New Data Protection Act (ZVOP-2)

5 January 2023

On 15 December 2022, the National Assembly adopted the Data Protection Act (Zakon o varstvu osebnih podatkov - ZVOP-2; Official Gazette of RS, no. 163/2022), which transposes the European General Data Protection Regulation (GDPR) into Slovenian law and regulates national specificities in the area of personal data protection. The new law will apply from 26 January 2023 and will replace the existing Data Protection Act (ZVOP-1) from 2004 (Zakon o varstvu osebnih podatkov - ZVOP-1; Official Gazette of RS, no. 86/04, 113/05 – ZInfP, 51/07 – ZUstS-A, 67/07 and 177/20).

The new Act respects the human right to the protection of personal data (Article 38 of the Constitution of the Republic of Slovenia). Among other things, it provides that the use of personal data contrary to the purpose for which they were collected is prohibited and provides that everyone has the possibility to become acquainted with the personal data collected concerning them, as well as the right to judicial protection in the event that personal data is misused. The Constitution already provides that the law must regulate the collection, processing, control and purpose of use of personal data and the protection of confidentiality of personal data (source: National Assembly adopts the Data Protection Act, Ministry of Justice, 15 January 2022).

In addition to the GDPR, the new Act also regulates additional aspects of personal data protection, including video surveillance, biometrics, processing of personal data for research purposes, and authorized persons for the protection of personal data. It also sets an age limit for children's consent to the use of information society services and allows for the imposition of fines as provided for in the GDPR.

Below are some of the new provisions introduced by the new Act:
- The new Act provides that a person older than 15 years can give consent to the processing of data for the use of information society services.

- It is specified that the special protection of personal data of deceased individuals, provided by the law, is guaranteed for 20 years after their death.

- Article 22 of the new Act provides for the keeping of a log of the processing of personal data where large-scale processing of special types of personal data is carried out in automated processing systems or where there is regular and systematic monitoring of individuals, and in certain other cases set out in the Act. The processing log will have to contain the type of processing operation, the date and time, the identification of the person who carried out the operation and the identification of the users of the personal data. The content of the processing log will have to be kept for two years from the end of the calendar year in which the acts were recorded. The Act provides for a period of two years (i.e. until 26 January 2025) for the harmonization of the processing logs.

- The new Act determines the application of the provisions on security requirements and incident notification of the law governing information security (the Information Security Act, Zakon o informacijski varnosti - ZInfV; Official Gazette of RS, no. 30/18 and 95/21), which apply to providers of essential services. These provisions apply only to certain information systems, including those where personal data of more than 100,000 individuals are processed on the basis of the law and where special types of personal data of more than 10,000 individuals are processed. The Act sets a deadline of three years (i.e. until 26 January 2026) for the processing of personal data to comply with this provision.

- The Act provides that the implementation of the provisions of the GDPR and the Act shall be supervised by the Information Commissioner, who, as an infringement authority, is also competent to impose fines in accordance with the GDPR and the new Act. This will allow for the imposition of the high fines provided in the GDPR, including a fine of up to €20 million or 4% of annual sales (whichever amount is greater), which can be imposed on a company. Until the new Act comes into force, it is otherwise impossible to impose such fines under the GDPR.

Below we mention some of the foreseen fines:
- In case of breach of the data processing rules (e.g. improper consent of an individual to the collection of his data), the fine ranges between €200 and €8,000 for the responsible person or the sole trader.

- In the case of failure to publish a video surveillance notice, a fine of up to €10,000 is foreseen, or up to €20,000 for medium and large companies.

- If the recordings are kept for more than one year, the new Act foresees a fine of €20,000 or €40,000 for medium and large companies.
