IP (Slovenia) - 07100-17-2023-7

From GDPRhub
IP - 07100-17-2023-7
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law:
Article 12 ZVOP-2
Article 14 ZVOP-2
Article 15 ZVOP-2
Type: Complaint
Outcome: Partly Upheld
Decided: 25.10.2023
Published: 18.12.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 07100-17-2023-7
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: Informacijski pooblaščenec (in SL)
Initial Contributor: ar

The Slovenian DPA decided that while the controller did not comply with the access request when the complaint was filed, it later remedied the violation by providing the complainant information regarding his application process for a public tender.

English Summary


On 14 July 2023, the Slovenian DPA received a complaint from a data subject alleging a violation of his right to access by the controller. The complainant declared that the controller had refused to grant him access to his data relating to the application process for a public tender. The controller had explained that it could not comply on the basis of professional secrecy.

The DPA noted that the controller had not yet provided the applicant with all the personal data requested. Nonetheless, given that during the proceedings an individual has the right to be informed of the controller's response, the DPA asked the controller whether it could provide the complainant the full response to the complaint, which would implicitly make the controller comply with the initial request. On 25 August 2023, the controller provided an affirmative reply.

Thus, on 20 September 2023, the DPA invited the complainant to inform it within ten days whether he wanted to withdraw the complaint or maintain it since he received the requested personal data. The complainant did not respond to the DPA’s query.


From the access request made by the complainant on 1 May 2023 and subsequent correspondence with the data controller, the DPA noted that the complainant requested from the controller several data: information about the score obtained and the assessment process, information on what his ranking was, and the number of points compared to the highest number of points in the written test.

On the basis of the information, the DPA concluded that the controller did not comply with the complainant's access request at the time of the submission of the request, on 14 July 2023, thus breaching Article 15 of the National Data Protection Act 2022 (ZVOP-2) in conjunction with Articles 12 and 14 ZVOP-2. However, the DPA acknowledged that the controller had subsequently fulfilled its obligations under Articles 12, 14 and 15 ZVOP-2 since it had given the complainant access to all the personal data requested: it had communicated the total number of points and the ranking to the complainant, with further explanations.

As the complainant did not respond to the request for declaration within the deadline and the controller did not send any comments, the DPA considered that the controller, following the DPA's inquiry, had remedied its breach of the right of access.


It must be noted that the GDPR does envisage the possibility of remedying a breach of the right to access. However, under the GDPR, such a remedy does not preclude a controller from being held accountable and liable.

Similarly, there are also no Slovenian laws requiring the DPA to not use its corrective or punitive powers when the violation is remedied during the procedure. In practice, however, it could be argued that the Slovenian DPA sometimes incorrectly uses its powers as it has a more lenient approach. It has been observed that when a violation is remedied during the procedure, the DPA treats the controller with more leniency and often does not impose a fine or implement other measures.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.