IP (Slovenia): Difference between revisions

From GDPRhub
 
(5 intermediate revisions by 5 users not shown)
Line 32: Line 32:
|Procedural Law:||n/a
|Procedural Law:||n/a
|-
|-
|Decision Database:||[https://www.ip-rs.si/vop/ ip-rs.si]
|Decision Database:||[https://www.ip-rs.si/varstvo-osebnih-podatkov/praksa-ip ip-rs.si]
|-
|-
|Translated Decisions:||[[:Category:IP (Slovenia)]]
|Translated Decisions:||[[:Category:IP (Slovenia)]]
Line 51: Line 51:


===Applicable Procedural Law===
===Applicable Procedural Law===
The inspection procedure of the Information Commissioner is regulated by the GDPR, [https://www.ip-rs.si/en/legislation/personal-data-protection-act/ Personal Data Protection Act] (''[http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO3906 Zakon o varstvu osebnih podatkov (ZVOP-1)]''), [https://www.ip-rs.si/en/legislation/information-commissioner-act/ Information Commissioner Act] (''[http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO4498 Zakon o Informacijskem pooblaščencu (ZInfP)]''), [https://www.ip-rs.si/en/legislation/inspections-act/ Inspection Act] (''[http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO3209 Zakon o inšpekcijskem nadzoru (ZIN)]''), and General Administrative Procedure Act (''[http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO1603 Zakon o splošnem upravnem postopku (ZUP)]''). For procedural matters not regulated in the Inspection Act, the General Administrative Procedure Act applies.  
The inspection procedure of the Information Commissioner is regulated by the GDPR, [https://www.ip-rs.si/en/legislation/personal-data-protection-act/ Personal Data Protection Act] (''[http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7959 Zakon o varstvu osebnih podatkov (ZVOP-2)]''), [https://www.ip-rs.si/en/legislation/information-commissioner-act/ Information Commissioner Act] (''[http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO4498 Zakon o Informacijskem pooblaščencu (ZInfP)]''), [https://www.ip-rs.si/en/legislation/inspections-act/ Inspection Act] (''[http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO3209 Zakon o inšpekcijskem nadzoru (ZIN)]''), and General Administrative Procedure Act (''[http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO1603 Zakon o splošnem upravnem postopku (ZUP)]''). For procedural matters not regulated in the Personal Data Protection Act and/or Inspection Act, the General Administrative Procedure Act applies.  


There is no procedural law in place that would regulate the issuing of administrative fines under the GDPR, as the new Personal Data Protection Act (''Zakon o varstvu osebnih podatkov (ZVOP-2)'', which should ensure the full implementation of the GDPR in Slovenia, still hasn’t been adopted. Therefore, the Information Commissioner can conduct the offences procedure (''prekrškovni postopek'') only in case of breaches of the few articles in the current Personal Data Protection Act (''Zakon o varstvu osebnih podatkov (ZVOP-1)'') which are still in force after the GDPR’s entrance into force.<ref name=":0">Letno poročilo Infromacijskega pooblaščenca za leto 2018 (Annual Report of the Information Commissioner for 2018), available at: https://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/Letno_porocilo_2018_FINAL.pdf, introduction, pp. 70, 120.</ref>
The new Personal Data Protection Act (''Zakon o varstvu osebnih podatkov (ZVOP-2)'', which ensured the full implementation of the GDPR in Slovenia, entered into force on 26 January 2023. Before its entry into force, the Information Commissioner conducted only inspection procedures (''prekrškovni postopek'') in cases of breaches of the few articles in the former Personal Data Protection Act (''Zakon o varstvu osebnih podatkov (ZVOP-1)'') which stayed  in force for more than 4 years after the GDPR’s entrance into force.<ref name=":0">Letno poročilo Infromacijskega pooblaščenca za leto 2018 (Annual Report of the Information Commissioner for 2018), available at: https://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/Letno_porocilo_2018_FINAL.pdf, introduction, pp. 70, 120.</ref>
 
Responding to requests regarding the applicability of the GDPR in Slovenia, the IP issued the following response on 26 October 2022:
 
''"[T]he General data protection Regulation (GDPR) is in Slovenia directly applicable, as well as in other EU member states. There are however problems in the practical use of the GDPR which arise from the delay in the adoption of the new Personal Data Protection Act which would define procedural aspects of the use of GDPR and other aspects which the GDPR leaves for definition to the member states (for ex. Art. 6(3), some aspects of Art. 9(2), Art. 10, Art. 23, Art. 88, 89 etc.). This is for example among other issues reflected also in the field of prevention and compliance, as controllers and processors consequently – until the conditions in the national legislation are clearly defined – cannot use certification under the GDPR.''
 
