Slovenia Update

The Novelties Brought by the New Personal Data Protection Act

Several years have passed since the General Data Protection Regulation (“GDPR”) has been in force in the EU, regulating personal data protection. Although the GDPR is directly applicable, the act governing the matter of personal data protection must nevertheless be adopted in each member state, as some areas in the GDPR are left to be governed by the national law of each country. In addition, the adoption of a national law is a precondition for imposing fines and appointing a supervisory authority. Those are the main reasons for systematic regulation of the field of data protection in Slovenia by the new Personal Data Protection Act (“Act”). The Act will apply as of 26 January 2023.

The following is a brief description of some of the most important changes introduced with the Act.


Age limit for the consent of minors

The Act prescribes a limit of 15 years or more for the consent of minors. Consent of minors below the age of 15 is valid only if it is given or approved by one of the legal representatives. The service provider may also set a higher age limit in the terms of use, whereas such a higher set limit prevails.


Transmission of personal data of deceased individuals

The Act sets out the conditions for the transmission of personal data of deceased individuals, which are applicable for 20 years after the death of an individual. The protection no longer applies to such data after 20 years. However, the personal data of deceased individuals are also regulated by other, sectoral laws, which are specific in relation to the Act and therefore prevail.


Security obligations

For certain filing systems that are considered particularly sensitive due to their size, content, or other characteristics, the Act provides a special regime of measures to prevent unauthorized disclosure. Among others, this includes filing systems in the field of health care and health insurance, regardless of the size of the filing system.

Some data controllers and processors will be required to keep a processing log if:

  • such obligation will be required by law;
  • in event of extensive processing of special categories of personal data;
  • in event of regular and systematic monitoring of individuals; or
  • when an impact assessment has identified a risk that may be eliminated by the processing log.

Such a processing log allows for subsequent analysis of the legality of the processing and must record collection, change, access, disclosure, deletion, and other processing activities determined by law. Processing logs may be kept for a maximum of two years from the end of the year in which the processing operations were recorded unless another law provides otherwise.

Security of personal data in the area of special processing in certain information systems will not only have to be ensured in line with the GDPR but also with security and incident reporting measures pursuant to the Slovenian Information Security Act.


General judicial protection

General judicial protection of the rights of the individual may be used without prior use of other legal remedies. An individual lawsuit may be filed with the Administrative court by any individual who considers that his/her data protection rights are or have been violated. The individual may request cessation of a breach, compliance with the legislation, and compensation for the damage that occurred, and if the violation has already ceased, a finding that data protection rights have been violated.


Data Protection Officer

The data protection officer must be appointed to assist the controller or processor in ensuring compliance with the data protection legislation, whereas the appointed person must have knowledge and experience in the field of data protection which is required for the appointment. Several controllers or processors may jointly appoint a data protection officer.


Video surveillance and biometrics

The provisions on video surveillance have been renewed by the Act. The content of the video surveillance notice is specified. Such notice may also be published on the website; therefore, the notice must at least indicate the web address containing the information. The processing of personal data using biometrics is also regulated.



The supervisory authority regarding GDPR and the Act remains the Information Commissioner. The penalty provisions provide for the possibility of imposing fines for infringements on legal persons and on the responsible persons of legal persons. Penalties for infringements provided for in the GDPR will be imposed on legal persons, sole proprietors, and self-employed persons, in the amounts and within the ranges provided for in the GDPR (up to EUR 10 million, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher). For other infringements, for which no fine range is laid down in the GDPR or for infringements of provisions introduced by the Act, the fines are set in a range, with a maximum of EUR 40,000 for a legal person, and EUR 8,000 for the responsible person of a legal person.

A version of this article in the Slovenian language is available here.


The information in this document does not constitute legal advice on any particular matter and is provided for general informational purposes only.