
Slovenia
Data Protection
Introduction
Personal data protection is an important legal area, as the right to the protection of personal data is a fundamental right and freedom of the individual. Slovenia, as a member of the European Union, follows the guidelines and measures for the protection of personal data at European level, and additionally develops legal instruments for the comprehensive protection of personal data, which is crucial in today’s increasingly information-driven society.
Personal data protection is governed by the European Union’s General Data Protection Regulation — the GDPR (Regulation (EU) 2016/679), which sets common rules for the protection of personal data in the EU, while leaving Member States room to regulate certain substantive and procedural issues themselves. In Slovenia these issues are covered by the Personal Data Protection Act (ZVOP-2) (Official Gazette No. 163/22), which also regulates some matters that are not covered by the GDPR, and by the Protection of Personal Data in the Area of Treatment of Criminal Offences Act (ZVOPOKD) (Official Gazette No. 177/20), which is a lex specialis.
1. What national laws regulate the collection, use and disclosure of personal data?
Starting with the highest legal act in Slovenia, personal data protection is regulated at the constitutional level in the Constitution of the Republic of Slovenia (Official Gazette No. 33/91-I and amend.), Article 38.
As far as European legislation directly applied in Slovenia is concerned, the GDPR has been in use since 25 May 2018. The other two main legal acts are the ZVOP-2, in use since 26 January 2023, and ZVOPOKD, in use since 31 December 2020.
Other regulations that relate to the legal area of personal data are: the Information Commissioner Act (Official Gazette No. 113/05 and amend.), the Public Information Access Act (Official Gazette No. 51/06 and amend.), the Reporting Persons Protection Act (Official Gazette No. 16/23), the Classified Information Act (Official Gazette No. 50/06 and amend.), the Electronic Communications Act (Official Gazette No. 130/22 and amend.), the Patients’ Rights Act (Official Gazette No. 15/08 and amend.), the Mass Media Act (Official Gazette No. 110/06 and amend.), the Inspection Act (Official Gazette No. 43/07 and amend.), the Minor Offences Act (Official Gazette No. 29/11 and amend.), the Penal Code (Official Gazette No. 50/12 and amend.), the Employment Relationship Act (Official Gazette No. 21/13 and amend.), the Banking Act (Official Gazette No. 92/21 and amend.), the Attorneys Act (Official Gazette No. 18/93 and amend.), the Slovenian Intelligence and Security Agency Act (Official Gazette No. 81/06), the Defence Act (Official Gazette No. 103/04 and amend.), the Public Procurement Act (Official Gazette No. 91/15 and amend.) and the Information Security Act (Official Gazette No. 30/18 and amend.).
The following text will primarily focus on the GDPR and ZVOP-2 and legal documents deriving from this legislation, unless specified otherwise.
2. To whom do the laws apply?
The laws apply to:
- individuals or data subjects to whom the personal data relates;
- the supervisory authority: the Information Commissioner;
- supervisory persons: information officer and supervisors for the protection of personal data;
- the public sector: state bodies, bodies of self-governing local communities, holders of public powers, public agencies, public funds, public institutes, universities, independent institutions of higher education, private kindergartens and private primary and secondary schools, self-governing national communities, the Council of the Roma Community of the Republic of Slovenia and other public law entities established by law;
- the private sector: legal or natural persons carrying out an activity under the statute regulating commercial companies or a commercial public service or craft, as well as persons of private law, public commercial institutes, public companies and commercial companies, self-governing local communities or self-governing communities of nationalities;
- the data controller: natural or legal person, public body, agency or other body that alone or together with others determines the purposes and means of processing;
- the data processor: natural or legal person, public authority, agency or other body that processes personal data in the name of the controller;
- the data recipient: natural or legal person, public authority, agency or other body to whom personal data was provided or disclosed, whether it is a third party or not; and
- a third party: natural or legal person, public body, agency or other body that is not the individual to whom personal data is referred, the controller, processor and persons authorised to process personal data under the direct management of the controller or processor.