''Consequently some parts of the 2007 Personal Data Protection Act (ZVOP-1) are still valid and in use, which was confirmed also by some late court decisions. These are of course parts of 2007 ZVOP-1 which are not in contradiction with the GDPR which is as stated fully and directly applicable in Slovenia.''
 
''As for the implementation of the Directive 2016/680 it was implemented with the Act on the Protection of Personal Data in the Area of Treatment of Criminal Offences (ZVOPOKD - available in Slovene at: <nowiki>http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO8157</nowiki>).''
 
''Another issue relevant for the analysis of the Data protection legislation in Slovenia is law relevant for the group of controllers which are not subject to the GDPR neither to the ZVOPOKD (for ex. Slovene Intelligence and Security Agency) for these the ‘2007’ ZVOP-1 is still fully applicable and GDPR does not apply to them. The same goes for the aspect of the processing of personal data of deceased individuals which is regulated by Art. 23 of the 2007 ZVOP-1 which also still valid and in use."''


===Complaints Procedure under Art 77 GDPR===
===Complaints Procedure under Art 77 GDPR===
For complaints of data subjects with a supervisory authority (Article 77 of the GDPR), the procedural rules of the General Administrative Procedure Act (''Zakon o splošnem upravnem postopku (ZUP)'') apply.
For complaints of data subjects with a supervisory authority (Article 77 of the GDPR), the procedural rules of Personal Data Protection Act (Zakon o varstvu osebnih podatkov (ZVOP-2)) apply and subsidiarily the General Administrative Procedure Act (''Zakon o splošnem upravnem postopku (ZUP)'') for issues not regulated in ZVOP-2.


===''Ex Officio'' Procedures under Art 57 GDPR===
===''Ex Officio'' Procedures under Art 57 GDPR===
Line 62: Line 72:


===Appeals===
===Appeals===
Appeals against decisions in inspection procedures can be lodged with the Administrative Court.
Appeals against decisions in complaint procedures can be lodged with the Administrative Court.


==Practical Information==
==Practical Information==
An individual can report a breach of the GDPR to the Information Commissioner, which then conducts an ''ex-officio'' inspection procedure based on the Slovenian Inspection Act. More information, including a recommended form for reporting (in English), is available on the Information Commissioner's [https://www.ip-rs.si/en/data-protection/how-to-file-an-application/ website].
An individual can, in case of a breach of the GDPR, lodge a complaint with  the Information Commissioner, which then conducts a complaint procedure based on the Slovenian Inspection Act. More information, including a recommended form for reporting (in English), is available on the Information Commissioner's [https://www.ip-rs.si/en/data-protection/how-to-file-an-application/ website].
 
==Practical Information==
An individual can report a breach of the GDPR to the Information Commissioner, which then conducts an ''ex-officio'' inspection procedure based on the Slovenian Inspection Act. More information, including a recommended form for reporting (in English), is available on the Information Commissioner's [https://www.ip-rs.si/en/data-protection/how-to-file-an-application/ website].


===Filing with the DPA===
===Filing with the DPA===
Line 80: Line 87:


==Decision Database==
==Decision Database==
''You can help us by filling in this section!''
https://www.ip-rs.si/varstvo-osebnih-podatkov/praksa-ip


==Statistics==
==Statistics==
Line 87: Line 94:


===Funding===
===Funding===
''You can help us by filling in this section!''
The Information Commissioner had a budget of €2,232,236.00 in 2019. It is funded by the Republic of Slovenia. All fines and fees go to the federal budget, not into the budget of the IC.


===Personal===
===Personal===
''You can help us by filling in this section!''
''In 2019 the IC had 47 employees.''


===Caseload===
===Caseload===
''You can help us by filling in this section!''
''The following are the statistics for 2019 according to the IC's Annual Report:''
 
* 1183 investigation proceedures (11.5% more as in 2019),
* 139 misdemenaor proceedures (note: those are not administrative fines as required by GDPR),
* 1261 non-binding opinions,
* 137 security breach reports,
* 73 opinions on regulations.
 
Average caseload per supervisor:
 
* 2017: 61,
* 2018: 92,
* 2019: 74.


===Fines===
===Fines===
''You can help us by filling in this section!''
For alleged violations of the provisions of ZVOP-1, the Information Commissioner initiated 139 administrative offense proceedings in 2019, of which 83 proceedings were against public sector legal entities and their responsible persons, 32 proceedings were against private sector legal entities and their responsible persons, and 24 proceedings were against natural persons (this figure also includes proceedings against responsible persons of state bodies and self-governing local municipalities, since according to ZP-1 the Republic of Slovenia and self-governing local municipalities are not responsible for administrative offenses, but only their responsible persons - there were 19).
 
