Information commissioner Republic of Slovenia
| en | Iskalnik po spletni strani   Priredbe v znakovni jezik  
dekorativna slika

Key new features of the Personal Data Protection Act (ZVOP-2)

+ -

The General Data Protection Regulation (GDPR) sets out uniform rules for the protection of personal data in the EU, but certain substantive and procedural issues may be regulated by Member States. These areas are regulated by the new Personal Data Protection Act (Official Journal of the Republic of Slovenia No. 163/22; ZVOP-2), which applies from 26 January 2023 - with the expiry of the previous Personal Data Protection Act (ZVOP-1).

On this page you will find essential information on ZVOP-2 and links to additional materials:

What is regulated by the ZVOP-2?

When do the obligations under the ZVOP-2 enter into force and what are the transitional provisions?

Where can I find more information on the specific areas covered by the ZVOP-2?

What is regulated by the ZVOP-2?

The General Regulation allows the national regulators to regulate certain substantive areas, such as the use of health, biometric and genetic data, certain procedural aspects (e.g. sanctioning procedure and remedies) and the relation to other areas and rights (e.g. access to public information, use of personal data for research, archival and statistical purposes). It also regulates additional conditions for Data Protection Officers, changes the regulation of video surveillance, ensures traceability and certain other areas. However, the General Regulation should not be amended by the ZVOP-2, as the General Regulation is directly applicable. It should be borne in mind that both the General Regulation and the ZVOP-2 apply, and therefore the provisions of the ZVOP-2 should also be read in the light of the General Regulation.

When do the obligations under the ZVOP-2 enter into force and what are the transitional provisions?

The Personal Data Protection Act applies from 26 January 2023, but it allows different periods of time for adaptation (from the date of entry into force, i.e. 26 January 2023):

  • Specific measures to ensure the security of personal data in the area of special processing (Article 23) shall be put in place within three years.
  • The Minister responsible for Justice, in agreement with the Minister responsible for Health, shall, after a prior opinion of the supervisory authority, adopt rules on charging (Article 17(5)) within three months.
  • Data protection officers (DPOs) appointed by the heads of the ministries before the entry into force of the ZVOP-2 shall continue to act as DPOs under the ZVOP-2.
  • Offence proceedings initiated before the entry into force of the ZVOP-2 before the Information Commissioner or the courts shall be terminated in accordance with the ZVOP-1, unless ZVOP-2 is more lenient for the offender. Inspection proceedings initiated under ZVOP-1 shall continue in accordance with the ZVOP-2.
  • The list of third countries referred to in Article 66 of the ZVOP-1 (transfer of data to third countries) is repealed.
  • The Register of personal data filing systems of the Information Commissioner shall cease to function as of the date of entry into force of the ZVOP-2.
  • The keeping of processing logs shall be brought into line with Article 22 of the ZVOP-2 within two years.
  • Slovenian Accreditation shall start the accreditation procedures on 1 January 2024; applications shall be submitted by controllers within six months after the expiry of the deadline referred to in Article 121(1).
  • Video surveillance in means of transport intended for public passenger transport shall be brought into line with the provisions of Article 79 of the ZVOP-2 within six months.
  • The controllers are not required to resubmit information on the DPOs, provided that the information on the DPO is not changed.
  • The following legislation shall cease to apply:
    • Rules on the methodology of keeping the register of personal data files (Official Journal of the RS, No 28/05 and 30/11);
    • The Regulation on obtaining the information necessary for deciding on transfer of personal data to third countries (Official Journal of the RS, No 79/05);
    • Regulation on the charging of costs for the exercise of the individual's right of access (Official Journal of the Republic of Slovenia, No 85/07 and 5/12).
  • While amendments to the provisions on the amounts and ranges of fines laid down by the law governing offences are pending, fines for infringements under Article 83 of the General Regulation shall be imposed in accordance with Article 83 of the General Regulation.

Please note that with the entry into force of the ZVOP-2, ZVOP-1 will cease to apply, and with it the following provisions that are no longer regulated by the ZVOP-2:

  • Protection of sensitive personal data in the case of transmission over unsecured electronic channels (Article 14 of the ZVOP-1),
  • Regulation of direct marketing (Articles 72 and 73 of the ZVOP-1).

Where can I find more information on the specific areas covered by the ZVOP-2?

More information on the specific areas covered by the ZVOP-2 is available here: https://www.ip-rs.si/en/data-protection/obligations-of-data-processors/.