The new Personal Data Protection Act adopted on time?
The proposal of the Personal Data Protection Act (ZVOP-2) provides temporary adjustment period allowing controllers and processors to introduce the novelties in additional transitional period of one year in relation to the use of consent, six months in relation to the data processing, nine months in relation to the appointment of the DPO etc. The point of these periods is that the controllers and processors who will demonstrate that they started adopting appropriate adjustment measures will not be subjected to sanctions for misdemeanour, which can, in the worst-case scenario, amount to 20 million euros or 4% of the total global turnover in the previous calendar year.
As the members of the Council of the President of the National Assembly did not approve the urgent procedure for the adoption of the Personal Data Protection Act (ZVOP-2), the General Data Protection Regulation (GDPR) will become directly applicable on 25 May 2018. In several places, the GDPR allows Member States to regulate the matters differently or in more detail and therefore it is necessary for the new Personal Data Protection Act (ZVOP-2) to be adopted as soon as possible, because it will contain additional sector-specific provisions (for example, video surveillance, biometrics, direct marketing), regulate specific procedural aspects (for example, minimum age of children to give consent), define the relation to other areas and rights (for example access to public information) and transpose Directive (EU) 2016/680 for police and justice sector into Slovenian law. New act is also necessary to provide legal certainty because the currently applicable Personal Data Protection Act (ZVOP-1) is out of date and in some places even contrary to the GDPR provisions.
The fact that the Personal Data Protection Act (ZVOP-2) has not yet been adopted will continue to cause inconveniences for the controllers and processors because they will be required to compare provisions of the GDPR and the Personal Data Protection Act (ZVOP-2). Where those provisions are conflicting, we suggest taking into account the provisions that are more advantageous to the individual. There will also be financial implications of the failure to adopt Personal Data Protection Act (ZVOP-2) because the companies will have to comply their operations first with the provisions of the GDPR and then again with the provisions of the Personal Data Protection Act (ZVOP-2).
Otherwise, the Government presented the first draft of the Personal Data Protection Act (ZVOP-2) in October 2017, followed by two rounds of public debate, where several stakeholders commented the text (Information Commissioner submitted 30 pages of comments), particularly regarding the regulation of the direct marketing and data protection officers (DPO). Even though the proposal of the Personal Data Protection Act (ZVOP-2) takes into consideration quite a few comments given by the public, the Information Commissioner still believes that the act will require several amendments in the National Assembly. The proposal of the Personal Data Protection Act (ZVOP-2) was subject to other critiques as well because it regulates direct marketing in the same manner as Personal Data Protection Act (ZVOP-1) and requires, at the same time, respect of the principle of traceability.