Slovenia and GDPR – what does the fact that Slovenia did not adopt a GDPR implementing law mean for data protection in Slovenia?
Slovenia is one of the EU member states that has not adopted a GDPR implementing law before 25th of May 2018. In fact, Slovenia might not have such a law for quite some time since, while a draft of the new data protection act is in the parliamentary process since April, the matter has been stalled due to early parliamentary election. Furthermore, it is also uncertain if the draft will be adopted in the current version as there has been notable criticism as to its content, so a revised version of the draft is envisaged to be published in the next months.
While the GDPR is directly applicable, it has left certain questions to the EU member states for (further) regularisation. Since such a law has not been adopted, the Ministry of Justice of the Republic of Slovenia has published explanations of their understanding of the current data protection situation in Slovenia. Given that the competent authority for providing explanations of laws is the parliament as the legislator and, to some extent, the Information Commissioner, these ministry explanations are not binding, but it is nevertheless interesting to see how the current data protection situation in Slovenia is seen through the eyes of a state authority such as the ministry.
In accordance with the explanations, some of the provisions of the current Personal Data Protection Act (ZVOP-1) still remain in force – that is in parts that are not covered by the GDPR. Such are for example the provisions on biometrics, protection of personal data of deceased, judicial protection of rights, direct marketing, video surveillance, registering of entries and exits and database linking.
What is more interesting is the ministry’s view regarding the powers of the Information Commissioner. Namely, the ministry is of the opinion that while at the moment the Information Commissioner has the power to perform inspections under the GDPR as well (and not only the remaining provisions of ZVOP-1), it does not have the power to impose administrative fines and other sanctions for violations of the GDPR but only for violations of the ZVOP-1 in parts that remain in force after the 25th of May. The reasoning behind such opinion lies in the provisions of the Information Commissioner Act (ZInfP) which does not provide for the power to act as a minor offence authority for infringements of the GDPR. In their opinion the provisions of the new ZVOP-2 will be able to provide a legal basis for the Information Commissioner to impose administrative fines but the current legislation does not. This, in the ministry’s opinion, also means that any procedures initiated under ZVOP-1 for matters now regulated by the GDPR will have to be suspended until ZVOP-2 is adopted. The Information Commissioner will, however, have the power to issue inspection sanctions for GDPR infringements as well.
It has, however, been pointed out that for any GDPR infringements as of 25 May 2018 and up to the date of entry into force of the new ZVOP-2, the infringers could be imposed with the administrative fines from the GDPR, if these procedures will be initiated or completed within the general limitation periods for dealing with minor offences.
Additionally, the ministry is of the opinion that the Information Commissioner does not (yet) have the competence to consider the matters from Clauses 16 to 22 of the GDPR which means that individuals only have the right to file for judicial protection under ZVOP-1 but not to file a complaint with the supervisory authority under GDPR.
These are the unbinding opinions of the Ministry of Justice, while the Information Commissioner has not yet issued her views on the matter. It will be interesting to see how these provisions end up being enforced since, while it is envisaged for the new version of the draft ZVOP-2 to be published by the end of summer this year, it might take a lot longer for the law to actually be passed.