April 2016) and Personal Data Protection Act (Zakon o varstvu osebnih podatkov; "ZVOP-2", Official Gazette of RS, no. 163/22); – see “Data Protection” section above for full details of data protection laws;
- eIDAS Regulation (Regulation (EU) No 910/2014) and Electronic Identification and Trust Services Act (Zakon o elektronski identifikaciji in storitvah zaupanja; "ZEISZ", Official Gazette of RS, no. 121/21 et al).
2. Anticipated changes to local laws
N/A
3. Application
ZInfV-1
- The NIS2 was implemented in Slovenia by ZInfV-1, which entered into force on 19 June 2025.
- The scope of ZInfV-1 largely mirrors Article 2 of NIS2. In general, ZInfV-1 applies to entities that:
- belong to a type listed in Annex I (sectors of high criticality, e.g. energy, transport, banking, financial market infrastructure, health, etc.) or Annex II (other critical sectors, e.g. postal and courier services, waste management, production, processing and distribution of food, etc.); and
- qualify as medium-sized or larger enterprises, i.e. (in broad terms) have at least 50 employees, or both an annual turnover and an annual balance sheet total exceeding EUR 10 million.
- Certain entities, however, fall within the scope of ZInfV-1 regardless of their size. The list of such entities essentially mirrors the categories in NIS2 (providers of public electronic communications networks, trust service providers, TLD name registries, entities that are the sole provider of a service from Annex I or Annex II in Slovenia, entities whose disruption would significantly affect public safety, critical entities, etc.), with the addition of entities designated in national protection and rescue plans as providing services of national importance.
- ZInfV-1, inter alia, provides the institutional framework for the national information security system, risk management and incident reporting, and the operation of the authorities responsible for information security and security incidents.
ZKI-1
- Sets out the framework for identifying and determining critical entities and critical infrastructure, defines the national framework for the resilience of critical entities and critical infrastructure, and lays down measures to ensure the resilience of critical entities in the provision of essential services.
ZEKom-2
- Regulates, inter alia, electronic communications networks and services, the construction of electronic communications networks, the security of networks and services and their operation in emergency situations, the protection of the right to privacy of communications, etc.
ZEPT
- Regulates electronic commerce.
4. Authority
- Government Information Security Office (Urad vlade za informacijsko varnost): https://www.gov.si/drzavni-organi/vladne-sluzbe/urad-vlade-za-informacijsko-varnost/
- Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec): https://www.ip-rs.si/
- Agency for Communication Networks and Services of the Republic of Slovenia (Agencija za komunikacijska omrežja in storitve Republike Slovenije): https://www.akos-rs.si/
- Market Inspectorate (Tržni inšpektorat), part of the Ministry of the Economy, Tourism and Sport: https://www.gov.si/drzavni-organi/organi-v-sestavi/trzni-inspektorat/
5. Key obligations
ZInfV-1:
- Entities subject to ZInfV-1 must self-register. Entities already subject to ZInfV-1 on 19 June 2025 must self-register by 19 December 2025; all other entities must register within 30 days of becoming subject to the Act.
- Essential and important entities must implement a documented information security management system and a business continuity management system, based on a risk-based approach. The documentation must include, among others, an information system security policy, an inventory of information assets and data with designated administrators, a risk analysis, a business continuity plan, a system recovery plan, an incident response plan and a security measures plan.
- ZInfV-1 lists the measures that essential and important entities must take. These include, among others, management support and the inclusion of cybersecurity in annual plans, ensuring the integrity of personnel before, during and after employment, cyber hygiene practices and regular training, identity verification and access management, and the implementation and monitoring of data backups.
- Entities must assess the effectiveness of their cybersecurity risk management measures at least annually, or at the regular intervals specified in their policy and procedures, and whenever vulnerabilities are detected.
- Significant incidents must be reported, in line with the NIS2 timelines (an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month).
ZKI-1
- Operators must prepare a risk assessment and, based on this assessment, adopt appropriate resilience measures.
- If a potential crisis or interruption in the operation of infrastructure occurs, the operator must notify the sector authority for that critical infrastructure.
ZEKom-2:
- Operators must establish a security management system in line with the requirements of ZInfV-1.
6. Sanctions & non-compliance
Administrative sanctions:
- ZInfV-1: fine up to EUR 10 million or 2% of total worldwide annual turnover (whichever is higher) for the most serious infringements
- ZEKom-2: fine up to EUR 400,000
- ZEPT: fine up to EUR 50,000
It is possible to be fined under both the above regulations and the GDPR/ZVOP-2 for the same incident, provided there are distinct bases for doing so (i.e. there is a breach of data protection law and a separate breach of the information security regulations).
Criminal sanctions:
- imprisonment of up to 15 years.
Others:
- Compensation claims in case of damages.
- See “Data Protection” section above.
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
SI-CERT (Slovenian Computer Emergency Response Team) acts as the national CSIRT. SI-CERT is a service of ARNES (Academic and Research Network of Slovenia).
SI-CERT carries out the following activities:
- coordination of cyber incident response;
- technical advice on attacks, malware and other misuse;
- issuing alerts to network administrators and the general public on current threats in electronic networks.
SIGOV-CERT (a body within the Government Information Security Office) is a response centre for information security incidents in information systems of the state and local level administration.
8. National cybersecurity incident management structure
Under ZInfV-1, entities in scope must report "significant" cybersecurity incidents to SI-CERT within the set deadlines. Other, less significant incidents may be reported voluntarily. Cybersecurity incidents in the information systems of state and local administration are reported to SIGOV-CERT.
Entities not in the scope of ZInfV-1 and natural persons can report cybersecurity incidents to SI-CERT.
9. Other cybersecurity initiatives
SI-CERT runs the awareness-raising and educational programme on internet safety "Safe on the internet": https://www.varninainternetu.si/ (website in Slovenian only).
SAFE:SI is a national internet point for raising awareness for children and teenagers on the safe use of internet and mobile devices (https://safe.si/english).