Better Late Than Never: Slovenia Last EU Member State To Adopt GDPR Implementing Act

Jurisdiction: European Union
Law Firm: Schoenherr Attorneys at Law
Subject Matter: Privacy, Data Protection
Author: Mr Marko Frantar and Miriam Gajšek
Published date: 24 January 2023

On 15 December 2022, the Slovenian Parliament finally adopted the Data Protection Act (Zakon o varstvu osebnih podatkov, "ZVOP-2"), a national law implementing the EU General Data Protection Regulation ("GDPR"). The act had been several years in the making, with the earliest draft released for public consultation back in 2017.
Since the GDPR became directly applicable in 2018, the scope of applicability of the legacy Data Protection Act from 2004 ("ZVOP-1") was reduced to a handful of topics, including CCTV and processing of biometric data. The failure to update the national data protection legislation following the enactment of the GDPR generated a fair share of practical issues. Notably, these included uncertainty about whether fines could be imposed for breaches of the GDPR. Initially, the prevailing view had been that, until an implementing law was enacted, these breaches could not be sanctioned at all, whether by means of administrative penalties under the GDPR or by fines set out in ZVOP-1. This changed in 2021 when leading courts took the view that a breach of GDPR provisions may carry fines set out in ZVOP-1 after all (incidentally, these fines are considerably lower than those in the GDPR).

Key takeaways

Some of the most notable changes brought about by ZVOP-2 include:

  • Data processing log (Art 22): separate from the data protection impact analysis (DPIA) governed by the GDPR, controllers will be required to keep a data processing log (dnevnik obdelave) for certain categories of data processing, including collection, change and disclosure. This obligation applies (i) where automated systems for large-scale processing of special categories of personal data are used, (ii) where there is systematic and regular monitoring of individuals, (iii) where a DPIA has shown a risk that can be efficiently managed by keeping a processing log, or (iv) when otherwise so required by law (e.g. for CCTV). As a rule, processing logs must be kept for two years after the expiry of the calendar year when the corresponding processing was recorded. This can in some instances be extended to five years.
  • Additional security requirements for "special processing" (posebne obdelave) (Art 23): ZVOP-2 introduces a new category of data processing, categorised as "special processing", which covers specific large-scale data processing within information systems. This includes systems processing personal data of more than 100,000 individuals on the basis of a statute or processing...