New Personal Data Protection Act (ZVOP-2) adopted
On 27 December 2022, the new Personal Data Protection Act (“ZVOP-2”) was published in the Official Gazette of the Republic of Slovenia No. 163/2022 and entered into force on 26 January 2023.
Slovenia has thus adopted legislation transposing the General Data Protection Regulation (“the Regulation” or “GDPR”) into national law. Although the Regulation is generally directly applicable, some of its provisions are not. In penalising violators, there has so far been a legal vacuum in our legislation, as the supervisory authority had no legal basis for imposing the administrative fines provided for by the Regulation. In addition, the ZVOP-2 also systematically regulates other areas that are not covered by the Regulation or which the EU has left to Member States to regulate via national legislation (video surveillance, biometrics, etc.). With the entry into force of the ZVOP-2, the ZVOP-1, which is currently applicable in this part, will therefore cease to apply.
Below we summarise some of the key changes introduced by the law, to which controllers and (data) processors should pay particular attention.
1. High fines for violators
The major change introduced by ZVOP-2 is undoubtedly the introduction of a legal basis for imposing fines for misdemeanours committed by personal data controllers. ZVOP-2 penalty provisions provide that the infringements for which “administrative fines” are imposed under the provisions of the Regulation are to be treated as misdemeanours. In addition, they provide that the Information Commissioner is the offence authority, which also decides on misdemeanours under the specific part of the ZVOP-2 (e.g., offences relating to video surveillance, biometrics, etc.).
Fine amounts and ranges reflect those set out in the Regulation. The Regulation provides for high fines for violators, up to EUR 20,000,000.00 or, in the case of a company, up to 4% of its total worldwide annual turnover. ZVOP-2 provides for a method of calculating fines for infringements of the provisions of the Regulation (depending on the specific circumstances, the principle of proportionality, whether there was an intention to benefit or harm data subjects, etc.). It also provides for fines for the responsible persons of the violator – legal persons, sole traders, or independent business individuals.
2. New obligations for controllers and processors
To ensure that the processing of personal data is compliant (lawfulness, fairness, proportionality), ZVOP-2 obliges controllers and processors, in addition to carrying out impact assessments, to apply a measure for internal traceability of the transmission of personal data (certain controllers and processors are required to keep processing logs) and a measure for external traceability of the processing of personal data.
3. Special status reportee
A data subject who considers that his or her personal data protection rights have been infringed now also has the possibility to file a direct request with the Information Commissioner (a report) and to be the reportee in this procedure (special status reportee). In this case, the reportee acts as a party to the proceedings in which the provisions of the General Administrative Procedure Act (“ZUP”) apply subsidiarily. The reportee has the right to be informed by the supervisory authority of the essential facts of the proceedings and the state of the case, and to be heard on the findings before a decision is issued.
4. Independent judicial protection
Another key change for individuals who consider that their personal data have been processed in contravention of the law is the possibility of an independent judicial remedy. An individual may bring an independent action (without prior recourse to other legal remedies) before the Administrative Court of the Republic of Slovenia regarding the processing of personal data by the controller. This may be brought in respect of current or past infringements of his or her data protection rights. By bringing an action against the controller, the individual may seek cessation of the infringement, restoration of the lawful situation and also damages. If the infringement has already ceased, the claimant may also raise a declaratory claim, i.e., to ask the court to find that an infringement has occurred. To protect data privacy or an individual’s dignity, the public is excluded from the proceedings before the court.
5. Revised provisions on video surveillance
The content of the notice on the introduction of video surveillance has been revised. It will now also have to contain the information required by Article 13 of the Regulation. However, it is sufficient to include a web link or QR code with a link to the notification. ZVOP-2 also introduces a new provision on video surveillance in public areas, where video surveillance is allowed in specifically justified cases (serious and justified danger to life, personal liberty, body or health of persons, security of property, etc.). In this case, the recordings may be kept for six months from the date of their creation (for other forms of video surveillance, the retention period is one year). Under ZVOP-2, the use of Automatic Number Plate Recognition (ANPR) systems is not allowed in public areas.
For more detailed information on the new ZVOP-2 and the new obligations it imposes, please contact us.
Author: Tina Mihalič, Senior Associate