As the last EU state, Slovenia passed Personal Data Protection Act


As of 2023 data privacy in Slovenia will be governed by the newly passed Personal Data Protection Act (ZVOP-2), which aims to bring country’s data protection framework in line with the GDPR. Slovenia became the last EU member state to fully implement the GDPR into its legal system when ZVOP-2 came into effect on January 26, 2023.

What changes does ZVOP-2 bring?

ZVOP-2 contains additional requirements regarding data security that controllers must comply with in addition to the requirements of the GDPR.

  1. Record-keeping

    Article 22 of ZVOP-2 regulates record-keeping, which was previously known as "traceability” and specifies who must ensure record-keeping, for which processing activities, what the record-keeping must contain, for what purposes the record-keeping can be used, and the data retention period for records of processing. Regarding the retention periods of processing logs, ZVOP-2 stipulates that the content of the processing log should be kept for two years from the end of the calendar year in which the processing activities were recorded, unless another law provides otherwise. If a DPIA or other analysis of relevant risks reveals a risk that can be effectively managed by extending the retention period, the processing log may be kept for a maximum of five years from the end of the calendar year in which the processing activities were recorded.

  2. Security of personal data in the field of special processing

    Article 23 of ZVOP-2 stipulates the security of personal data in the area of special processing. These are specific requirements for particularly risky information systems where a large amount of particularly sensitive, confidential or otherwise protected data is processed, including special types of personal data, such as large state registers (e.g. pension and health insurance, Permanent Population Register, register of motor vehicles, etc.) For these information systems, ZVOP-2 is linked to the Information Security Act and specifies restrictions in connection with the location of data storage.

  3. Protection of personal data that is the subject of the procedure

    ZVOP-2 also contains provisions relating to the protection of personal data that are the subject of the procedure (Article 21 of ZVOP-2) - but it is primarily about when and how data controllers must act in the event that certain personal data are requested in a certain procedure (e.g. inspection, in the procedure of an individual's request for access to his own data, etc.), where it is essential that the controller may not delete or change the necessary data while the procedure lasts.


Key market and enforcement trends in 2023

One of the key market trends in data privacy in Slovenia is the increasing awareness and importance of data protection among individuals and businesses. With the implementation of ZVOP-2, organizations will have to comply with stricter data protection regulations, and failure to do so can result in significant fines and legal penalties. As a result, there is a growing demand for privacy professionals, including data protection officers (DPOs), consultants, and lawyers, who can help organizations navigate the complex data protection landscape.

In terms of enforcement trends, the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec or IP) is expected to play a more active role in monitoring and enforcing data protection regulations. The IP will have the power to impose significant fines for non-compliance with the new law, and it is expected to carry out regular audits and investigations to ensure that organizations are following data protection requirements.

Furthermore, the new law includes several transitional provisions, which provide some flexibility for organizations to adapt to the new data protection requirements. For example, existing data protection officers appointed by organizations before the implementation of ZVOP-2 can continue to carry out their duties under the new law. Similarly, ongoing administrative and legal proceedings that began before the implementation of the new law will be concluded under the previous law unless the new law is more favorable to the accused party.

Overall, data privacy will remain a critical issue in Slovenia in the coming years, and organizations will need to take proactive steps to ensure compliance with the new data protection regulations to avoid legal and financial consequences.

We therefore strongly recommend that companies doing business with or in Slovenia engage a lawyer to review their personal data protection procedures in light of the new law.

Article provided by INPLP member: Boris Kozlevcar (JK Group, Slovenia)



Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.