|Phone:||+386 1 230 9730|
|Translated Decisions:||Category:IP (Slovenia)|
|Head Count:||ca. 40-50|
|Budget:||1.8 million euros (2018), ca. 2.4 million euros (2020)|
The Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec) is the national Data Protection Authority for Slovenia. It resides in Ljubljana and is in charge of enforcing GDPR in Slovenia.
The Information Commissioner is an autonomous and independent body and it oversees personal data protection and access to public information in Slovenia. In the field of data protection, it has competencies under the GDPR as well as under the Slovenian Personal Data Protection Act, the Electronic Communications Act, the Act on Patient’s Rights, Passports Act, Identity Card Act, Banking Act, Consumer Credit Act, Decree on unmanned aircraft systems, Decree on the implementation of the Regulation (EU) on the Citizens’ Initiative and the Convention implementing the Schengen Agreement.
Structure
The body consists of four internal organisational units: (1) the cabinet of the Information Commissioner, (2) the Sector for public information, (3) the Sector for protection of personal data, and (4) the administrative-technical service. Opinions are signed by the Information Commissioner and, where applicable, by the staff member who prepared the opinion. Decisions in inspection procedures include information on the staff member who issued the decision on the Information Commissioner’s behalf (this data is anonymised in the versions published online).
Procedural Information
Applicable Procedural Law
The inspection procedure of the Information Commissioner is regulated by the GDPR, Personal Data Protection Act (Zakon o varstvu osebnih podatkov (ZVOP-1)), Information Commissioner Act (Zakon o Informacijskem pooblaščencu (ZInfP)), Inspection Act (Zakon o inšpekcijskem nadzoru (ZIN)), and General Administrative Procedure Act (Zakon o splošnem upravnem postopku (ZUP)). For procedural matters not regulated in the Inspection Act, the General Administrative Procedure Act applies.
There is no procedural law in place that would regulate the issuing of administrative fines under the GDPR, as the new Personal Data Protection Act (Zakon o varstvu osebnih podatkov (ZVOP-2)), which should ensure the full implementation of the GDPR in Slovenia, still hasn’t been adopted. Therefore, the Information Commissioner can conduct the offences procedure (prekrškovni postopek) only in case of breaches of the few articles in the current Personal Data Protection Act (Zakon o varstvu osebnih podatkov (ZVOP-1)) which are still in force after the GDPR’s entry into force.
Responding to requests regarding the applicability of the GDPR in Slovenia, the IP issued the following response on 26 October 2022:
"[T]he General data protection Regulation (GDPR) is in Slovenia directly applicable, as well as in other EU member states. There are however problems in the practical use of the GDPR which arise from the delay in the adoption of the new Personal Data Protection Act which would define procedural aspects of the use of GDPR and other aspects which the GDPR leaves for definition to the member states (for ex. Art. 6(3), some aspects of Art. 9(2), Art. 10, Art. 23, Art. 88, 89 etc.). This is for example among other issues reflected also in the field of prevention and compliance, as controllers and processors consequently – until the conditions in the national legislation are clearly defined – cannot use certification under the GDPR.
Consequently some parts of the 2007 Personal Data Protection Act (ZVOP-1) are still valid and in use, which was confirmed also by some late court decisions. These are of course parts of 2007 ZVOP-1 which are not in contradiction with the GDPR which is as stated fully and directly applicable in Slovenia.
As for the implementation of the Directive 2016/680 it was implemented with the Act on the Protection of Personal Data in the Area of Treatment of Criminal Offences (ZVOPOKD - available in Slovene at: http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO8157).
Another issue relevant for the analysis of the Data protection legislation in Slovenia is law relevant for the group of controllers which are not subject to the GDPR nor to the ZVOPOKD (for ex. Slovene Intelligence and Security Agency) for these the ‘2007’ ZVOP-1 is still fully applicable and GDPR does not apply to them. The same goes for the aspect of the processing of personal data of deceased individuals which is regulated by Art. 23 of the 2007 ZVOP-1 which is also still valid and in use."
Complaints Procedure under Art 77 GDPR
For complaints of data subjects with a supervisory authority (Article 77 of the GDPR), the procedural rules of the General Administrative Procedure Act (Zakon o splošnem upravnem postopku (ZUP)) apply.
Ex Officio Procedures under Art 57 GDPR
You can help us by filling in this section!
Appeals
Appeals against decisions in inspection procedures can be lodged with the Administrative Court.
Practical Information
An individual can report a breach of the GDPR to the Information Commissioner, which then conducts an ex-officio inspection procedure based on the Slovenian Inspection Act. More information, including a recommended form for reporting (in English), is available on the Information Commissioner's website.
Filing with the DPA
You can help us by filling in this section!
Known Problems
You can help us by filling in this section!
Filing an Appeal
You can help us by filling in this section!
Decision Database
Statistics
In 2018, the Information Commissioner conducted 1,029 inspection procedures on suspected infringements of the Personal Data Protection Act (ZVOP-1) and the GDPR, and issued 2,192 written and 3,230 oral opinions on data protection issues.
- Letno poročilo Informacijskega pooblaščenca za leto 2018 (Annual Report of the Information Commissioner for 2018), available at: https://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/Letno_porocilo_2018_FINAL.pdf, introduction, pp. 70, 120.
- Letno poročilo Informacijskega pooblaščenca za leto 2018 (Annual Report of the Information Commissioner for 2018), available at: https://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/Letno_porocilo_2018_FINAL.pdf, introduction, pp. 63, 94.
Funding
The Information Commissioner had a budget of €2,232,236.00 in 2019. It is funded by the Republic of Slovenia. All fines and fees go to the federal budget, not into the budget of the IC.
Personnel
In 2019 the IC had 47 employees.
Caseload
The following are the statistics for 2019 according to the IC's Annual Report:
- 1183 investigation procedures (11.5% more than in 2019),
- 139 misdemeanor procedures (note: those are not administrative fines as required by GDPR),
- 1261 non-binding opinions,
- 137 security breach reports,
- 73 opinions on regulations.
Average caseload per supervisor:
- 2017: 61,
- 2018: 92,
- 2019: 74.
Fines
For alleged violations of the provisions of ZVOP-1, the Information Commissioner initiated 139 administrative offense proceedings in 2019, of which 83 proceedings were against public sector legal entities and their responsible persons, 32 proceedings were against private sector legal entities and their responsible persons, and 24 proceedings were against natural persons (this figure also includes proceedings against responsible persons of state bodies and self-governing local municipalities, since according to ZP-1 the Republic of Slovenia and self-governing local municipalities are not responsible for administrative offenses, but only their responsible persons - there were 19).
The Information Commissioner stressed that the conduct of administrative offense proceedings and the imposition of sanctions for detected violations have been strongly influenced by the fact that Slovenia has still not adopted a systemic regulation for the application of the GDPR (so-called ZVOP-2). The Information Commissioner could therefore not initiate infringement proceedings and impose sanctions for infringements of the provisions of the GDPR; the IC could only do so for infringements of those articles of ZVOP-1 that are still valid or for controllers to whom ZVOP-1 fully applies.
Annual Reports
The 2019 Annual Report can be found on ip-rs.si.