3. What is the territorial scope of the law?
The GDPR stipulates that its provisions apply to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing itself takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to (a) offering goods or services to such data subjects in the EU, whether or not payment by the individual is required; or (b) monitoring their behaviour, as far as that behaviour takes place in the EU. Finally, the GDPR applies to the processing of personal data by a controller that is not established in the EU but in a place where the law of a Member State applies by virtue of public international law.
ZVOP-2 determines that its provisions apply to the processing of personal data carried out within the public sector of the Republic of Slovenia and to the private sector when it comes to the processing of personal data carried out within the scope of the establishment of a controller or processor registered in Slovenia, even though processing of personal data does not take place in Slovenia. It also applies to the processing of personal data carried out within the framework of the establishment of a controller or processor registered outside the EU, if the processing activities are related to the provision of goods or services to an individual in Slovenia, regardless of whether payment is required for them, or if this is related to the monitoring of the performance or behaviour of individuals, if this takes place in Slovenia.
4. What acts and operations relating to personal data are regulated?
The regulated acts and operations in relation to personal data cover a wide range of actions, such as: collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making accessible, aligning or combining, restricting, erasing or destroying personal data.
5. What personal data does the law regulate?
The law regulates “personal data”, i.e., any information relating to an identified or identifiable (living) individual (exceptionally also deceased individuals: Article 9 ZVOP-2). An identifiable individual is one who can be identified directly or indirectly, in particular by reference to an identifier, that is, pieces of information which together can lead to the identification of a specific person, such as: name and surname, address of residence, some email addresses, identification numbers (personal identification number of a citizen, tax number, health insurance number, identity card number, registration number), location data, online identifiers (IP address, cookie identifier), the advertising identifier on mobile phones, information held by a hospital or doctor that could uniquely identify a person, a case number or service number if it can be linked back to other identifiers (name and surname, home address), or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. Data that is not considered personal data includes: a company registration number, a general (non-personal) email address, and anonymised data (personal data anonymised in such a way that the individual is not, or can no longer be, identified).
Pseudonymisation is the processing of personal data in such a way that the personal data, without additional information, can no longer be attributed to a specific individual to whom the personal data relates, provided that any additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to a specific or identifiable individual.
6. Are any types of personal data subject to a higher level of protection under the law?
The GDPR determines that the processing of specific categories of personal data is prohibited (with exceptions listed below). These types of personal data are data revealing racial or ethnic origin, political opinion, religious or philosophical belief or trade union membership, genetic data and biometric data for purposes of identification of an individual, data related to health or data related to an individual’s sex life or sexual orientation.
ZVOP-2 sets stricter rules for the protection of certain types — these categories of personal data are data relating to race, religion and nationality, biometric data and genetic data, personal data relating to criminal convictions and offences, and personal data relating to deceased persons.
7. What requirements must be fulfilled in order to process personal data?
The processing of personal data is lawful only if, and to the extent that, at least one of the following conditions is met:
- consent to the processing of personal data: the individual to whom the personal data relates has consented to the processing of their personal data for one or more specified purposes;
- contractual processing: processing is necessary for the implementation of a contract to which the data subject is a contractual party; or for the implementation of measures at the request of such an individual prior to the conclusion of the contract;
- legal obligation: processing is necessary to fulfil a legal obligation applicable to the controller;
- vital interests: processing is necessary in order to protect the vital interests of the data subject or another natural person;
- performance of a public task: processing is necessary for the implementation of a task carried out in the public interest or in the exercise of public authority assigned to the controller (applies only to the public sector); and
- legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual to whom the personal data relates, which require the protection of personal data, in particular where that individual is a child (applies only to the private sector).
In addition to the above conditions, the processing of special categories of data must meet further conditions set out in the GDPR, such as: explicit consent (if necessary for the purposes of employment, social law and collective agreement), to protect vital interests of physically/legally incapacitated individuals, where personal data was made public by the individual, for the purposes of legal claims and courts’ needs, for public interest based on the EU or Member State law, for preventative/occupational medicine, for public interest in the area of public health, or for public interest in archiving, scientific, historical and statistical purposes.
