IP (Slovenia) - 07101-22/2023/7

From GDPRhub
IP - 07101-22/2023/7
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 6(1) GDPR
Article 12 GDPR
Article 15 GDPR
Type: Complaint
Outcome: Rejected
Started: 16.10.2023
Decided: 08.01.2024
Published: 31.01.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 07101-22/2023/7
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Slovenian
Original Source: Informacijski pooblaščenec (in SL)
Initial Contributor: im

The controller was not ordered to take any specific measures after they missed the deadline to respond to data subject’s access request at they followed the DPA’s order to take a decision.

English Summary


On 31 August 2023 the data subject received a marketing message. As he was curious to know how the controller obtained his data, he sent him a data access request, to which the controller did not reply. Therefore, the data subject filed a complaint with the Slovenian DPA.

On 18 October 2023, the controller was requested by the DPA to take a written decision on the applicant's request in accordance with Article 12 GDPR and Article 15 GDPR.

On 3 November 2023, the data controller sent an email to the DPA, indicating that they responded to the request for access to personal data and removed the data subject from the customer database.

On 8 November 2023, the data subject informed that he received a response in which the controller apologized for the delayed response. However, the apology did not change the fact that the controller missed the legally prescribed deadline, thereby violating the law and committing an offense for which a fine is prescribed.

The controller stated the data subject had voluntarily subscribed to receive notifications on 19 June 2015. In connection with this, the applicant pointed out that there were changes in data protection legislation in recent years, and controllers were required to re-obtain consent for further use or delete data. Therefore, the data subject’s claimed that retaining the data for 8 years longer and starting using the same data after a period of 8 years was unlawful and unsolicited marketing communication.

The data subject insisted on reporting the violations, believing that the controller stored and used his data without a legal basis.


The DPA acknowledged that the controller complied with the data subject’s request after the expiration of a 1-month deadline. However, the controller remedied this breach by a response to the data subject based on the DPA’s request of 18 October 2023. As a result, the DPA did not find a violation of unlawful storage of data lacking a basis according to Article 6(1) GDPR.

Regarding the allegations concerning the unlawful use of personal data for direct marketing, the DPA stated that it is not competent to take action in the area regulated by the Slovenian Electronic Communications Act which mirrors the ePrivacy Regulation.

Consequently, the DPA found no infringements on the side of the controller and the controller was not ordered to take any specific measures.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.