Home / Publications / Data Law Navigator | Slovenia

Data Law Navigator | Slovenia

Information on Data Protection and Cyber Security laws from CMS experts

< back to Overview

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Jump directly to Cyber Security
 

Data Protection

Last updated 23 October 2018

Risk scale

Risk Scale Red

Laws 

  • GDPR
  • Personal Data Protection Act (ZVOP-1, Official Gazette of RS, no. 94/07 – official consolidated text)
  • Information Commissioner Act (ZInfP, Official Gazette of RS, no. 113/05 et al)
  • Electronic Communications Act (ZEKom-1, Official Gazette of RS, no. 109/12 et al)

Authority

Information Commissioner of the Republic of Slovenia: https://www.ip-rs.si/en/  

Anticipated changes to law

Expected adoption of the new Personal Data Protection Act (ZVOP-2), which will further implement the GDPR.

If applicable: stage of legislative implementation of GDPR

The new proposal of ZVOP-2 is currently subject of professional and inter-ministerial coordination and harmonization.

Scope

The current Data Protection Act (ZVOP-1) applies:

  • to processing of personal data if the data controller is established, has its seat or is registered in the Slovenia, or if a branch of the data controller is registered in Slovenia;
  • if the data controller is not established, does not have its seat or is not registered in a Member State of the EU or is not a part of the EEA, whereby for the processing of personal data the data controller uses automated or other equipment located in Slovenia, except where such equipment is used solely for the transfer of personal data across the territory of Slovenia;
  • to diplomatic-consular offices and other official representative offices of the Republic of Slovenia abroad;

Penalties/Enforcement

The Information Commissioner cannot impose administrative fines and other sanctions based on the GDPR, but only based on the Data Protection Act (ZVOP-1), which was in force already prior to GDPR and will remain in force until adoption of ZVOP-2.

  • ZVOP-1: fines up to EUR 12,500;
  • ZEKom-1: fines up to EUR 20,000 in reference to direct marketing provisions;
  • Criminal Code (KZ-1, Official Gazette of RS, no. 50/12 - official consolidated et al): fine or imprisonment from 1 to 5 years.

Main obligations and processing requirements

Mostly in accordance with the GDPR, watch out for specifics regarding video surveillance, biometrics and employment

Data subject rights

No derogations from GDPR.

Processing by third parties

Similar like GDPR, the ZVOP-1 also provides the data controller & processor must enter into a written data processing agreement. However, the requirements under the GDPR are more specific, therefore these apply.

Since according to the ZVOP-1, data processing activities and appropriate technical and organisational security measures to protect the personal data must be laid down in the agreement, we believe this needs to be included also in the data processing agreement pursuant to Article 28 GDPR.

Transfers out of country

No derogations from GDPR.

Data Protection Officer

No derogations from GDPR.

Security

GDPR applies, however some provisions of the ZVOP-1 still apply. For example, data controllers must provide in their acts the procedures and measures for the protection of personal data and determine the persons responsible for certain personal databases and persons who, due to the nature of their work, may process certain personal data.

Breach notification

No derogations from GDPR.

Direct marketing

  • If by e-mail: Pursuant to Electronic Communications Act (ZEKom-1) the use of e-mail for direct marketing purposes is permitted only on the basis of the consumer's prior consent, unless direct marketing can be relied on the soft opt-in exemption (consumer purchased a product or service of the company, provided the e-mail address at the time of purchase and the company uses the address for direct marketing of its own similar goods or services). Opt-out option must be provided at the time of collection of the e-mail address and must be included in every future marketing communication.
  • If by regular mail: Direct marketing is not permitted without prior consent, the company may use only the following data: personal name, address of residence and phone/fax number, which were collected from the publicly available sources or in the context of the lawful pursuit of company’s activity. Opt-out option must be provided to an individual by the company when performing direct marketing.

Cookies

Pursuant to ZEKom-1, the use of cookies is allowed only with prior consent by the user, after the user was clearly and comprehensively informed in advance about the data controller and the purpose of data processing.

