IP (Slovenia)

From GDPRhub
Informacijski pooblaščenec
LogoSI.png
Name: Informacijski pooblaščenec
Abbreviation : IP
Jurisdiction: Slovenia
Head: Mojca Prelesnik
Deputy: n/a
Adress: Dunajska 22

1000 Ljubljana

SLOVENIA

Webpage: ip-rs.si
Email: gp.ip@ip-rs.si
Phone: +386 1 230 9730
Twitter: n/a
Procedural Law: n/a
Decision Database: ip-rs.si
Translated Decisions: Category:IP (Slovenia)
Head Count: ca. 40-50
Budget: 1.8 million euros (2018), ca. 2.4 million euros (2020)

The Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec) is the national Data Protection Authority for Slovenia. It resides in Ljubljana and is in charge of enforcing GDPR in Slovenia.

The Information Commissioner is an autonomous and independent body and it oversees personal data protection and access to public information in Slovenia. In the field of data protection, it has competencies under the GDPR as well as under the Slovenian Personal Data Protection Act, the Electronic Communications Act, the Act on Patient’s Rights, Passports Act, Identity Card Act, Banking Act, Consumer Credit Act, Decree on unmanned aircraft systems, Decree on the implementation of the Regulation (EU) on the Citizens’ Initiative and the Convention implementing the Schengen Agreement

Structure[edit | edit source]

The body consists of four internal organisational units: (1) the cabinet of the Information Commissioner, (2) the Sector for public information, (3) the Sector for protection of personal data, and (4) the administrative-technical service. Opinions are signed by the Information Commissioner and, where applicable, by a staff member, who prepared the opinion. Decisions in inspection procedures include information on the staff member, who issued the decision on the Information Commissioner’s behalf (with data being anonymsed in the online published versions).

Procedural Information[edit | edit source]

Applicable Procedural Law[edit | edit source]

The inspection procedure of the Information Commissioner is regulated by the GDPR, Personal Data Protection Act (Zakon o varstvu osebnih podatkov (ZVOP-1)), Information Commissioner Act (Zakon o Informacijskem pooblaščencu (ZInfP)), Inspection Act (Zakon o inšpekcijskem nadzoru (ZIN)), and General Administrative Procedure Act (Zakon o splošnem upravnem postopku (ZUP)). For procedural matters not regulated in the Inspection Act, the General Administrative Procedure Act applies.

There is no procedural law in place that would regulate the issuing of administrative fines under the GDPR, as the new Personal Data Protection Act (Zakon o varstvu osebnih podatkov (ZVOP-2), which should ensure the full implementation of the GDPR in Slovenia, still hasn’t been adopted. Therefore, the Information Commissioner can conduct the offences procedure (prekrškovni postopek) only in case of breaches of the few articles in the current Personal Data Protection Act (Zakon o varstvu osebnih podatkov (ZVOP-1)) which are still in force after the GDPR’s entrance into force.[1]

Complaints Procedure under Art 77 GDPR[edit | edit source]

For complaints of data subjects with a supervisory authority (Article 77 of the GDPR), the procedural rules of the General Administrative Procedure Act (Zakon o splošnem upravnem postopku (ZUP)) apply.

Ex Officio Procedures under Art 57 GDPR[edit | edit source]

You can help us filling this section!

Appeals[edit | edit source]

Appeals against decisions in inspection procedures can be lodged with the Administrative Court.

Practical Information[edit | edit source]

An individual can report a breach of the GDPR to the Information Commissioner, which then conducts an ex-officio inspection procedure based on the Slovenian Inspection Act. More information, including a recommended form for reporting (in English), is available on the Information Commissioner's website.

Filing with the DPA[edit | edit source]

You can help us by filling in this section!

Known Problems[edit | edit source]

You can help us by filling in this section!

Filing an Appeal[edit | edit source]

You can help us by filling in this section!

Decision Database[edit | edit source]

You can help us by filling in this section!

Statistics[edit | edit source]

In 2018, the Information Commissioner conducted 1.029 inspection procedures on suspected infringements of the Personal Data Protection Act (ZVOP-1) and the GDPR, and issued 2.192 written and 3.230 oral opinions on data protection issues.[2]

  1. Letno poročilo Infromacijskega pooblaščenca za leto 2018 (Annual Report of the Information Commissioner for 2018), available at: https://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/Letno_porocilo_2018_FINAL.pdf, introduction, pp. 70, 120.
  2. Letno poročilo Infromacijskega pooblaščenca za leto 2018 (Annual Report of the Information Commissioner for 2018), available at: https://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/Letno_porocilo_2018_FINAL.pdf, introduction, pp. 63, 94.

Funding[edit | edit source]

The Information Commissioner had a budget of €2,232,236.00 in 2019. It is funded by the Republic of Slovenia. All fines and fees go to the federal budget, not into the budget of the IC.

Personal[edit | edit source]

In 2019 the IC had 47 employees.

Caseload[edit | edit source]

The following are the statistics for 2019 according to the IC's Annual Report:

  • 1183 investigation proceedures (11.5% more as in 2019),
  • 139 misdemenaor proceedures (note: those are not administrative fines as required by GDPR),
  • 1261 non-binding opinions,
  • 137 security breach reports,
  • 73 opinions on regulations.

Average caseload per supervisor:

  • 2017: 61,
  • 2018: 92,
  • 2019: 74.

Fines[edit | edit source]

For alleged violations of the provisions of ZVOP-1, the Information Commissioner initiated 139 administrative offense proceedings in 2019, of which 83 proceedings were against public sector legal entities and their responsible persons, 32 proceedings were against private sector legal entities and their responsible persons, and 24 proceedings were against natural persons (this figure also includes proceedings against responsible persons of state bodies and self-governing local municipalities, since according to ZP-1 the Republic of Slovenia and self-governing local municipalities are not responsible for administrative offenses, but only their responsible persons - there were 19).

The Information Commissioner stressed that the conduct of administrative offense proceedings and the imposition of sanctions for detected violations have been strongly influenced by the fact that Slovenia has still not adopted a systemic regulation for the application of the GDPR (so-called ZVOP-2). The Information Commissioner could therefore not initiate infringement proceedings and impose sanctions for infringements of the provisions of the GDPR; IC could only do so for infringements of those articles of ZVOP-1 that are still valid or for controllers to whom ZVOP-1 fully applies.

Annual Reports[edit | edit source]

2019 Annual Report can be found on ip-rs.si.

EU/EEA/UK Data Protection Authorities
Austria · Belgium · Bulgaria · Croatia · Cyprus · Czech Republic · Denmark · Estonia · Finland · France · Germany (Baden-Württemberg · Bavaria, private sector · Bavaria, public sector · Berlin · Brandenburg · Bremen · Hamburg · Hesse · Lower Saxony · Mecklenburg-Vorpommern · North Rhine-Westphalia · Rhineland-Palatinate · Saarland · Saxony · Saxony-Anhalt · Schleswig-Holstein · Thuringia ) · Greece · Hungary · Ireland · Italy · Latvia · Lithuania · Luxembourg · Malta · Netherlands · Poland · Portugal · Romania · Slovakia · Slovenia · Spain (Basque Country · Catalonia · AndalusiaSweden
Iceland · Liechtenstein · Norway · United Kingdom EDPS · EDPB