Informacijski pooblaščenec Republika Slovenija

Personal data protection



  1. What are the obligations of data controllers regarding personal data filing systems and filing systems registration?
  2. Who may implement video surveillance? What about video surveillance for household use?
  3. What is personal data and when may it be processed?
  4. Can my superior examine my e-mail?
  5. Can my superior examine the list of calls from my work telephone?
  6. Does transfer of personal data to other EU Member States fall under provisions on transfer to third countries?
  7. May companies request my EMŠO (Unique Citizen Identification Number) and tax number from me for ordinary business transactions (purchase and sales contracts, loans…)?
  8. May the providers of play contests collect tax numbers in advance? 
  9. Is it allowed to install video surveillance in apartment buildings in a way that would enable surveillance of the entrance area on the same television set as used for watching cable TV?
  10. When may personal data be transferred to a contractor data processor?
  11. What are the conditions for personal data processing for historical, statistical and scientific-research purposes?
  12. When may personal data be transferred to other legal or natural persons?
  13. How must the individual be informed about the fact that his data are being processed?
  14. What are the obligations of data controllers regarding security of personal data?
  15. What are the rights of the individual regarding personal information that relates to him?
  16. What should I do if my data protection right has been breached or my personal data were not processed lawfully?    
  17. What are the competencies of the Information Commissioner regarding lawful personal data processing?
  18. When may personal data be transferred to third countries?
  19. When may personal data be used for the purposes of offering goods, services or employment?
  20. Who, and under what conditions, may implement biometrics?
  21. What is the point of the Register? Isn’t it just an additional bureaucratic burden? 


1. What are the obligations of data controllers regarding personal data filing systems and filing systems registration?

Data controller shall establish for each filing system a catalogue containing:
1. Title of the filing system;
2. Data on the data controller (for natural persons: personal name, address where activities are performed or address of permanent or temporary residence, and, for sole trader, his official name, registered office, seat and registration number; for legal persons: title or registered office and address or seat of the data controller and registration number);
3. Legal basis for processing personal data;
4. The category of individuals to whom the personal data relates;
5. The type of personal data in the filing system;
6. Purpose of processing;
7. Duration of the storage of personal data;
8. Restrictions on the rights of individuals with regard to personal data in the filing system and the legal basis for such restrictions;
9. Data recipients, or categories of data recipients, of personal data contained in the filing system;
10. Whether the personal data is transferred to a third country, to where, to whom and the legal grounds for such transfer;
11. A general description of the security of personal data;
12. Data on connected filing systems from official records and public books.
13. Data on the representative from the third paragraph of Article 5 of ZVOP-1 (for natural persons: personal name, address where activities are performed or address of permanent or temporary residence, and, for sole trader, his official name, registered office, seat and registration number; for legal persons: title or registered office, address or seat of the data controller, and registration number).

Filing system catalogue is a description of a personal data filing system, which gives information on the above 13 facts about each separate filing system and should be designed according to the above questions and answers. Data controller shall on request of the individual be obliged to enable consultation of the filing system catalogue. Data controller shall supply data from subparagraphs 1, 2, 4, 5, 6, 9, 10, 11, 12 and 13 to the National Supervisory Body for Personal Data Protection – the Information Commissioner – at least 15 days prior to the establishing of a filing system or prior to the entry of a new type of personal data. Data controller shall also supply to the body any modifications to the data from the previous paragraph no later than eight days from the date of modification.


2. Who may implement video surveillance? What about video surveillance for household use?


If video surveillance implementation is not provided for in a particular act, it shall be conducted pursuant to the provisions of the Personal Data Protection Act.

Whoever wishes to implement video surveillance must publish a notice to that effect. The notice must be visible and made public in a manner that enables individuals to acquaint themselves about video surveillance implementation; it must contain the following information:
• That video surveillance is taking place;
• The title of the person in the public or private sector implementing it;
• Telephone number to obtain information as to where and for which period recordings from the video surveillance system are stored.

The video surveillance system used to conduct video surveillance must be protected against access by unauthorized persons. Pursuant to ZVOP-1 video surveillance may be conducted in the official office premises or business premises, in apartment buildings, and within workplace areas. ZVOP-1 contains special provisions for video surveillance implementation in those cases.

Video surveillance for household use falls under provision of Article 7 of ZVOP-1, which stipulates that ZVOP-1 shall not apply to the processing of personal data (in this case video surveillance) performed by individuals exclusively for personal use, family life or for other domestic needs. However, it is important to stress that such kind of video surveillance is only possible on individual’s private properties. If the property is not private, the individual, performing video surveillance, may be subject to action for damages, and additionally, a criminal law procedure may be initiated against him/her.



3. What is personal data and when may it be processed?


Personal data is any data relating to an individual, irrespective of the form in which it is expressed. An individual is an identified or identifiable natural person to whom personal data relates; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number (Unique Citizen Identification Number – EMŠO, tax number, social security number, telephone number, vehicle registration number) or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (such as employment status, address, position in a particular subject, etc.).

Processing of personal data means any operation or set of operations performed in connection with personal data that are subject to automated processing or which in manual processing are part of a filing system or which are intended for inclusion in a filing system, such as in particular collection, acquisition, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, communication, dissemination or otherwise making available, alignment or connecting, blocking, anonymizing, erasure or destruction; processing may be performed manually or by using automated technology (means of processing).

ZVOP-1 provisions regarding personal data processing are wide, therefore the Commissioner suggests data controllers to be cautious when handling any personal data.

Personal data may only be processed if the processing of personal data and the personal data being processed are provided by statute, or if the personal consent of the individual has been given for the processing of certain personal data. The purpose of processing must also be provided by statute, or in the case of the personal consent of the individual, the individual has to be notified in advance as to the purpose of processing.


4. Can my superior examine my e-mail?


No. The content of your e-mails is protected directly by Article 37 of the Constitution of the Republic of Slovenia (Protection of Privacy of Correspondence and Other Means of Communication); however, the Commissioner is not competent to make decisions in this specific area (the applicant has the option of an action for compensation, or of initiating criminal law proceedings). Additionally, legal theorists have developed a premise, based on decisions of the European Court of Human Rights, that even traffic data (to whom you have sent mail and who sent it to you) is protected in this context. Traffic data forms a personal data filing system, and the employer requires your consent if he/she wishes to access it.



5. Can my superior examine the list of calls from my work telephone?

In most cases, the employer is the only subject who might request such data from the telecommunications services provider. This act itself does not constitute a breach of the Personal Data Protection Act – the employer may acquire the list due to his/her property rights. However, the moment he/she starts identifying the owners of particular numbers, this is regarded as personal data processing. This act of identifying represents the line to which the employers may process employee’s lists of calls. Often bills for work telephones exceed the limits set by the employers, however, if this happens, the employers may investigate the issue in a way that does not involve disclosure of personal information. And it is important for the employers to set the rules of work telephone use in advance, preferably with employee’s written consent.


6. Does transfer of personal data to other EU Member States fall under provisions on transfer to third countries?

 

No. The rules for transfer to other EU Member States are the same as for transfer inside of the Republic of Slovenia.


7. May companies request my EMŠO (Unique Citizen Identification Number) and tax number from me for ordinary business transactions (purchase and sales contracts, loans…)?


No. Both numbers fall under the “same connecting codes,” which identify an individual beyond doubt. The fact that collecting of both pieces of identifiable information together is excessive has been reiterated by the Constitutional Court of RS. The proportionality principle from Article 3 of ZVOP-1 suggests that in business operations companies should request the tax number, because it reveals less information about the individual than EMŠO (which reveals birth date, age, and sex).


8. May the providers of play contests collect tax numbers in advance? 

 

No. Tax numbers may only be used for taxation purposes. When an individual is merely participating in a play contest there is no “tax” relationship, therefore the provider may not collect participant’s tax numbers. However, when an individual wins the contest, and receives the prize, he/she becomes a taxable person and thus the provider may then request the information on tax number.


9. Is it allowed to install video surveillance in apartment buildings in a way that would enable surveillance of the entrance area on the same television set as used for watching cable TV?

 

No. The law specifically forbids combining video surveillance systems with other systems which enable transmitting videos.


10. When may personal data be transferred to a contractor data processor?

 

According to ZVOP-1, the data controller may, by contract, entrust individual tasks related to the processing of personal data to another legal or natural person - data processor - that may perform individual tasks associated with processing of personal data within the scope of the client’s authorizations. Two conditions however apply:
1. Data processor must be registered to perform such activities;
2. Mutual rights and obligations shall be arranged by contract, which must contain an agreement on the procedures and measures for personal data protection. The data controller is obliged to supervise the execution of the arranged procedures and measures.


11. What are the conditions for personal data processing for historical, statistical and scientific-research purposes?

 

Irrespective of the initial purpose of collection, personal data may be further processed for historical, statistical and scientific-research purposes. Personal data shall be supplied to the data recipient for this purpose in an anonymized form. The data may be supplied in non-anonymized form only if otherwise provided by statute, or if the individual to whom the personal data relate gave prior written consent, or if written consent for such publication has been given by the legal heirs of the first or second order to the deceased person.


12. When may personal data be transferred to other legal or natural persons?

 

Personal data may be transferred to third persons only:
• when provided so by statute;
• if the individual has given explicit personal consent for this;
• if transfer is necessary for the fulfillment of a contract, or in order to fulfill the obligations and special rights of a data controller in the area of employment;
• exceptionally, if transfer of personal data is necessary for the exercise of lawful competences, duties or obligations by the public sector, provided that such processing does not encroach on the justified interests of the individual to whom the personal data relate;
• if it is essential for the fulfillment of the lawful interests of the private sector and these interests clearly outweigh the interests of the individual to whom the personal data relate.

The data controller of the Central Population Register or of Records of Permanently and Temporarily Registered Residents shall be obliged, in the manner defined, to issue certificates to an authorized party demonstrating a lawful interest in exercising rights before public sector persons the personal name and address of permanent or temporary residence of an individual against whom they are exercising their rights. The data controller shall be obliged for each supply of personal data to ensure that it is subsequently possible to determine what personal data was supplied, to whom, when and on what basis, for the period covered by statutory protection of the rights of an individual due to non-allowed supply of personal data. Data controller shall on request of the individual be obliged to provide a list of data recipients to whom personal data was supplied, when, on what basis, and for what purpose within 30 days.



13. How must the individual be informed about the fact that his data are being processed?

 

If personal data are collected directly from the individual to whom they relate, the data controller or his representative must communicate to the individual the following information, if the individual is not yet acquainted with them: data on the data controller and his possible representative (personal name, title or official name respectively and address or seat respectively), and the purpose of personal data processing. In special circumstances, the data controller must also communicate to the individual the following additional information:
• a declaration as to the data recipient or the type of data recipients of his personal data,
• a declaration of whether the collection of personal data is compulsory or voluntary, and the possible consequences if the individual will not provide data voluntarily,
• information on the right to consult, transcribe, copy, supplement, correct, block and erase personal data that relate to him.

Special circumstances
ZVOP-1 does not specify the special circumstances of collecting personal data. However, informing individuals is a precondition of fair and lawful personal data processing, therefore the individual should always receive all requested information. Informing is especially important when the data is being processed on the basis of individual’s consent or in the case of contractual processing, where data is being transferred to another party. Informing the individual about all the aspects of data processing is essential when he/she discloses personal data voluntarily, and this act may have negative consequences for him/her. The information has to be clear and comprehensible, so the individual can reach an informed decision on whether to disclose the personal information.

Collecting data indirectly from other subjects or filing systems
If personal data was not collected directly from the individual to whom it relates, the data controller or his representative must communicate the following information to the individual no later than on the recording of the personal data or on its supply to a data recipient: data on the data controller and his possible representative (personal name, title or official name respectively and address or seat respectively), and the purpose of the processing of personal data. In view of the special circumstances of collecting, the data controller must communicate to the individual the following additional information:
• information on the type of personal data collected,
• a declaration as to the data recipient or the type of data recipients of his personal data,
• information on the right to consult, transcribe, copy, supplement, correct, block and erase personal data that relate to him.


14. What are the obligations of data controllers regarding security of personal data?

 

Data controllers shall document in their internal acts the procedures and measures for security of personal data. The security of personal data comprises organizational, technical and logical-technical procedures and measures to protect personal data, and to prevent accidental or deliberate unauthorized destruction, modification or loss of data, and unauthorized processing of such data by protecting premises, equipment and systems software, including input-output units; by protecting software applications used to process personal data; by preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunications means and networks; by ensuring effective methods of blocking, destruction, deletion or anonymization of personal data; by enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and who did so, for the period covered by statutory protection of the rights of an individual due to unauthorized supply or processing of personal data. For the procedures and measures to be enforced, all employees need to be acquainted with the content of those acts. Data controller shall also define the persons responsible for individual filing systems and the persons who, due to the nature of their work, shall process individual personal data.
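The obligation above to be able to determine afterwards who entered, used or supplied which personal data and when (and, from item 12, to whom and on what basis) is what a processing log has to deliver. The following is an added illustration, not code from the Information Commissioner or from ZVOP-1: a small append-only, hash-chained log of processing events in Python, with a query that answers an individual's request for the list of data recipients. All class, field and function names, the filing system title and the sample events are this example's own constructions; the "legal basis" strings are placeholders, not citations.

```python
"""Added example: a tamper-evident processing log for personal data.

Not the Commissioner's or any project's code. Names, field layout and the
sample events below are constructed for illustration only.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ProcessingEvent:
    """One logged operation on personal data (field names are this example's own)."""
    timestamp: str                    # ISO-8601, UTC
    actor: str                        # account that performed the operation
    operation: str                    # e.g. "entry", "use", "supply", "erase"
    filing_system: str                # catalogue title of the filing system
    subject_ref: str                  # internal record reference, never the EMŠO itself
    data_types: List[str]             # which personal data the operation touched
    recipient: Optional[str] = None   # filled in for "supply" events
    legal_basis: Optional[str] = None
    purpose: Optional[str] = None
    prev_hash: str = ""               # digest of the preceding event (hash chain)
    digest: str = ""                  # digest of this event


def _compute_digest(event: ProcessingEvent) -> str:
    """Hash every field except the digest itself; canonical JSON gives a stable encoding."""
    body = asdict(event)
    body.pop("digest")
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ProcessingLog:
    """Append-only, hash-chained log: later edits to any event break verify_chain()."""

    def __init__(self) -> None:
        self._events: List[ProcessingEvent] = []

    def record(self, actor: str, operation: str, filing_system: str, subject_ref: str,
               data_types: List[str], recipient: Optional[str] = None,
               legal_basis: Optional[str] = None, purpose: Optional[str] = None,
               timestamp: Optional[str] = None) -> ProcessingEvent:
        # A supply must always be traceable: to whom, on what basis, for what purpose.
        if operation == "supply" and not (recipient and legal_basis and purpose):
            raise ValueError("a supply event must name recipient, legal basis and purpose")
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self._events[-1].digest if self._events else ""
        ev = ProcessingEvent(ts, actor, operation, filing_system, subject_ref,
                             list(data_types), recipient, legal_basis, purpose, prev)
        ev.digest = _compute_digest(ev)
        self._events.append(ev)
        return ev

    def verify_chain(self) -> bool:
        """True only if every event is unchanged and linked to its predecessor."""
        prev = ""
        for ev in self._events:
            if ev.prev_hash != prev or _compute_digest(ev) != ev.digest:
                return False
            prev = ev.digest
        return True

    def recipients_for(self, subject_ref: str) -> List[Dict[str, object]]:
        """Answer an individual's request: to whom, when, on what basis, for what purpose."""
        return [
            {"recipient": ev.recipient, "when": ev.timestamp,
             "legal_basis": ev.legal_basis, "purpose": ev.purpose,
             "data_types": list(ev.data_types)}
            for ev in self._events
            if ev.operation == "supply" and ev.subject_ref == subject_ref
        ]

    def history_for(self, subject_ref: str) -> List[ProcessingEvent]:
        """Who processed this individual's data, what they did and when."""
        return [ev for ev in self._events if ev.subject_ref == subject_ref]


def demo_log() -> ProcessingLog:
    """Constructed sample events (fictional accounts, recipient and basis)."""
    log = ProcessingLog()
    log.record("hr.clerk01", "entry", "Employee records (constructed)", "emp-0042",
               ["name", "address"], timestamp="2024-03-01T09:00:00+00:00")
    log.record("hr.clerk01", "use", "Employee records (constructed)", "emp-0042",
               ["address"], purpose="payroll", timestamp="2024-03-05T10:30:00+00:00")
    log.record("hr.manager", "supply", "Employee records (constructed)", "emp-0042",
               ["name", "address"], recipient="Pension fund (constructed)",
               legal_basis="statute (placeholder citation)",
               purpose="pension contributions", timestamp="2024-03-10T14:00:00+00:00")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("chain intact:", log.verify_chain())
    for entry in log.recipients_for("emp-0042"):
        print(entry)
```

The log stores an internal record reference rather than the identifier itself, so the audit trail does not become a second copy of EMŠO or tax numbers; the retention period of the log (the statutory protection period mentioned in the text) is a policy decision outside the example.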


15. What are the rights of the individual regarding personal information that relates to him?

Data controller shall on request of the individual be obliged:
1. to enable consultation of the filing system catalogue;
2. to certify whether data relating to him is being processed, and to enable him to consult personal data contained in filing system that relate to him, and to transcribe or copy them;
3. to supply him an extract of the personal data contained in the filing system that relates to him;
4. to provide a list of data recipients to whom personal data was supplied, when, on what basis and for what purpose;
5. to provide information about the sources on which records contained about the individual in a filing system are based, and on the method of processing;
6. to provide information on the purpose of processing and the type of personal data being processed, and all necessary explanations in this connection;
7. to explain technical and logical-technical procedures of decision-making, if the controller is performing automated decision-making through the processing of personal data of an individual.
The costs related to the request and examination shall be borne by the data controller.

On the request of an individual to whom personal data relates, the data controller must supplement, correct, block or erase personal data which the individual proves as being incomplete, inaccurate or not up to date, or that was collected or processed contrary to statute. The data controller shall enable this on the same day that the request is received, and no later than within 15 days, or within 15 days to inform the individual in writing of the reasons why he will not enable consultation, transcription, copying or the issuing of a certificate. The time frame for appeal is the same as above. On request of the individual the data controller must inform all data recipients and data processors to whom the controller has supplied the personal data of the individual, before the measures from the previous paragraph have been carried out, of their supplementation, correction, blocking or erasure pursuant to the previous paragraph. The data controller shall not need to do this if it would incur large costs, disproportionate efforts or would require a large amount of time. Individuals whose personal data are being processed shall have the right through objection at any time to demand the cessation of their processing. The data controller shall grant the objection if the individual demonstrates that the conditions for processing have not been fulfilled.

An individual who finds that his rights provided by ZVOP-1 have been violated may request judicial protection for as long as such violation lasts. If the violation ceases, the individual may file a suit to rule that the violation existed if he is not provided with other judicial protection in relation to the violation.


16. What should I do if my data protection right has been breached or my personal data were not processed lawfully?   
 

An individual who believes his right to personal data protection has been breached, or that his data was not processed lawfully, has, according to Article 30 of ZVOP-1, the right to:
• to consult personal data contained in a filing system that relates to him, and to transcribe or copy them;
• to request a list of data recipients to whom personal data were supplied, when, on what basis and for what purpose;
• to request information on the sources on which records contained about the individual in a filing system are based, and on the method of processing;
• to request information on the purpose of processing and the type of personal data being processed, and all necessary explanations in this connection;
• to request an explanation of technical and logical-technical procedures of decision-making, if the controller is performing automated decision-making through the processing of personal data of an individual.

If an individual believes his right to personal data protection has been breached, or that his data was not processed lawfully, he/she may request for the Commissioner's opinion on the matter. If an individual believes his rights from ZVOP-1 have been violated, he/she may request legal protection by filing a suit at the Administrative Court of the Republic of Slovenia. In this case it is necessary that he/she firstly requests the data controller to respect his legal rights. If the individual has suffered any damage due to unlawful processing of his/her data, he/she may initiate action for compensation.



17. What are the competencies of the Information Commissioner regarding lawful personal data processing?

 

The Information Commissioner is competent to undertake inspection supervision on the implementation of the provisions of ZVOP-1 and other tasks under ZVOP-1 and other regulations regulating the protection or processing of personal data. Within the framework of inspection supervision the Information Commissioner is competent to:
1. supervise the lawfulness of processing of personal data;
2. supervise the suitability of measures for security of personal data and the implementation of procedures and measures for security of personal data;
3. supervise the implementation of the provisions of the statute regulating the filing system catalogue, the Register of Filing Systems and the recording of the supply of personal data to individual data recipients;
4. supervise the implementation of the statutory provisions regarding the transfer of personal data to third countries and on the supply thereof to foreign data recipients.
Information Commissioner is competent for deciding on complaints of individuals regarding unlawful processing of personal data, and deciding on the appeal of an individual when the data controller refuses his request for data, extract, list, examination, confirmation, information, explanation, transcript or copy. The Commissioner can initiate before the Constitutional Court the procedure for the review of the constitutionality or legality of regulations or general acts issued for the exercise of public authority, provided that a question of constitutionality or legality arises in connection with a procedure he is conducting.


18. When may personal data be transferred to third countries?

 

Whenever personal data is supplied to a data controller, data processor or data recipient established in, has its seat in, or is registered in a Member State of the European Union or the European Economic Area or otherwise subject to the legal order thereof, the provisions of ZVOP-1 on the transfer of personal data to third countries shall not apply.

The supply of personal data that is processed or will be processed only after being supplied to a third country, shall be permitted in accordance with the provisions of ZVOP-1 provided that the Information Commissioner issues a decision that the country to which the data is transferred ensures an adequate level of protection of personal data. The Commissioner shall maintain a list of third countries which it has found to have fully or partly ensured an adequate level of protection of personal data, and a list of those who have not ensured such protection. If it has been determined that a third country only partly ensures an adequate level of protection of personal data, the list shall also detail what parts have been adequately secured. Irrespective of the above, personal data may be transferred and supplied to a third country, if:
1. so provided by another statute or binding international treaty;
2. the individual to whom the personal data relates gives personal consent and is aware of the consequences of such supply;
3. the transfer is necessary for the fulfillment of a contract between the individual to whom the personal data relates and the data controller, or for the implementation of pre-contractual measures adopted in response to the request of the individual to whom the personal data relates;
4. the transfer is necessary for the conclusion or implementation of a contract to the benefit of the individual to whom the personal data relates, concluded between the data controller and a third party;
5. the transfer is necessary to protect the individual to whom the personal data relates from serious danger to life or body;
6. the transfer is performed from registers, public books or official records which are intended by statute to provide information to the public and which are available for consultation by the general public or to any person who demonstrates a legal interest that in the individual case the conditions provided by statute for consultation have been met;
7. the data controller ensures adequate measures of protection of personal data and of the fundamental rights and freedoms of individuals, and declares the possibility of their fulfillment or protection, especially in the provisions of contracts or in the general terms of business.

The list of countries which ensure an adequate level of protection of personal data.



19. When may personal data be used for the purposes of offering goods, services or employment?

 

For these purposes, the data controller may only use the personal data of individuals that he obtained from publicly accessible sources or within the framework of the lawful performance of activities. For direct marketing purposes, the data controller may only use personal name, address of permanent or temporary residence, telephone number, e-mail address and fax number. Other personal data may only be processed on the basis of personal consent of the individual. Data controller shall be obliged to inform the individual of his/her right to request at any time in writing or in another agreed manner that the data controller permanently or temporarily cease to use his personal data for the purpose of direct marketing. The data controller shall be obliged within 15 days to prevent as appropriate the use of personal data for the purpose of direct marketing, and within the subsequent 5 days to inform in writing or another agreed manner the individual who so requested.


20. Who, and under what conditions, may implement biometrics?

 

Biometric measures in the public sector may only be provided for by statute if it is necessarily required for the security of people or property or to protect secret data and business secrets, and this purpose cannot be achieved by less intrusive means. The private sector may implement biometric measures only if they are necessarily required for the same purposes and if the employees were informed in writing thereof in advance. If the implementation of specific biometric measures in the private sector is not regulated by statute, a data controller intending to implement biometric measures shall prior to introducing the measures be obliged to supply the Information Commissioner with a description of the intended measures and the reasons for the introduction thereof. The Commissioner shall be obliged within two months to decide whether the intended introduction of biometric measures complies with ZVOP. The deadline may be extended by a maximum of one month if the introduction of such measures would affect more than 20 employees in a person in the private sector, or if the representative trade union at the employer requests to participate in the administrative procedure. There shall be no appeal against a decision of the Information Commissioner, but an administrative dispute shall be permitted. Biometric measures may be implemented in the public sector in connection with entry into a building or parts of a building and recording the presence of employees at work, and they shall be implemented with the mutatis mutandis application of the second, third and fourth paragraphs of Article 80 of ZVOP-1. This means that a public sector subject has to receive a positive decision from the Information Commissioner prior to implementation of biometric measures.


21. What is the point of the Register? Isn’t it just an additional bureaucratic burden? 

The Register of filing systems is an important tool for individuals to exercise their data protection rights. The register enables individuals to consult the personal data included in filing systems held by data controllers. The register enables greater transparency of personal data processing and safeguards the individuals to whom these data relate.
