Home / Publications / Data Law Navigator | Slovenia

Data Law Navigator | Slovenia

Information on Data Protection and Cyber Security laws from CMS experts

<< back to Overview
The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Jump directly to Cyber Security >>

Data Protection

Last updated March 2020

Risk scale

Risk Scale Red


  • GDPR
  • Personal Data Protection Act (ZVOP-1, Official Gazette of RS, no. 94/07 – official consolidated text)
  • Information Commissioner Act (ZInfP, Official Gazette of RS, no. 113/05 et al)
  • Electronic Communications Act (ZEKom-1, Official Gazette of RS, no. 109/12 et al)


Information Commissioner of the Republic of Slovenia https://www.ip-rs.si/en/ 

Anticipated changes to law

Expected adoption of the new Personal Data Protection Act (ZVOP-2), which will further implement the GDPR.

If applicable: stage of legislative implementation of GDPR

The proposal of ZVOP-2 is currently subject of inter-ministerial coordination and harmonization.


The current Data Protection Act (ZVOP-1) applies:

  • to processing of personal data if the data controller is established, has its seat or is registered in the Slovenia, or if a branch of the data controller is registered in Slovenia;
  • if the data controller is not established, does not have its seat or is not registered in a Member State of the EU or is not a part of the EEA, whereby for the processing of personal data the data controller uses automated or other equipment located in Slovenia, except where such equipment is used solely for the transfer of personal data across the territory of Slovenia;
  • to diplomatic-consular offices and other official representative offices of the Republic of Slovenia abroad;


Until the new legislation following the application of the GDPR is adopted, the Information Commissioner does not have legal ground for imposing administrative fines under the GDPR, but only fines under the Personal Data Protection Act (ZVOP-1), which are not contrary to the GDPR.

  • ZVOP-1: fines up to EUR 12,500;
  • ZEKom-1: fines up to EUR 20,000 in reference to direct marketing provisions;
  • Criminal Code (KZ-1, Official Gazette of RS, no. 50/12 - official consolidated et al): fine or imprisonment from 1 to 5 years.

Main obligations and processing requirements

Mostly in accordance with the GDPR, watch out for specifics regarding video surveillance, biometrics and employment.

Data subject rights

No derogations from GDPR.

Processing by third parties

Data controller and processor must enter into a data processing agreement pursuant to Article 28 GDPR. Additionally, the parties should note that considering the ZVOP-1 provisions on security of data still apply, the data processing activities and appropriate technical and organisational security measures to protect the personal data must be laid down in the agreement and a mere reference to proper handling of personal data and compliance with the provisions of data protection legislation does not suffice.

Transfers out of country

No derogations from GDPR.

Data Protection Officer

No derogations from GDPR (yet).


GDPR applies, however some provisions of the ZVOP-1 still apply. For example, data controllers must provide in their internal acts the procedures and measures for the protection of personal data and determine the persons responsible for certain personal databases and persons who, due to the nature of their work, may process certain personal data.

Breach notification

No derogations from GDPR.

Direct marketing

  • If by e-mail: Pursuant to Electronic Communications Act (ZEKom-1) the use of e-mail for direct marketing purposes is permitted only on the basis of the consumer's prior consent, unless direct marketing can be relied on the soft opt-in exemption (consumer purchased a product or service of the company, provided the e-mail address at the time of purchase and the company uses the address for direct marketing of its own similar goods or services). Opt-out option must be provided at the time of collection of the e-mail address and must be included in every future marketing communication.
  • If by regular mail: for the purpose of direct marketing the company may use only the following data collected from the publicly available sources or in the context of the lawful pursuit of company’s activity: personal name, address of residence and phone/fax number, which were. For any other data the company must obtain prior consent. Opt-out option must be provided to an individual by the company when performing direct marketing.


Pursuant to ZEKom-1, the use of cookies is allowed only with prior consent by the user, after the user was clearly and comprehensively informed in advance about the data controller and the purpose of data processing.