ZVOP-2 imposes additional limitations for processing genetic data, biometric data, and data on ethnicity and race. The Patients’ Rights Act determines additional limitations for processing health data.
As regards consent to the processing of personal data, it must be given prior to the processing. Consent is valid if it is freely given, specific, informed and unambiguous. Consent must be given for a specific purpose or for one or more specific purposes. It must be obtained in a way that separates the information about the purpose of the processing from other information in the consent itself, so that the individual retains control over the processing of their personal data. The individual must be informed in clear and plain language about the content of the consent, the purpose of the processing and their rights, in particular the right to withdraw consent. Consent must be given unambiguously, in writing, by electronic means or by a clear affirmative action of the individual. It can also be given verbally, but in that case the consent itself must be recorded.
The GDPR and ZVOP-2 stipulate that a state authority may process personal data on the basis of consent only and exclusively if such a possibility is provided for by law; otherwise, a state authority may rely on consent only where the processing does not take place in the exercise of the legal powers, duties or official obligations of the public sector.
8. What obligations apply when processing personal data?
Fundamental obligations of the controller and processor of personal data are: appointing an authorised person for data protection, adopting a personal data protection policy, implementing appropriate technical and organisational measures to ensure that processing is carried out in accordance with the GDPR and ZVOP-2, keeping records of personal data processing activities, informing individuals about the processing of their personal data in accordance with Articles 13 and 14 of the GDPR, carrying out data protection impact assessments, concluding contracts with contractual processors of personal data, co-operating with supervisory authorities and training employees. Additional obligations under ZVOP-2 are: keeping processing logs, additional protection requirements for special processing, prior notification of biometric measures to the supervisory authority, security procedures for setting up video surveillance, and retention periods for personal data.
9. What rights does the data subject have in relation to personal data?
The individual has the right to the protection of personal data. The fundamental principles of personal data protection are defined in Article 5 of the GDPR; moreover, data subjects have the following rights in relation to personal data:
- right of access;
- right to rectification;
- right to erasure;
- right to restriction of processing;
- right to data portability;
- right to object; and
- right not to be subject to automated decision-making, including profiling.
Under the Patients’ Rights Act, the data subject has, among other rights, the right to request access to their medical documentation, and under certain conditions they can also access the medical documentation of a deceased patient.
10. What rules regulate the sending of commercial or direct marketing communications?
One of the six legal bases in the GDPR is required for direct marketing by regular post. Any form of personal data processing (B2C or B2B) must follow data protection regulations.
In a B2B context, actively asking for consent before processing data is not required; direct marketing communications can be sent to business contacts on the basis of legitimate interest.
Article 21 of the GDPR determines that when personal data is processed for the purposes of direct marketing (in any form), and on the basis of the controller’s legitimate interests, the individual has the right to object at any time to the processing of personal data concerning them for the purposes of such marketing, including the creation of profiles, as far as associated with such direct marketing. The controller must explicitly warn the individual of the right to object at the latest at the time of the first communication with them, and must present this right clearly and separately from all other information.
In addition, there are differences between marketing by regular post and marketing through electronic communications (emails, phone calls, SMS messages), which is regulated by the Electronic Communications Act. Sending unsolicited messages by means of electronic communications is permitted only with the individual’s prior consent, or where the individual bought a product or service from the sender and in doing so entrusted them with their email address, in which case the marketing of similar products or services to that email address is permitted. Such processing is permitted only if the individual has a clear and explicit option to refuse this use of their contact information at any time and free of charge.
Furthermore, direct marketing via electronic communications is also regulated by the Consumer Protection Act (Official Gazette No. 130/22) and the Electronic Commerce Market Act (Official Gazette No. 96/09 and amend.).
11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?
