Privireal Home Page Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Slovenia - Data Protection

History of Data Protection in SLOVENIA

In Slovenia, the Personal Data Protection Laws of 1990 And 1991 were the first pieces of legislation in this area, quickly finding their way onto the statute books after the political upheavals of the immediately preceding years. These laws were subsequently amended in 1999.

As Slovenia aimed for admittance to the European Union, it became necessary to further amend the laws in order to render them in accord with Directive 95/46/EC. These amendments took place in 2001 and 2002, and on 1 May 2004, Slovenia became a member of the Union.

Summary of Data Protection in SLOVENIA

Title of Data Protection Legislation Personal Data Protection Act 1999
Name of supervisory authority Inspectorate for Personal Data Protection
General Powers of supervisory authority The Act of the 26 June 2001, which amended the Personal Data Protection Act, sets out the functions of the Inspectorate: Article 27a states "the inspectorate shall ensure uniform application of the measures for personal data protection and shall co-operate with the ministry on the preparation of regulations on personal data protection". Article 27d and e sets out the tasks involved in the inspection process:
"As part of inspection, the inspectorate shall:
- supervise the legality of data-processing;
- supervise the application and appropriateness of the procedures and measures for personal data protection as laid down by internal regulations of natural persons and legal entities from Article 14 of this Act;
- supervise the implementation of the provisions of this Act relating to data catalogues, the joint catalogue and the recording of the imparting of personal data to individual users;
- supervise the implementation of the provisions of this Act relating to the conveyance of data out of the country and its placing at the disposal of foreign users."
Article 27e
"In the course of conducting inspection and supervision, an inspector shall be entitled to:
- inspect documentation relating to data-processing, and the conveyance of data outside the country and its placing at the disposal of foreign users;
- inspect the contents of databases, and of data catalogues and the joint personal data catalogue;
- inspect documentation and acts governing the security of personal data;
- inspect premises in which personal data is processed, as well as computer and other equipment and technical documentation;
- check personal data security measures and procedures, and the implementation thereof;
- perform other tasks defined by law."
Who has standing to notify the supervisory authority of breaches? The Inspectorate for Personal Data Protection can begin investigations on its own initiative. Although not outlined explicitly in the law, it is reasonable to assume that they could act on a complaint from at least the data subject, if not anybody.
What are the penalties for data controllers if they breach the law? Articles 30- 34 of the 1999 Act provides for fines to be levied on data controllers if they breach the law.
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? See Article 8, paragraph 4 of the Personal Data Protection Act: "The use of the same connecting code when acquiring personal data from databases covering the areas of public security, national security, national defence, justice and healthcare shall not be permitted".
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably necessary to get consent when is not impracticable or inappropriate.
Does the Data Protection Legislation cover the deceased? Immediate family members can object to the processing of the deceased's personal data (Article 12 of the 1999 Act).
Who is able to indirectly identify the data subject? Anybody.

Laws and Regulations