However, ZEKom-1 lays down two exceptions under which the use of cookies is permitted without prior consent, namely:

  • cookies that are required solely for the transmission of a message on an electronic communications network; and
  • cookies that are indispensable for providing information society services, upon explicit request by the user.

Useful links

Cyber Security

Last updated March 2020

Risk scale

Risk Scale Orange

Laws and regulations

  • Electronic Communications Act (ZEKom-1, Official Gazette of RS, no. 109/12 et al)
  • Electronic Commerce Market Act (ZEPT, Official Gazette of RS, no. 96/09 et al)
  • Electronic Business and Electronic Signature Act (ZEPEP, Official Gazette of RS, no. 98/04 et al)
  • Information Security Act (ZInfV, Official Gazette of RS, no. 30/18)

Anticipated changes to law

No changes currently anticipated. 


  • ZEKom-1 regulates, inter alia, electronic communications networks and services, construction of electronic communications networks, security of networks and services and their operation in emergency situations, protection of the privacy of communications right
  • ZEPT regulates information society services
  • ZEPEP regulates, inter alia, electronic business, including business in an e-form by using information and communications technology and use of electronic signatures in transactions
  • ZInfV regulates, inter alia, security of information systems and measurements for achieving a high level of security of network and information systems, minimum safety requirements and requirements for reporting of incidents and organisation and operating of authorities for information security and security incidents


  • ZEKom-1: Information commissioner of Republic of Slovenia and Agency for Communication Networks and Services of the Republic of Slovenia
  • ZEPT: Ministry of Economic Development and Technology - Market Inspectorate
  • ZEPEP: Ministry of Public Administration
  • ZInfV: the Information Security Administration (Uprava za informacijsko varnost) which is part of the Ministry of Public Administration.

Key obligations

  • ZEKom-1:
    • Operators should establish security plan to manage the risk on security of networks and services and to prevent and minimise the impact of security incidents
    • Operators must notify the Agency for Communication Networks and Services of the Republic of Slovenia of breaches of security or integrity of networks
  • ZEPEP:
    • Safety requirements must be considered in internal rules
    • Use of reliable systems and equipment, ensuring technical and cryptographic security of procedures
  • ZInfV:
    • Requirement to appoint a contact person for information security and its deputy
    • Risk management on security of network and information system should be performed
    • Establishment and maintenance of management system regarding security of information 
    • Reporting of incidents


  • ZEKom-1:
    • fine up to EUR 400,000
  • ZEPT:
    • fine up to EUR 50,000
  • ZEPEP:
    • fine up to EUR 20,000
  • Criminal Code (KZ-1, Official Gazette of RS, no. 50/12 et al)
    • imprisonment up to 5 years
  • ZInfV:
    • fine up to EUR 50,000

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

SI-CERT (Slovenian Computer Emergency Response Team) provides a role of the national CSIRT. SI-CERT is a service of ARNES (Academic and Research Network of Slovenia).

SI-CERT provides the following activities:

  • coordination of resolving of cyber incidents;
  • technical advice on attacks, viruses and other misuse;
  • issuing of alerts for network managers and general public on current threads in electronic networks.

SIGOV-CERT (a body within the Ministry of Public Administration) is a response centre for information security incidents in information systems of the state administration.

Is there a national incident management structure for responding to cybersecurity incidents?

Cybersecurity incidents may be reported to SI-CERT. Cybersecurity incidents within the information systems of the state administration may be reported to SIGOV-CERT.

Other cyber security initiatives

SI-CERT has been implementing awareness-raising and educational programme on internet safety “Safe on the internet”: https://www.varninainternetu.si/ (web-page only in Slovenian).

SAFE:SI is a national internet point for raising awareness for children and teenagers on the safe use of internet and mobile devices (https://safe.si/english).

Useful links


<< back to Overview


Picture of Amela Zrt
Amela Žrt
Picture of Irena Sik
Irena Šik Bukovnik
Attorney-at-Law for banking & finance