The Unauthorised Access to Personal Data by the Slovenian Police


On July 10, 2020, a press conference was held in the hall of Slovenia’s legislative body by Jožef Horvat, MP, a member of one of the coalition parties which until early this year had spent many years in the opposition. The MP explained that his subject access request (SAR) filed with the Police in May produced evidence of 22 instances of access to his personal data, 13 of which contained no explanation as to the purpose thereof.

According to the MP, the Police was most active in March this year during the talks about the formation of the new government. He added that many of his fellow MPs had filed SARs with the Police and were awaiting responses, and several more were about to follow suit. He had reported the case to the Information Commissioner (Slovenia’s personal data watchdog). No further information was available at the time of the publication of this article. However, some media have already dubbed the case as one of the biggest scandals in the country’s history.

Putting aside the potential political motives or implications, the possibility of peeping toms inside the Police should hardy come as a surprise. Namely, between 2009 and 2019, 101 Police employees were fined by the Information Commissioner alone for unauthorised access to personal data. In the same period, the Police itself identified 44 potential criminal offences related to misuse of personal data within its own ranks (few were convicted though). But this might be just the tip of the iceberg. In question is a whole range of personal data such as residence, vehicle ownership, traffic fines, other misdemeanours and even criminal convictions. More often than not, the reason for looking at the data was plain curiosity, as victims were mainly public figures, neighbours and (ex) partners.

What in my view is a reason for concern is the fact that the Police have had in place a relatively effective system for recording all and any processing of personal data in their databases, including pure access. It is also fair to assume that the (majority of) its employees were aware of it. There are therefore only two possible explanations. There is either a lack of control and supervision within the Police, so the perpetrators feel unlikely to be caught. Or, due to the lack of education and training, the employees are unaware that any processing of personal data should be legally grounded, while at the same time pursuing a legitimate purpose – and spying on people out of curiosity doesn’t fall into this category.

Whatever the outcome of the possible political scandal, the Slovenia’s Police might have a hard case policing its own ranks.


Article provided by: Matija Jamnik (JK Group, Slovenia)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.