The Information Commissioner stressed that the conduct of administrative offense proceedings and the imposition of sanctions for detected violations have been strongly influenced by the fact that '''Slovenia has still not adopted''' a systemic regulation for the application of the GDPR (so-called ZVOP-2). The Information Commissioner '''could therefore not initiate infringement proceedings''' and impose sanctions for infringements of the provisions of the GDPR; IC could only do so for infringements of those articles of ZVOP-1 that are still valid or for controllers to whom ZVOP-1 fully applies.


===Annual Reports===
===Annual Reports===
''You can help us by filling in this section!''
''2019 Annual Report can be found on [https://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/LetnoPorocilo2019.pdf ip-rs.si].''


{{DataProtectionAuthorities}}
{{DataProtectionAuthorities}}

Latest revision as of 10:51, 6 February 2024

Informacijski pooblaščenec
LogoSI.png
Name: Informacijski pooblaščenec
Abbreviation : IP
Jurisdiction: Slovenia
Head: Mojca Prelesnik
Deputy: n/a
Adress: Dunajska 22

1000 Ljubljana

SLOVENIA

Webpage: ip-rs.si
Email: gp.ip@ip-rs.si
Phone: +386 1 230 9730
Twitter: n/a
Procedural Law: n/a
Decision Database: ip-rs.si
Translated Decisions: Category:IP (Slovenia)
Head Count: ca. 40-50
Budget: 1.8 million euros (2018), ca. 2.4 million euros (2020)

The Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec) is the national Data Protection Authority for Slovenia. It resides in Ljubljana and is in charge of enforcing GDPR in Slovenia.

The Information Commissioner is an autonomous and independent body and it oversees personal data protection and access to public information in Slovenia. In the field of data protection, it has competencies under the GDPR as well as under the Slovenian Personal Data Protection Act, the Electronic Communications Act, the Act on Patient’s Rights, Passports Act, Identity Card Act, Banking Act, Consumer Credit Act, Decree on unmanned aircraft systems, Decree on the implementation of the Regulation (EU) on the Citizens’ Initiative and the Convention implementing the Schengen Agreement

Structure

The body consists of four internal organisational units: (1) the cabinet of the Information Commissioner, (2) the Sector for public information, (3) the Sector for protection of personal data, and (4) the administrative-technical service. Opinions are signed by the Information Commissioner and, where applicable, by a staff member, who prepared the opinion. Decisions in inspection procedures include information on the staff member, who issued the decision on the Information Commissioner’s behalf (with data being anonymsed in the online published versions).

Procedural Information

Applicable Procedural Law

The inspection procedure of the Information Commissioner is regulated by the GDPR, Personal Data Protection Act (Zakon o varstvu osebnih podatkov (ZVOP-2)), Information Commissioner Act (Zakon o Informacijskem pooblaščencu (ZInfP)), Inspection Act (Zakon o inšpekcijskem nadzoru (ZIN)), and General Administrative Procedure Act (Zakon o splošnem upravnem postopku (ZUP)). For procedural matters not regulated in the Personal Data Protection Act and/or Inspection Act, the General Administrative Procedure Act applies.

The new Personal Data Protection Act (Zakon o varstvu osebnih podatkov (ZVOP-2), which ensured the full implementation of the GDPR in Slovenia, entered into force on 26 January 2023. Before its entry into force, the Information Commissioner conducted only inspection procedures (prekrškovni postopek) in cases of breaches of the few articles in the former Personal Data Protection Act (Zakon o varstvu osebnih podatkov (ZVOP-1)) which stayed in force for more than 4 years after the GDPR’s entrance into force.[1]

Responding to requests regarding the applicability of the GDPR in Slovenia, the IP issued the following response on 26 October 2022:

"[T]he General data protection Regulation (GDPR) is in Slovenia directly applicable, as well as in other EU member states. There are however problems in the practical use of the GDPR which arise from the delay in the adoption of the new Personal Data Protection Act which would define procedural aspects of the use of GDPR and other aspects which the GDPR leaves for definition to the member states (for ex. Art. 6(3), some aspects of Art. 9(2), Art. 10, Art. 23, Art. 88, 89 etc.). This is for example among other issues reflected also in the field of prevention and compliance, as controllers and processors consequently – until the conditions in the national legislation are clearly defined – cannot use certification under the GDPR.

Consequently some parts of the 2007 Personal Data Protection Act (ZVOP-1) are still valid and in use, which was confirmed also by some late court decisions. These are of course parts of 2007 ZVOP-1 which are not in contradiction with the GDPR which is as stated fully and directly applicable in Slovenia.

As for the implementation of the Directive 2016/680 it was implemented with the Act on the Protection of Personal Data in the Area of Treatment of Criminal Offences (ZVOPOKD - available in Slovene at: http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO8157).