Personal data of a controller or processor from Slovenia or another EU Member State may be transferred to third countries (countries outside the EU or the European Economic Area, which in addition to the EU Member States includes Iceland, Norway and Liechtenstein), or access to personal data may be provided to organisations, companies, individuals or other entities from third countries even if the data is stored within the EEA, under two conditions:
- fulfilment of one of the legal bases specified in Article 6 (legal basis for processing “ordinary” personal data) and Article 9 (legal basis for processing special categories of personal data) of the GDPR, and additionally, for the public sector, in Article 6 of ZVOP-2. Personal data may also be transferred under the conditions specified in Article 28 (processing of personal data on the basis of a contract) of the GDPR;
- if the previous condition is met, the transfer of personal data is authorised:
  - if the European Commission has adopted a decision that the country, territory, specific sector of the country or international organisation to which personal data is transferred ensures an adequate level of personal data protection;
  - if the data exporter provides appropriate safeguards in accordance with Article 46 of the GDPR and provides individuals with enforceable rights and effective legal remedies (binding corporate rules, standard contractual clauses, etc.); or
  - in special cases, precisely defined in Articles 48 and 49 of the GDPR, where derogations are possible, such as: explicit consent of the individual, performance of a contract with the individual or pre-contractual measures, the necessity of the transfer for the conclusion or performance of a contract concluded in the interest of the individual, important reasons of public interest, the establishment, exercise or defence of legal claims, protection of the vital interests of individuals where the individual is unable to give consent, and a transfer from a register which, under EU law or the law of a Member State, is intended to provide information to the public.
If the transfer of personal data is not possible under the previous conditions but is necessary, it may still be carried out if all of the following conditions are fulfilled: the transfer is not repetitive, concerns only a limited number of individuals, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the individuals, and the controller has assessed all the circumstances surrounding the transfer in advance and, on the basis of that assessment, provided suitable safeguards for the protection of personal data and informed the individuals about the transfer. Notification of the supervisory authority and of the data subject is required.
Article 48 of the GDPR states that judgments of a court and decisions of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if they are based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU or a Member State, without prejudice to other grounds for transfer under Chapter V of the GDPR.
ZVOP-2 covers transfers relating to a very narrow set of processing operations, namely only those carried out in areas outside the jurisdiction of EU law, i.e., areas that fall completely or partially under the independent jurisdiction of the Republic of Slovenia, such as national security and national defence, and the processing of data on deceased persons.
12. What are the investigatory and enforcement powers of the regulator?
The Information Commissioner, as the supervisory authority:
- supervises the implementation of the provisions of ZVOP-2, the GDPR and other personal data protection regulations;
- decides in the appeals procedure, decides in the application procedures of applicants with a special status and carries out inspections according to ZVOP-2;
- orders the supervisory measures referred to in Article 29 of ZVOP-2 and in ZVOPOKD, implements preventive measures and issues warnings in accordance with the law governing inspection control;
- files criminal complaints or carries out minor offence procedures;
- audits administrative procedures for issuing declaratory decisions on whether the intended implementation of biometric measures in the private sector is in accordance with the provisions of ZVOP-2;
- informs the competent court about violations of the law, and provides the court with an opinion on the violations found in court proceedings;
- decides on an individual’s complaint against controllers of personal data; and
- performs the other tasks set out in Article 57 and exercises the powers set out in Article 58 of the GDPR.
13. What are the sanctions and remedies for non-compliance with data protection laws?
Under the GDPR, a fine of up to EUR 20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year — whichever is higher — applies for infringements of the basic principles of data processing, data subjects’ rights, international data transfer rules, obligations imposed by Member State law and certain orders of the supervisory authority.
A fine of up to EUR 10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year — whichever is higher — applies for infringements of the obligations of controllers and processors, of certification bodies and of the monitoring body.
Fines can be imposed in combination with other sanctions.
ZVOP-2 also prescribes sanctions for violations of the GDPR committed by responsible persons or individuals, as well as other sanctions that can be imposed by the Information Commissioner.
GDPR violations can also give rise to compensation claims under Article 82 of the GDPR.
Misuse of personal data is also a criminal offence, punishable by a fine or imprisonment of up to five years.