The new Personal Data Protection Act (hereinafter: “ZVOP-2”) was adopted by the National Assembly on 15 December 2022, published in the Official Gazette of the Republic of Slovenia on 27 December 2022 and entered into force on 26 January 2023. Slovenia is thus the last EU Member State to adopt national legislation on personal data protection, thereby regulating some of the matters that the General Data Protection Regulation (the “GDPR”) left to the Member States.
The ZVOP-2 introduces some important new provisions, the most significant of which is that the Information Commissioner will be able to impose fines that are prescribed in Article 83 in the GDPR. At the same time, ZVOP-2 also made it possible to impose fines on responsible persons at the companies and individuals, which is not provided for in the GDPR. It is also important to note that ZVOP-2 provides in transitional provisions that minor offence proceedings initiated before the Information Commissioner or the courts prior to ZVOP-2 entering into force shall be concluded in accordance with the provisions of ZVOP-1, unless the provisions of ZVOP-2 are more lenient for the perpetrator. Inspection proceedings initiated under ZVOP-1 shall continue in accordance with ZVOP-2.
ZVOP-2 also regulates areas that are not covered by the GDPR or not covered in sufficient detail. ZVOP-2 thus introduces the following new features:
- in the area of video surveillance, the retention period for recordings has changed to a maximum of 1 year and the video surveillance notice will have to contain all the information provisioned in Article 13 of the GDPR (companies will be able to include on the notice a link to a website containing this information, instead of having it on the notice itself);
- data processing logs, are to be kept in case of (i) extensive processing of special categories of personal data, (ii) regular and systematic monitoring of individuals, or (iii) where an impact assessment has identified a risk that can be effectively managed through the keeping of a processing log, or (iv) where the law so provides (the obligation to keep processing logs with the provisions of the ZVOP-2, shall be necessary within 2 years of its entry into force, i.e. by 26 January 2025);
- the individual may seek judicial protection of his or her rights throughout the duration of the infringement, without first exercising rights under other provisions of the ZVOP-2 or resorting to other legal remedies and the decision is taken by an administrative court under the Administrative Dispute Act, where the individual may also include a claim for damages in his or her lawsuit;
- after 20 years from the death of the individual, his or her data will no longer be protected as personal data;
- the list of third countries referred to in Article 66 of ZVOP-1, i.e. the list of countries which the Information Commissioner has found to have an adequate level of protection of personal data or not, either fully or partially has been amended, i.e. it has been repealed with the entry into force of ZVOP-2, which means that another legal basis will have to be found for the export of personal data to countries that have been identified on this list as having an adequate level of protection of personal data;
ZVOP-2 also introduces other changes, including in the areas of biometrics, linking filing systems, public registers and research purposes.
At this point, it is important to stress that the provisions of GDPR are still applicable and used directly, and ZVOP-2 can be considered as an amendment to the GDPR, as it introduces additional requirements for compliance when processing personal data. Companies that have already been following the provisions under the GDPR and the guidance of the Information Commissioner will be able to adapt their business operations quite quickly and swiftly.