Slovenian Personal Data Protection Act
Personal Data Protection Act (ZVOP-2)
Zakon o varstvu osebnih podatkov (ZVOP-2)
Slovenia
RET-SI-NA-ZVOP200-2022
The Zakon o varstvu osebnih podatkov (ZVOP-2) is Slovenia's national law implementing and supplementing the EU General Data Protection Regulation (GDPR). Adopted in December 2022 and in force since January 26, 2023, it replaces ZVOP-1 and adds national rules in the areas the GDPR leaves to Member States, including special categories of data, video surveillance, biometrics and the data of deceased persons. It also gives the Information Commissioner the legal basis to impose the administrative fines foreseen by the GDPR, closing an enforcement gap that had existed in Slovenia since May 2018.
Overview
The Zakon o varstvu osebnih podatkov (ZVOP-2), the Personal Data Protection Act, is Slovenia's national legislation implementing and supplementing Regulation (EU) 2016/679 (GDPR). It was published in the Official Gazette of the Republic of Slovenia No. 163/2022 on December 27, 2022, and entered into force on January 26, 2023, replacing the previous act, ZVOP-1. ZVOP-2 legislates in the areas where the GDPR gives Member States room to do so: the processing of special categories of personal data (health, biometric and genetic data), video surveillance, the position of Data Protection Officers (DPOs), and the processing of data of deceased persons. Its most consequential change is a framework for administrative penalties, which ZVOP-1 did not provide; the Information Commissioner can now impose the fines foreseen by the GDPR.
The purpose of ZVOP-2 is to give effect to the constitutional right to personal data protection in Slovenia. It requires that any interference with an individual's privacy and informational autonomy be lawful, justified and proportionate, and it sets out the obligations, principles, rights, procedures and measures governing the processing of personal data in both the public and private sectors. At the same time it allows the free flow of personal data in accordance with the GDPR. For employers this means that employee data, including pay and benefits records, must be handled securely and in line with the stated legal requirements.
Slovenia was among the last EU Member States to adopt national GDPR implementing legislation. Between the GDPR's direct applicability in May 2018 and the entry into force of ZVOP-2, the Information Commissioner lacked a complete legal basis under national law to impose GDPR administrative fines, which weakened enforcement. ZVOP-2 closes that gap and adds national provisions on the data of deceased persons, on processing outside the scope of EU law, and on processing by Slovenian authorities in the security and defence sectors. The result is greater legal certainty for data subjects, controllers and processors, and compliance with Slovenia's obligations under the European data protection regime.
Definitions
ZVOP-2 relies on the GDPR's definitions. 'Personal data' is any information relating to an identified or identifiable living individual, whether on its own or in combination with other data: names, residential and email addresses, personal identification numbers, tax numbers, health insurance numbers, ID card numbers, vehicle registration numbers, location data, IP addresses and cookie identifiers are all examples. ZVOP-2 goes further than the GDPR in one respect: it extends protection, under specific conditions, to the personal data of deceased persons for a period of 20 years after death, unless another law provides a different period or purpose.
'Processing' is any operation or set of operations performed on personal data, whether or not by automated means: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction. Practically every interaction with personal data therefore falls within the act. A 'controller' is the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of processing; a 'processor' is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller and on its instructions.
Article 2 of ZVOP-2 prohibits processing of personal data that is carried out in a manner, or produces a result, that constitutes impermissible discrimination on grounds of nationality, race, skin colour, religion, ethnic origin, sex, language, political or other conviction, sexual orientation, gender identity, property status, place of birth, education, social status, disability, citizenship, place or type of residence, health status, genetic predisposition or any other personal circumstance. This matters in employment, where pay and other sensitive records are processed. The act also adopts the GDPR's 'special categories of personal data', which are subject to stricter conditions: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data used to uniquely identify a natural person, health data, and data concerning a person's sex life or sexual orientation.
Covered Employers
The scope of ZVOP-2 follows the GDPR. It applies to controllers and processors established in Slovenia, and, under the GDPR's territorial rules (Article 3), to entities outside the EU that offer goods or services to individuals in Slovenia or monitor their behaviour, regardless of where the processing itself takes place. Public and private sector organisations are covered alike. There is no general size threshold: every controller and processor, regardless of headcount or turnover, must observe the principles of lawfulness, fairness, transparency, data minimisation, accuracy, storage limitation, integrity and confidentiality. The one size-related relief comes from the GDPR itself: Article 30(5) exempts organisations with fewer than 250 employees from keeping a record of processing activities, but only where the processing is occasional, is unlikely to present a risk to data subjects and does not involve special categories or criminal-conviction data, which rarely holds for an employer.
Beyond the baseline, ZVOP-2 and the GDPR impose additional obligations where processing presents higher risk. Appointment of a Data Protection Officer (DPO) is mandatory for all public authorities and bodies (with narrow exceptions) and for any organisation whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or of data relating to criminal convictions. Employers with a large workforce, employers in regulated sectors such as banking, insurance or telecommunications, and employers that process health data for occupational health purposes will often meet these criteria and must then provide the DPO with the required expertise and independence.
ZVOP-2 does not define 'covered employers' by size; what matters is the nature, scale and context of the processing. Organisations that handle large volumes of customer or guest data, such as hotels or e-commerce platforms, are subject to the same obligations as any other controller. Exemptions are limited to specific contexts, such as processing for national security or defence purposes or for purely personal or household activities, and do not depend on the size of the organisation. The act's transitional provisions give a period of adaptation for some new obligations; in particular, existing information systems had two years from the act's entry into force to bring their processing logs into line with Article 22 of ZVOP-2.
Employee Rights
Employees, as data subjects, have under ZVOP-2 the rights established by the GDPR, which the act partly elaborates. The first is the right to be informed about the collection and use of their personal data: the purposes of processing, the legal basis, the categories of data concerned (identity, contact, financial, performance data) and the categories of recipients. Employers must provide this information in a concise, transparent, intelligible and easily accessible form, in clear and plain language. For employee records such as salary, benefits, performance evaluations and disciplinary files, clear information about how the data is handled is a precondition for lawful processing.
Employees also have the right of access: confirmation as to whether personal data concerning them is being processed and, if so, access to that data together with the purposes of processing, the categories of data, the recipients or categories of recipients, the envisaged storage period and information on their other rights. This lets an employee check that processing is lawful and that the data is accurate and complete. Employees further have the right to rectification of inaccurate data without undue delay, and the right to erasure (the 'right to be forgotten') where, for example, the data is no longer necessary for the purpose for which it was collected or consent has been withdrawn and no other legal basis applies. These rights keep pay, benefits and performance data accurate so that outdated or incorrect information does not affect an employee's position.
ZVOP-2 also reinforces the remaining data subject rights: the right to restriction of processing (for instance while the accuracy of the data is being verified); the right to data portability, that is, to receive personal data in a structured, commonly used and machine-readable format and to transmit it to another controller where processing is based on consent or a contract and carried out by automated means; and the right to object to processing, in particular to direct marketing or to processing based on legitimate interests where the employee's rights and freedoms override those interests. An employee who believes these rights have been infringed may file a request or a report with the Information Commissioner (Informacijski pooblaščenec, IPRS), the national Data Protection Authority. In addition, ZVOP-2 expressly allows an individual to seek judicial protection directly before the Administrative Court of the Republic of Slovenia, without first going through proceedings before the Information Commissioner. The two routes are independent of each other.
Pay Transparency Requirements
ZVOP-2 is a data protection act and does not itself mandate pay transparency: it does not require employers to publish salary ranges in job postings or to disclose pay scales. Its concern is how pay-related personal data is collected, processed, stored and protected. The GDPR principles it implements nonetheless shape how such data is handled. Processing of salary data needs a valid legal basis, typically the performance of the employment contract or compliance with a legal obligation such as tax or social security law; consent is a fallback only where no other basis applies and, in the employment relationship, is rarely considered freely given. Processing of pay data without a valid basis infringes ZVOP-2 and the GDPR.
The transparency principle requires employers to inform employees about the processing of their pay data: the purposes (payroll administration, benefits management, performance-based remuneration, internal auditing, compliance with equal pay legislation), the categories of data (base salary, bonuses, allowances, deductions), the recipients (HR, finance, external payroll providers, the tax authority, social security institutions) and the retention periods. Employees must also be told of their rights over this data, including access, rectification and objection. ZVOP-2 therefore does not compel the publication of pay scales, but it does guarantee each employee the right to know how their own pay data is handled and to obtain a copy of it.
The data minimisation principle limits employers to pay data that is adequate, relevant and necessary for the stated purposes, which rules out collecting financial information about employees that has no bearing on the employment relationship or a legal obligation. The security obligations require appropriate technical and organisational measures to protect pay data against unauthorised access, unlawful disclosure, accidental alteration or destruction, for instance encryption, access controls, pseudonymisation and regular security audits. ZVOP-2 does not itself regulate pay gap reporting or equal pay audits, but where such analyses are carried out, whether voluntarily or under another legal framework, the underlying individual data must be processed lawfully, fairly and securely. Reports built on aggregated or anonymised pay data must use aggregation that does not allow individuals to be re-identified, for example by avoiding small groups whose single members can be inferred.
Reporting & Audit Obligations
ZVOP-2 adds reporting and audit obligations for controllers and processors, in particular those handling large volumes of personal data or special categories of data. A notable novelty is the mandatory processing log under Article 22 (the 'traceability' requirement in earlier drafts). It applies to controllers and processors that process special categories of personal data on a large scale or carry out regular and systematic monitoring of individuals. The processing log is distinct from the GDPR Article 30 record of processing activities, which documents purposes, categories of data subjects and recipients, third-country transfers and erasure periods at the level of the processing operation. The Article 22 log instead records the individual operations performed in an automated system, so that it can later be established which personal data was accessed, disclosed, altered or erased, by whom, when, and, for disclosures, for what reason. It is the evidence base for internal accountability and for the Information Commissioner's inspections.
Processing log entries must be kept for two years from the end of the calendar year in which they were made. Where a Data Protection Impact Assessment (DPIA) or another risk analysis identifies a risk that can be managed only by keeping the log longer, the period may be extended to at most five years. Organisations had a transitional period until January 26, 2025, to bring existing systems into line with this requirement. A log that records who did what to which record, and when, allows data flows and their justifications to be reviewed after the fact, both by the organisation and by the supervisory authority.
In addition, ZVOP-2, in line with the GDPR, requires a Data Protection Impact Assessment (DPIA) for processing that is likely to result in a high risk to the rights and freedoms of natural persons. The act sets out in more detail when a DPIA is required and when an existing DPIA must be reviewed or updated. DPIAs identify and mitigate risks before new processing begins. The mandatory DPO for public authorities and for organisations engaged in large-scale or sensitive processing adds an internal audit and advisory function: the DPO advises on compliance, monitors adherence to the law and internal policies, and is the point of contact for the supervisory authority. The controller or processor must notify the DPO's contact details to the Information Commissioner within eight days of appointment and publish them so that data subjects and the authority can reach the DPO.
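The following is an added illustration, not text of ZVOP-2 or code from any official source, of what a processing log in the spirit of Article 22 has to be able to answer: which record was touched, by whom, when, how, and, for a disclosure, why. The act prescribes the questions, not a format; the field names, the SHA-256 hash chain that makes later edits of an entry detectable, the rule that a disclosure without a reason is rejected, and the retention helper (two years from the end of the calendar year, extendable to five on the basis of a documented risk analysis) are the author's own design choices. Actor identifiers, record identifiers and operations in the sample are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import date, datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64
ALLOWED_OPERATIONS = {"access", "disclosure", "modification", "erasure"}


@dataclass(frozen=True)
class LogEntry:
    seq: int
    ts: str                 # UTC ISO-8601 time of the operation
    actor: str              # identity of the user (assumed: a unique user id)
    operation: str          # one of ALLOWED_OPERATIONS
    record_id: str          # which data-subject record was touched
    fields: tuple           # which personal-data fields were involved
    reason: Optional[str]   # justification; required for disclosures
    prev_hash: str          # hash of the previous entry (chain link)
    entry_hash: str         # SHA-256 over this entry's content and prev_hash

    def content(self) -> dict:
        # everything except entry_hash, in a canonical form for hashing
        return {"seq": self.seq, "ts": self.ts, "actor": self.actor,
                "operation": self.operation, "record_id": self.record_id,
                "fields": list(self.fields), "reason": self.reason,
                "prev_hash": self.prev_hash}


def digest(content: dict) -> str:
    canonical = json.dumps(content, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ProcessingLog:
    """Append-only, hash-chained log of operations on personal data."""

    def __init__(self) -> None:
        self.entries: list[LogEntry] = []

    def record(self, actor, operation, record_id, fields, reason=None, ts=None) -> LogEntry:
        if operation not in ALLOWED_OPERATIONS:
            raise ValueError(f"unknown operation {operation!r}")
        if operation == "disclosure" and not reason:
            raise ValueError("a disclosure must carry a documented reason")
        ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        draft = LogEntry(len(self.entries), ts, actor, operation, record_id,
                         tuple(fields), reason, prev_hash, entry_hash="")
        entry = replace(draft, entry_hash=digest(draft.content()))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        # recompute every hash and check each link points at its predecessor
        expected_prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != expected_prev or digest(e.content()) != e.entry_hash:
                return False
            expected_prev = e.entry_hash
        return True

    def operations_on(self, record_id: str) -> list:
        # the question an inspector asks: who did what to this record, and when
        return [(e.ts, e.actor, e.operation) for e in self.entries if e.record_id == record_id]


def retention_deadline(op_day: date, years: int = 2) -> date:
    # default: two years from the end of the calendar year in which the entry was made;
    # a DPIA or risk analysis may justify a longer period, but never more than five years
    if not 2 <= years <= 5:
        raise ValueError("retention must be between 2 and 5 years")
    return date(op_day.year + years, 12, 31)


def demo() -> dict:
    # constructed sample operations, not real data
    log = ProcessingLog()
    log.record("hr.user42", "access", "emp-0017", ["salary", "sick_leave"],
               ts="2024-03-10T09:15:00+00:00")
    log.record("payroll.svc", "disclosure", "emp-0017", ["salary"],
               reason="monthly return to the tax authority", ts="2024-03-31T02:00:00+00:00")
    try:
        log.record("hr.user42", "disclosure", "emp-0017", ["salary"])
        undocumented_rejected = False
    except ValueError:
        undocumented_rejected = True
    # simulate an after-the-fact edit of the actor on the first entry
    tampered = ProcessingLog()
    tampered.entries = [replace(log.entries[0], actor="someone.else"), log.entries[1]]
    return {"intact": log.verify(),
            "tamper_detected": not tampered.verify(),
            "undocumented_disclosure_rejected": undocumented_rejected,
            "trail": log.operations_on("emp-0017"),
            "deadline": retention_deadline(date(2024, 3, 10)).isoformat(),
            "deadline_extended": retention_deadline(date(2024, 3, 10), years=5).isoformat()}


if __name__ == "__main__":
    print(demo())
```

The hash chain does not by itself stop an administrator with write access from rewriting the whole log; it only makes any edit visible to a verifier that holds an earlier chain head, so the head should be copied periodically to a store that the application's own service account cannot write.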
Governance & Enforcement Bodies
The governance and enforcement body for ZVOP-2 and the GDPR in Slovenia is the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec, IPRS). The IPRS is the national Data Protection Authority: it oversees the application of data protection law, investigates complaints from data subjects, conducts inspections, issues guidance and opinions to individuals and organisations, and imposes sanctions for infringements. It is an independent public authority, which protects its impartiality, and it is also the authority for the constitutional right of access to public information.
ZVOP-2 confers on the IPRS the power to issue administrative fines for offences in the field of personal data protection. Before ZVOP-2, the IPRS lacked a specific basis in national law to impose the administrative fines foreseen by the GDPR, which left enforcement largely without teeth. ZVOP-2 designates the Information Commissioner as the offence authority for misdemeanours under both the GDPR and the national provisions of ZVOP-2, such as those on video surveillance, biometric processing and the data of deceased persons. This brings Slovenia's enforcement capability into line with other Member States.
An individual who believes their data protection rights have been violated may file a request or a report with the Information Commissioner. The IPRS then conducts administrative proceedings in which the complainant has the status of a party; the General Administrative Procedure Act (ZUP) applies subsidiarily. Separately, ZVOP-2 gives data subjects the right to seek judicial protection directly before the Administrative Court of the Republic of Slovenia, without first exhausting proceedings before the Information Commissioner. Administrative and judicial oversight thus run in parallel, and a complainant may choose either route.
Monitoring & Evaluation
Compliance with ZVOP-2 and the GDPR is monitored both internally, within organisations, and externally, by the Information Commissioner (IPRS). Internally, the DPO, where one is mandatory, is the centre of the monitoring function: the DPO advises the organisation on its obligations, monitors adherence to the law and internal policies, trains staff, assists with Data Protection Impact Assessments (DPIAs) and acts as the contact point for the IPRS and for data subjects. To be effective, the DPO must act independently, have appropriate expertise in data protection law and practice, and receive the support and resources of senior management.
The mandatory processing log under ZVOP-2 supports both internal monitoring and external evaluation. Because it records the individual operations performed on personal data, it lets an organisation trace and review what was done with a record and demonstrate compliance, and it gives the IPRS a verifiable record during inspections. The IPRS inspects either on its own initiative, based on its risk assessment, or in response to complaints. During an inspection it examines whether controllers and processors comply with the principles and specific provisions of ZVOP-2 and the GDPR, reviewing their policies, procedures and technical and organisational measures.
When a complaint is filed, the Commissioner investigates the alleged infringement under the procedural rules of the General Administrative Procedure Act (ZUP), gathering evidence, hearing the complainant, the controller and the processor, and issuing a reasoned decision. Beyond individual cases, the IPRS publishes guidance, opinions and recommendations that clarify how the law is to be interpreted and promote good practice across sectors. The act's transitional provisions, such as the two-year period that ran until January 26, 2025, for bringing processing logs into line with Article 22, reflect a phased approach to introducing new obligations while existing ones remain enforceable.
Enforcement & Penalties
ZVOP-2 has fundamentally transformed and strengthened the enforcement regime for personal data protection in Slovenia by providing a clear and explicit legal basis for imposing administrative fines, bringing national law into full alignment with the penalty framework established by the GDPR. This step was essential: the preceding ZVOP-1 lacked the specific legal authority that would have allowed the Information Commissioner (IPRS) to levy the substantial fines stipulated by the GDPR, which created a legal vacuum and limited the effectiveness of enforcement. With the enactment of ZVOP-2, the IPRS is unequivocally designated as the competent offence authority, empowered to decide on misdemeanours relating both to direct GDPR infringements and to violations of specific ZVOP-2 provisions, such as those on video surveillance, biometric data processing, or the processing of personal data of deceased individuals. This empowerment allows the IPRS to enforce the law effectively and deter non-compliance, aligning Slovenia with the enforcement capabilities of other EU Member States.
The penalties for infringements under ZVOP-2 and the GDPR are substantial, reflecting the severe impact that data protection violations can have on individuals' rights and freedoms. For the most serious breaches of core data protection principles or data subject rights, fines can reach up to EUR 20,000,000 or, in the case of an undertaking (a business or enterprise), up to 4% of its total worldwide annual turnover of the preceding financial year, whichever amount is higher. This dual threshold ensures that penalties are both significant and proportionate to the economic capacity of the infringing entity. ZVOP-2 also sets out a methodology for calculating these fines, requiring the IPRS to take into account the specific circumstances of the infringement: its nature, gravity, and duration; its intentional or negligent character; any actions taken to mitigate damage; the categories of personal data affected; and whether there was an intention to benefit from the infringement or to cause harm to data subjects. Importantly, the act also provides for fines against the responsible persons within legal entities, sole traders, or independent business individuals, adding a layer of individual accountability to corporate liability.
The enforcement process typically begins either with a formal complaint filed by an affected data subject or with an investigation the IPRS initiates on its own initiative, based on its own intelligence or risk assessments. If the investigation identifies and confirms an infringement, the IPRS issues a formal decision, which may include orders for corrective action, mandates to comply with specific provisions, and the imposition of administrative fines. Data subjects whose rights have been violated also retain the option of seeking judicial protection before the Administrative Court of the Republic of Slovenia, an independent avenue both for appealing IPRS decisions and for direct legal action against controllers or processors. This dual system of administrative and judicial remedies gives individuals several avenues for redress and compensation for damages, and ensures that data protection law is rigorously enforced across Slovenia's public and private sectors.
Relationship to Other Laws
ZVOP-2 operates within a complex and interconnected legal ecosystem, primarily serving as the national implementing legislation for the General Data Protection Regulation (GDPR) in Slovenia. While the GDPR is directly applicable across all Member States of the European Union, it explicitly grants Member States the discretion to specify or derogate from some of its provisions at a national level, allowing for adaptation to local legal traditions and administrative structures. ZVOP-2 meticulously fills these gaps, regulating substantive and procedural aspects that the GDPR leaves to national law. This includes, but is not limited to, specific national rules for video surveillance in various contexts, the processing of biometric data, genetic data, and the nuanced conditions for the processing of personal data of deceased individuals. Consequently, ZVOP-2 and GDPR are not standalone acts but are to be read and interpreted in conjunction, with ZVOP-2 providing the essential national specificities within the broader, overarching EU data protection framework, ensuring a coherent and comprehensive legal landscape.
Beyond its foundational relationship with the GDPR, ZVOP-2 interacts significantly with several other key Slovenian laws, forming a layered regulatory structure. Notably, it is closely linked to the Zakon o informacijski varnosti (ZInfV-1), or the Information Security Act. ZVOP-2 specifies detailed data security requirements, particularly in the area of 'special processing' for risky information systems that handle large amounts of sensitive data. These requirements often explicitly refer to compliance with ZInfV-1 provisions concerning security requirements and incident notification protocols, including the mandatory preparation of Information Security Management System (ISMS) and Business Continuity Management System (BCMS) documentation. This interlinkage ensures a holistic approach to data protection, seamlessly integrating data privacy considerations with broader cybersecurity measures, recognizing that data security is a prerequisite for data privacy. This prevents fragmentation and ensures that organizations adopt comprehensive strategies to protect personal data from both privacy and security threats.
Furthermore, ZVOP-2 acknowledges and respects lex specialis legislation, that is, specific laws that take precedence over general laws within their particular domain. A prime example is the Zakon o varstvu osebnih podatkov na področju obravnavanja kaznivih dejanj (ZVOPOKD), which specifically governs the protection of personal data in the area of criminal offences and related judicial proceedings. In such cases, the provisions of ZVOP-2 do not apply to questions that ZVOPOKD specifically and comprehensively regulates, so that the appropriate legal framework governs these highly sensitive areas. The act also interacts extensively, if implicitly, with general employment law, since it governs the processing of all employee data, including sensitive information relevant to employment contracts, payroll administration, performance management, and employee benefits. While ZVOP-2 does not directly address mandates for pay equity or pay gap reporting, it sets the overarching rules for how any data used in pay equity analyses or reporting must be handled, requiring legality, transparency, data minimisation, and strict adherence to data subject rights. Even where other laws require data processing for specific purposes, the fundamental data protection principles of ZVOP-2 must therefore still be observed.
International Context
Slovenia's ZVOP-2 is a direct and necessary legislative response to, and comprehensive implementation of, the European Union's General Data Protection Regulation (GDPR). The GDPR, which became directly applicable across all EU Member States on May 25, 2018, has unequivocally set a global benchmark for stringent data protection standards. As a sovereign Member State of the EU, Slovenia is legally bound by the GDPR, and ZVOP-2 serves to complement this regulation by exercising the discretion explicitly afforded to Member States. This discretion allows national legislatures to elaborate on or derogate from certain GDPR provisions, thereby tailoring the broader EU framework to the specific national legal, administrative, and cultural context. This includes crucial areas such as the detailed processing of special categories of data, specific rules for video surveillance, and defining the precise powers and operational scope of the national supervisory authority, the Information Commissioner. Consequently, ZVOP-2, by aligning with the GDPR, inherently adheres to these high international standards for personal data protection, contributing to a harmonized data protection landscape across the European Economic Area.
The GDPR itself represents a major evolution in international data protection law, building on the foundational principles of earlier instruments such as the EU Data Protection Directive 95/46/EC. Its influence extends well beyond the borders of the EU, inspiring similar legislative developments and reforms in numerous countries seeking to strengthen their own data privacy frameworks. ZVOP-2, through its deep integration with the GDPR, embraces and upholds these widely recognised international standards for personal data protection. These include the core principles of data minimisation (collecting only necessary data), purpose limitation (using data only for specified purposes), accuracy (keeping data correct and up to date), storage limitation (retaining data only as long as needed), integrity and confidentiality (protecting data from unauthorised access or loss), and accountability (demonstrating compliance). These principles are widely acknowledged as best practice in data governance and are foundational to modern privacy regimes. The act's provisions on cross-border data transfers, for instance, are directly informed by the GDPR's requirements for ensuring an adequate level of protection when personal data is transferred outside the European Economic Area, so that data remains safeguarded even when it leaves EU jurisdiction.
Furthermore, ZVOP-2's strong emphasis on individual rights, such as the right to access, rectification, erasure, and objection, reflects and reinforces the broader international human rights framework. This framework includes foundational documents like the Universal Declaration of Human Rights (Article 12) and the European Convention on Human Rights (Article 8), both of which explicitly recognize and protect the fundamental right to privacy. While ZVOP-2 does not directly reference specific International Labour Organization (ILO) Conventions, the robust principles of data protection it enshrines are indirectly highly relevant to the protection of workers' data, which is a significant concern for international bodies like the ILO. For example, ILO Convention 100 (Equal Remuneration) and Convention 111 (Discrimination in Employment and Occupation) advocate for fair treatment, non-discrimination, and equal opportunities in the workplace. In a modern context, these principles extend to how personal data, including sensitive pay-related information, is processed and used by employers. ZVOP-2's explicit prohibition of discrimination in data processing, as outlined in Article 2, directly supports the broader goals of these international labor standards by ensuring that data handling practices do not perpetuate or enable discriminatory outcomes in employment, thereby contributing to a more equitable and just working environment.
Implementation Timeline
| Date | Milestone | Status |
|---|---|---|
| 2022-12-27 | ZVOP-2 published in the Official Gazette of the Republic of Slovenia No. 163/2022 | Adopted |
| 2023-01-26 | ZVOP-2 enters into force and begins to apply, replacing ZVOP-1 | In Force |
| 2023-04-26 | Minister responsible for Justice, in agreement with Minister responsible for Health, to adopt rules on charging (Article 17(5)) | Completed |
| 2023-07-26 | Video surveillance in public passenger transport to be brought into line with Article 79 of ZVOP-2 | Completed |
| 2024-01-01 | Slovenian Accreditation to start accreditation procedures | In Force |
| 2025-01-26 | Deadline for companies to fully align with mandatory processing log requirements (Article 22) | Awaiting Entry |
| 2026-01-26 | Specific measures for security of personal data in special processing (Article 23) to be put in place | Awaiting Entry |
| By 2026 | Full enforcement expected for certain transitional provisions | Awaiting Entry |
Compliance Checklist
| Requirement | Action Required | Deadline |
|---|---|---|
| Understand ZVOP-2 and GDPR principles | Thoroughly review the full text of ZVOP-2 and GDPR; actively consult official guidance from the Information Commissioner (IPRS) and relevant EU bodies. | Ongoing |
| Identify legal basis for data processing | Ensure that all personal data processing activities, especially those involving employee data (including pay, performance, and health information), have a valid legal basis (e.g., necessity for contract performance, compliance with a legal obligation, legitimate interest, or explicit consent). | Ongoing |
| Update privacy notices and policies | Revise and update all internal and external privacy notices, policies, and employee handbooks to clearly, transparently, and accessibly inform data subjects (employees, customers, etc.) about data processing activities. | Ongoing |
| Implement data subject rights procedures | Establish and document clear, efficient, and accessible procedures for handling requests from employees and other data subjects regarding their rights (access, rectification, erasure, restriction, portability, objection). | Ongoing |
| Appoint a Data Protection Officer (DPO) | Assess whether your organization meets the criteria for mandatory DPO appointment (e.g., public authority, large-scale processing of sensitive data, systematic monitoring). If required, appoint a DPO with appropriate expertise. | As applicable; once appointed, register the DPO with the IPRS within 8 days |
| Register DPO with IPRS | If a DPO is appointed, ensure their contact information is formally registered with the Information Commissioner and made publicly available. | Within 8 days of appointment |
| Maintain records of processing activities | Keep detailed and up-to-date records of all personal data processing activities, including purposes, categories of data subjects and personal data, categories of recipients, transfers to third countries, and retention periods. | Ongoing; align with Article 22 by January 26, 2025 |
| Conduct Data Protection Impact Assessments (DPIAs) | Perform DPIAs for all new or existing processing activities that are likely to result in a high risk to individuals' rights and freedoms, and review them periodically. | Before commencing high-risk processing |
| Implement data security measures | Ensure appropriate technical and organizational measures are in place to protect personal data from unauthorized access, loss, destruction, or alteration, especially for special categories of data. This includes encryption, access controls, and regular security audits. | Ongoing; specific measures for special processing by January 26, 2026 |
| Manage cross-border data transfers | Verify the legal basis and implement appropriate safeguards (e.g., Standard Contractual Clauses, adequacy decisions) for any transfer of personal data outside the EU/EEA. | Ongoing |
| Review video surveillance practices | Ensure all video surveillance systems and practices comply with ZVOP-2 and GDPR requirements, including clear notices, purpose limitation, and appropriate retention periods. | Align with Article 79 by July 26, 2023 |
| Establish data breach notification procedures | Develop and implement robust procedures to detect, manage, report, and investigate personal data breaches to the IPRS and affected data subjects, where required, within the stipulated timelines. | Ongoing |
© RewardsET.com / Smitteck GmbH — created on 22-Jan-2026 using Gemini 2.5 Flash