• Insights

Slovenia – The GDPR one year on

Written by
ŠELIH & PARTNERJI Law Firm, a leading Slovenian full-service business and employment law firm with a long tradition of legal service excellence.
Slovenia has not yet implemented local legislation to reflect the entry into force of the GDPR in May 2018. This article describes the current state of legislative proposals and other data protection developments. 

Slovenia is one of the EU member states that has not yet completed the process of implementing the GDPR into national legislation. The legislative procedure for the adoption of the new Personal Data Protection Act is still ongoing. Only after its adoption will there be legislation listing violations and providing a basis for sanctions under the GDPR. The Information Commissioner as the competent authority for data protection in Slovenia does not currently have the power to impose administrative fines for violations of the GDPR. Consequently, the Information Commissioner can only impose monetary fines under the currently valid Personal Data Protection Act for matters not covered by the GDPR (e.g. biometrics, direct marketing, video surveillance, database linking etc.). Inspections initiated prior to GDPR with regard to matters that are now regulated by the GDPR had to be suspended until the new Personal Data Protection Act is adopted.

The latest proposal for the new Personal Data Protection Act was published on 6 March 2019 and is currently in the public consultation phase. The main concern is that the proposed new Act may overstep the margin of discretion foreseen in the GDPR in some aspects. Therefore, it is expected that the proposal will undergo further revisions, before being adopted by the National Assembly, probably in the second half of 2019.

Observations from the Information Commissioner show there has been a significant increase in requests for access by individuals to their personal data and requests for erasure of personal data. As follows from these observations, as a result of poor differentiation between legal bases for the processing of personal data under GDPR, many businesses prefer to ‘flood’ data subjects with consent requests rather than relying on another legal basis for processing. However, on the other hand, a number of DPO’s have been nominated (more than 2,100). The Information Commissioner also notes that data subjects are quite well acquainted with their rights deriving from the GDPR. As regards the impact on HR, practice shows that regulation was also rather strict before the GDPR and therefore no major changes have had to be implemented in this respect so far.

Darja Miklavčič
Partner - Slovenia