IP (Slovenia)

Informacijski pooblaščenec
Name: Informacijski pooblaščenec
Abbreviation: IP
Jurisdiction: Slovenia
Head: Mojca Prelesnik
Deputy: n/a
Address: Dunajska 22, 1000 Ljubljana, Slovenia

Webpage: ip-rs.si
Email: gp.ip@ip-rs.si
Phone: +386 1 230 9730
Twitter: n/a
Procedural Law: n/a
Decision Database: ip-rs.si
Translated Decisions: Category:IP (Slovenia)
Head Count: ca. 40-50
Budget: 1.8 million euros (2018), ca. 2.4 million euros (2020)

The Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec) is the national Data Protection Authority for Slovenia. It resides in Ljubljana and is in charge of enforcing GDPR in Slovenia.

The Information Commissioner is an autonomous and independent body that oversees personal data protection and access to public information in Slovenia. In the field of data protection, it has competencies under the GDPR as well as under the Slovenian Personal Data Protection Act, the Electronic Communications Act, the Act on Patient’s Rights, Passports Act, Identity Card Act, Banking Act, Consumer Credit Act, Decree on unmanned aircraft systems, Decree on the implementation of the Regulation (EU) on the Citizens’ Initiative and the Convention implementing the Schengen Agreement.

Structure

The body consists of four internal organisational units: (1) the cabinet of the Information Commissioner, (2) the Sector for public information, (3) the Sector for protection of personal data, and (4) the administrative-technical service. Opinions are signed by the Information Commissioner and, where applicable, by the staff member who prepared the opinion. Decisions in inspection procedures include information on the staff member who issued the decision on the Information Commissioner’s behalf (with this data being anonymised in the versions published online).

Procedural Information

Applicable Procedural Law

The inspection procedure of the Information Commissioner is regulated by the GDPR, Personal Data Protection Act (Zakon o varstvu osebnih podatkov (ZVOP-1)), Information Commissioner Act (Zakon o Informacijskem pooblaščencu (ZInfP)), Inspection Act (Zakon o inšpekcijskem nadzoru (ZIN)), and General Administrative Procedure Act (Zakon o splošnem upravnem postopku (ZUP)). For procedural matters not regulated in the Inspection Act, the General Administrative Procedure Act applies.

There is no procedural law in place that would regulate the issuing of administrative fines under the GDPR, as the new Personal Data Protection Act (Zakon o varstvu osebnih podatkov (ZVOP-2)), which should ensure the full implementation of the GDPR in Slovenia, still hasn’t been adopted. Therefore, the Information Commissioner can conduct the offences procedure (prekrškovni postopek) only in case of breaches of the few articles in the current Personal Data Protection Act (Zakon o varstvu osebnih podatkov (ZVOP-1)) which are still in force after the GDPR’s entry into force.[1]

Complaints Procedure under Art 77 GDPR

For complaints of data subjects with a supervisory authority (Article 77 of the GDPR), the procedural rules of the General Administrative Procedure Act (Zakon o splošnem upravnem postopku (ZUP)) apply.

Ex Officio Procedures under Art 57 GDPR

You can help us by filling in this section!

Appeals

Appeals against decisions in inspection procedures can be lodged with the Administrative Court.

Practical Information

An individual can report a breach of the GDPR to the Information Commissioner, which then conducts an ex-officio inspection procedure based on the Slovenian Inspection Act. More information, including a recommended form for reporting (in English), is available on the Information Commissioner's website.

Filing with the DPA

You can help us by filling in this section!

Known Problems

You can help us by filling in this section!

Filing an Appeal

You can help us by filling in this section!

Decision Database

https://www.ip-rs.si/varstvo-osebnih-podatkov/praksa-ip

Statistics

In 2018, the Information Commissioner conducted 1,029 inspection procedures on suspected infringements of the Personal Data Protection Act (ZVOP-1) and the GDPR, and issued 2,192 written and 3,230 oral opinions on data protection issues.[2]

  1. Letno poročilo Informacijskega pooblaščenca za leto 2018 (Annual Report of the Information Commissioner for 2018), available at: https://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/Letno_porocilo_2018_FINAL.pdf, introduction, pp. 70, 120.
  2. Letno poročilo Informacijskega pooblaščenca za leto 2018 (Annual Report of the Information Commissioner for 2018), available at: https://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/Letno_porocilo_2018_FINAL.pdf, introduction, pp. 63, 94.

Funding

The Information Commissioner had a budget of €2,232,236.00 in 2019. It is funded by the Republic of Slovenia. All fines and fees go to the federal budget, not into the budget of the IC.

Personnel

In 2019 the IC had 47 employees.

Caseload

The following are the statistics for 2019 according to the IC's Annual Report:

  • 1183 investigation procedures (11.5% more than in 2019),
  • 139 misdemeanor procedures (note: those are not administrative fines as required by GDPR),
  • 1261 non-binding opinions,
  • 137 security breach reports,
  • 73 opinions on regulations.

Average caseload per supervisor:

  • 2017: 61,
  • 2018: 92,
  • 2019: 74.

Fines

For alleged violations of the provisions of ZVOP-1, the Information Commissioner initiated 139 administrative offense proceedings in 2019, of which 83 proceedings were against public sector legal entities and their responsible persons, 32 proceedings were against private sector legal entities and their responsible persons, and 24 proceedings were against natural persons (this figure also includes proceedings against responsible persons of state bodies and self-governing local municipalities, since according to ZP-1 the Republic of Slovenia and self-governing local municipalities are not responsible for administrative offenses, but only their responsible persons - there were 19).

The Information Commissioner stressed that the conduct of administrative offense proceedings and the imposition of sanctions for detected violations have been strongly influenced by the fact that Slovenia has still not adopted a systemic regulation for the application of the GDPR (so-called ZVOP-2). The Information Commissioner could therefore not initiate infringement proceedings and impose sanctions for infringements of the provisions of the GDPR; the IC could only do so for infringements of those articles of ZVOP-1 that are still valid or for controllers to whom ZVOP-1 fully applies.

Annual Reports

The 2019 Annual Report can be found on ip-rs.si.
