Skip to main content
News

GDPR topics still relevant after 25 May 2018

14. June, 2018No Comments

GDPR topics still relevant after 25 May 2018

Regardless of the fact that 25 May 2018 is already behind us and that the General Data Protection Regulation (GDPR) started to apply, the process of complying with the new rules has just begun; it will be a process that the companies will have to deal with on a daily basis. Controllers and processors on the market are checking each other out in order to implement best practices, Information Commissioner of the Republic of Slovenia (IPRS) is publishing explanations, guidelines and instructions on its website and at the end of May the Ministry of Justice issued first systemic explanations at the beginning of application of the GDPR.

The time will show how the rules and provisions of the GDPR will be put into practice. Let us provide an answer here to two topical issues:
1. Is it necessary to respect the provisions of the Personal Data Protection Act (ZVOP 1)?
The GDPR provisions alone are not enough. It is clear from the (not binding) systemic explanations of the Ministry of Justice  that only those provisions of the existing Personal Data Protection Act (ZVOP-1) that differ from the GDPR provisions cease to apply on 25 May 2018. In particular, what remains in force is sector-specific provisions in the Personal Data Protection Act (ZVOP-1), such as provisions regarding video surveillance, biometrics, direct marketing, and provisions relating to those areas, which are not regulated by the GDPR or which the Member States may regulate differently (e.g. Article 14 – protection of the sensitive personal data, Article 17 – data processing for the historical, statistical and scientific and research purposes, second paragraph of Article 18 – inspection of the personal document, Article 24 – additional measures for personal data protection). 
Until the new Personal Data Protection Act (ZVOP-2) enters into force there will be two regimes in Slovenia, reducing without doubt legal certainty and predictability.
2. Is it true that we cannot be fined pursuant to the GDPR after 25 May 2018?
Very severe sanctions for the violations of the GDPR provisions are definitely one of the main reasons why the GDPR is still such a “hot” topic. Companies face fines of up to EUR 20 million or up to 4% of the total global annual turnover in the previous financial year, whichever is higher.
According to both, the IPRS and the Ministry of Justice, the GDPR refers to administrative fines, which are not known in our legal order (it defines fines for misdemeanour). This means that, according to the current position, the IPRS cannot, until the Personal Data Protection Act (ZVOP-2) is adopted, impose neither fines nor other sanctions for the infringement of the GDPR provisions but may impose sanctions in relation to the still applicable provisions of the Personal Data Protection Act (ZVOP-1).
The Ministry of Justice surprisingly adds that the infringements of the GDPR committed between 25 May and until the competence for misdemeanours of the IPRS concerning these provisions is laid down in the Personal Data Protection Act (ZVOP-2) will continue to be punishable (from the substantive point of view). It will be up to the courts to decide whether it will also be possible to punish infringers (after the adoption of the Personal Data Protection Act (ZVOP-2)) for the infringements of the GDPR after 25 May 2018.
However, it must be noted that in addition to the sanctions (fines) the GDPR also provides liability of companies for damage, which is not dependent upon the (non)adoption of the Personal Data Protection Act (ZVOP-2). In case of violation of individual’s rights, the companies may be held liable directly on the basis of the GDPR.