Defining the Constitutional Right of Privacy in Slovenia

Slovenia’s Personal Data Protection Act 2004 is a personal data protection law that was originally passed in 2004. Although Slovenia is a member state within the European Union and is subject to the provisions set out in the EU’s General Data Protection Regulation or GDPR, Slovenia is one of a handful of nations within the EU that has yet to pass a national law for the purposes of implementing the provisions of the EU’s GDPR law into Slovenian law. To this point, Slovenia’s Personal Data Protection Act 2004 has been amended several times, most recently in 2013, in order to provide Slovenian citizens with more updated privacy protections. Moreover, the Personal Data Protection Act 2004 and the EU’s GDPR law represent the primary legal guidelines for which personal data may be collected and processed within Slovenia.

How are data controllers and processors defined?

Under Slovenia’s Personal Data Protection Act 2004, a data controller is defined as “a natural person or legal person or other public or private sector person which alone or jointly with others determines the purposes and means of the processing of personal data or a person provided by statute that also determines the purposes and means of processing.” Alternatively, a data processor is defined as “a natural person or legal person that processes personal data on behalf and for the account of the data controller.” Furthermore, the law defines an individual as “an identified or identifiable natural person to whom personal data relates; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, where the method of identification does not incur large costs or disproportionate effort or require a large amount of time.”

What are the requirements?

Data controllers and processors who conduct operations within Slovenia have the following responsibilities and obligations under Slovenia’s Personal Data Protection Act 2004:

• Personal data must be processed in a manner that is consistent with the principles of lawfulness and fairness.
• All personal data that is processed must be adequate in relation to the purposes for which it was collected or further processed.
• The “protection of personal data shall be guaranteed to every individual irrespective of nationality, race, color, religious belief, ethnicity, sex, language, political or other belief, sexual orientation, material standing, birth, education, social position, citizenship, place or type of residence or any other personal circumstance.”
• Sensitive personal data, such as data pertaining to racial or ethnic origin, may only be processed under certain circumstances, such as when an individual provides their consent for the processing of such information.
• All personal data that is processed must be accurate and kept up to date.
• Technical and organizational measures must be taken for the purposes of ensuring the security of personal data that is collected or processed.

What are the rights of Slovenian citizens under Slovenia’s Personal Data Protection Act 2004?

Under Slovenia’s Personal Data Protection Act 2004, Slovenian citizens have the following rights as it concerns data protection:

• The right to be informed.
• The right to access.
• The right erasure.
• The right to rectification.
• The right to object or opt-out.
• The right of restriction.
• The right to judicial protection.
• The right to request a temporary injunction.

In terms of penalties that can be imposed against data controllers and processors who violate any of the rights stated above, Slovenia’s Personal Data Protection Act 2004 is enforced by Slovenia’s National Supervisory Body for Personal Data Protection or the National Supervisory Body for short. As such, the National Supervisory Body has the authority to impose a number of punishments against individuals and organizations who violate the provisions of the law. Such punishments include but are not limited to:

• “A fine from EUR 2.080 to 8.340 shall be imposed for a minor offense on a legal person, sole trader, or individual independently performing an activity, who implements video surveillance in contravention of Article 76.”
• “A fine from EUR 2.080 to 4.170 shall be imposed for a minor offense on a legal person, sole trader, or individual independently performing an activity, if in accordance with this Act he processes personal data for the purposes of direct marketing and does not act in accordance with Articles 72 or 73.”
• “A fine from EUR 4.170 to 12.510 shall be imposed for a minor offense on a legal person, sole trader, or individual independently performing an activity, if he processes personal data in accordance with this Act and fails to ensure the security of personal data (Articles 24 and 25).”

Although Slovenia has yet to enact a national law for the purposes of implementing the provisions of the EU’s GDPR law into Slovenian law, the provisions of the Personal Data Protection Act 2004 and subsequent amendments provide citizens of the country with a comprehensive level of data protection. To this end, the country of Slovenia has a long history of protecting the information of its citizens, as personal data is a constitutionally protected right under the Constitution of the Republic of Slovenia. As such, Slovenia has taken steps to ensure the personal privacy of its citizens, irrespective of the provisions set forth in the EU’s GDPR law.