Another issue relevant for the analysis of the Data protection legislation in Slovenia is law relevant for the group of controllers which are not subject to the GDPR neither to the ZVOPOKD (for ex. Slovene Intelligence and Security Agency) for these the ‘2007’ ZVOP-1 is still fully applicable and GDPR does not apply to them. The same goes for the aspect of the processing of personal data of deceased individuals which is regulated by Art. 23 of the 2007 ZVOP-1 which also still valid and in use."

Complaints Procedure under Art 77 GDPR

For complaints of data subjects with a supervisory authority (Article 77 of the GDPR), the procedural rules of Personal Data Protection Act (Zakon o varstvu osebnih podatkov (ZVOP-2)) apply and subsidiarily the General Administrative Procedure Act (Zakon o splošnem upravnem postopku (ZUP)) for issues not regulated in ZVOP-2.

Ex Officio Procedures under Art 57 GDPR

You can help us filling this section!

Appeals

Appeals against decisions in complaint procedures can be lodged with the Administrative Court.

Practical Information

An individual can, in case of a breach of the GDPR, lodge a complaint with the Information Commissioner, which then conducts a complaint procedure based on the Slovenian Inspection Act. More information, including a recommended form for reporting (in English), is available on the Information Commissioner's website.

Filing with the DPA

You can help us by filling in this section!

Known Problems

You can help us by filling in this section!

Filing an Appeal

You can help us by filling in this section!

Decision Database

https://www.ip-rs.si/varstvo-osebnih-podatkov/praksa-ip

Statistics

In 2018, the Information Commissioner conducted 1.029 inspection procedures on suspected infringements of the Personal Data Protection Act (ZVOP-1) and the GDPR, and issued 2.192 written and 3.230 oral opinions on data protection issues.[2]

  1. Letno poročilo Infromacijskega pooblaščenca za leto 2018 (Annual Report of the Information Commissioner for 2018), available at: https://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/Letno_porocilo_2018_FINAL.pdf, introduction, pp. 70, 120.
  2. Letno poročilo Infromacijskega pooblaščenca za leto 2018 (Annual Report of the Information Commissioner for 2018), available at: https://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/Letno_porocilo_2018_FINAL.pdf, introduction, pp. 63, 94.

Funding

The Information Commissioner had a budget of €2,232,236.00 in 2019. It is funded by the Republic of Slovenia. All fines and fees go to the federal budget, not into the budget of the IC.

Personal

In 2019 the IC had 47 employees.

Caseload

The following are the statistics for 2019 according to the IC's Annual Report:

  • 1183 investigation proceedures (11.5% more as in 2019),
  • 139 misdemenaor proceedures (note: those are not administrative fines as required by GDPR),
  • 1261 non-binding opinions,
  • 137 security breach reports,
  • 73 opinions on regulations.

Average caseload per supervisor:

  • 2017: 61,
  • 2018: 92,
  • 2019: 74.

Fines

For alleged violations of the provisions of ZVOP-1, the Information Commissioner initiated 139 administrative offense proceedings in 2019, of which 83 proceedings were against public sector legal entities and their responsible persons, 32 proceedings were against private sector legal entities and their responsible persons, and 24 proceedings were against natural persons (this figure also includes proceedings against responsible persons of state bodies and self-governing local municipalities, since according to ZP-1 the Republic of Slovenia and self-governing local municipalities are not responsible for administrative offenses, but only their responsible persons - there were 19).

The Information Commissioner stressed that the conduct of administrative offense proceedings and the imposition of sanctions for detected violations have been strongly influenced by the fact that Slovenia has still not adopted a systemic regulation for the application of the GDPR (so-called ZVOP-2). The Information Commissioner could therefore not initiate infringement proceedings and impose sanctions for infringements of the provisions of the GDPR; IC could only do so for infringements of those articles of ZVOP-1 that are still valid or for controllers to whom ZVOP-1 fully applies.

Annual Reports

2019 Annual Report can be found on ip-rs.si.

EU/EEA/UK Data Protection Authorities
Austria · Belgium · Bulgaria · Croatia · Cyprus · Czech Republic · Denmark · Estonia · Finland (Åland) · France · Germany (Baden-Württemberg · Bavaria, private sector · Bavaria, public sector · Berlin · Brandenburg · Bremen · Hamburg · Hesse · Lower Saxony · Mecklenburg-Vorpommern · North Rhine-Westphalia · Rhineland-Palatinate · Saarland · Saxony · Saxony-Anhalt · Schleswig-Holstein · Thuringia ) · Greece · Hungary · Ireland · Italy · Latvia · Lithuania · Luxembourg · Malta · Netherlands · Poland · Portugal · Romania · Slovakia · Slovenia · Spain (Basque Country · Catalonia · AndalusiaSweden
Iceland · Liechtenstein · Norway · United Kingdom EDPS · EDPB