A new law on personal data protection is in the pipeline

29 December 2021

On International Anti-Corruption Day (9 December) it was clear that the Republic of Slovenia would miss the 17 December deadline to pass a law transposing the provisions of the EU Whistleblower Directive, a topic touched on in one of our previous articles (https://www.fpjr.si/en/publications/2021/10/616-The-Whistleblower-Directive#middle).

Similarly, in the area of personal data protection, Slovenia remains the only EU Member State yet to adequately regulate or adapt its legislation to the General Data Protection Regulation (“GDPR”). Although GDPR entered into force on 25 May 2018 and has been directly applicable since then, every Member State is required to adopt adequate national legislation to regulate, in line with GDPR, areas which are regulated at national level, and, inter alia, to lay down the relevant procedural provisions. The latest draft of the Personal Data Protection Bill (“ZVOP-2”) was published in the spring of this year, and has been subject to inter-ministerial coordination since August.
The majority of businesses subject to GDPR have already aligned their operations with the current GDPR, with the new law unlikely to see them subject to additional obligations. However, it is imperative the new national law finally resolve the dilemma of sanctioning personal data breaches, including the imposition of so-called administrative fines. The long-running dilemma of sanctioning infringements was answered in part this year by the Supreme Court of the Republic of Slovenia and the High Court in Ljubljana, which upheld the Information Commissioner’s view that he may still sanction personal data protection infringements, which are defined as offences in the (currently applicable) Personal Data Protection Act (“ZVOP-1”), even after the GDPR came into force. This applies both to infringements that occurred before the GDPR entered into force and to those that occurred after. The Supreme Court ruling centred on the relatively free hand that GDPR gives to Member States to legislate how infringements are to be sanctioned and that, therefore, administrative fines, which are provided for in Article 83 thereof, are not the only possible sanction for a breach of personal data protection.
In addition to streamlining infringement sanctions, ZVOP-2 is also set to introduce some other changes. Among others, it sets the age of consent to the processing of personal data at 15 years of age, regulates the delicate relationship between the protection of personal data and the freedom of expression and access to information, regulates activities related to video surveillance, biometrics and the processing of deceased persons’ personal data, sets the requirements to be met by data protection officers and regulates certain other procedural activities (e.g. prescribing the content of the request for the provision of personal data). 
As the draft ZVOP-2 is still the subject of inter-ministerial coordination, it is difficult to predict when it will actually be adopted or to what extent the final draft might deviate from its current form. Nevertheless, the above should serve as a clear signal to all those who are dragging their feet or haphazardly regulating the protection of personal data to prepare an internal review of their existing regulation and situation, and to ensure that the measures and activities taken continue to comply with the applicable standards and the evolution of both technology and the legal framework, even almost four years after the GDPR became directly applicable.
Author: Eva Možina, Attorney-at-Law