However, ZEKom-1 lays down two exceptions under which the use of cookies is permitted without prior consent, namely:

  • cookies that are required solely for the transmission of a message on an electronic communications network; and
  • cookies that are indispensable for providing information society services, upon explicit request by the user.

Useful links

 

Cyber Security

Last updated 11 July 2019

Risk scale

Risk Scale Orange

Laws and regulations

  • Electronic Communications Act (ZEKom-1, Official Gazette of RS, no. 109/12 et al)
  • Electronic Commerce Market Act (ZEPT, Official Gazette of RS, no. 96/09 et al)
  • Electronic Business and Electronic Signature Act (ZEPEP, Official Gazette of RS, no. 98/04 et al)
  • Act on information security (ZInfV, Official Gazette of RS, no. 30/18)

Anticipated changes to law

Resolution on National Security Strategy of the Republic of Slovenia pursuant to the Act on information security is currently being adopted.

Application 

  • ZEKom-1 regulates, inter alia, electronic communications networks and services, construction of electronic communications networks, security of networks and services and their operation in emergency situations, protection of the privacy of communications right
  • ZEPT regulates information society services
  • ZEPEP regulates, inter alia, electronic business, including business in an e-form by using information and communications technology and use of electronic signatures in transactions
  • ZInfV regulates, inter alia, security of information systems and measurements for achieving a high level of security of network and information systems, minimum safety requirements and requirements for reporting of incidents and organisation and operating of authorities for information security and security incidents

Authority

  • ZEKom-1: Information commissioner of Republic of Slovenia and Agency for Communication Networks and Services of the Republic of Slovenia
  • ZEPT: Ministry of Economic Development and Technology - Market Inspectorate
  • ZEPEP: Ministry of Public Administration
  • ZInfV: the Government Office for the Protection of Classified Information will perform the role of the national authority until a new authority body (Uprava za informacijsko varnost) is established. The new authority body shall start its activities on 1 January 2020 at the latest.

Key obligations

  • ZEKom-1:
    • Operators should establish security plan to manage the risk on security of networks and services and to prevent and minimise the impact of security incidents
    • Operators must notify Agency for Communication Networks and Services of the Republic of Slovenia of breaches of security or integrity of networks
  • ZEPEP:
    • Safety requirements must be considered in internal rules
    • Use of reliable systems and equipment, ensuring technical and cryptographic security of procedures
  • ZInfV:
    • Requirement to appoint contact person for information security and its deputy
    • Risk management on security of network and information system should be performed
    • Establishment and maintenance of management system regarding security of information  
    • Reporting of incidents

Penalties/enforcement

  • ZEKom-1:
    • fine up to EUR 400,000
  • ZEPT:
    • fine up to EUR 50,000
  • ZEPEP:
    • fine up to EUR 20,000
  • Criminal Code  (KZ-1, Official Gazette of RS, no. 50/12 - official consolidated et al)
    • imprisonment up to 5 years
  • ZInfV:
    • fine up to EUR 50,000

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

SI-CERT (Slovenian Computer Emergency Response Team) provides a role of the national CSIRT. SI-CERT is a service of ARNES (Academic and Research Network of Slovenia).

SI-CERT provides the following activities:

  • coordination of cyber incidents resolving;
  • technical advice on attacks, viruses and other misuse;
  • issuing of alerts for network managers and general public on current threads in electronic networks.

SIGOV-CERT (a body within Ministry of Public Administration) is a response centre for information security incidents in information systems of the state administration.

Is there a national incident management structure for responding to cybersecurity incidents?

Cybersecurity incidents may be reported to SI-CERT. Cybersecurity incidents within the information systems of the state administration may be reported to SIGOV-CERT.

Other cyber security initiatives

SI-CERT has been implementing awareness-raising and educational programme on internet safety “Safe on the internet”: https://www.varninainternetu.si/ (web-page only in Slovenian)

SAFE:SI is a national internet point for raising awareness for children and teenagers on the safe use of internet and mobile devices (https://safe.si/english)

Useful links

 

< back to Overview

Authors

Picture of Ales Lunder
Aleš Lunder
Partner
Ljubljana