> Personal Data Protection

New Personal Data Protection Act comes into force on 26 January 2023 – what does it bring?

The new Personal Data Protection Act (ZVOP-2) was adopted by the National Assembly on 15 December 2022 and published in the Official Journal on 27 December 2022, with a 30-day vacatio legis. This means that it will enter into force on 26 January 2023.

With its entry into force, the new much-anticipated ZVOP-2[1] brings some important changes, the most important of which is that the Information Commissioner (which remains the supervisory authority) will be able to impose the fines prescribed by the General Data Protection Regulation (GDPR). In transitional provisions, the Act provides that minor offence proceedings initiated before the Information Commissioner or the courts before the entry into force of ZVOP-2 shall be concluded in accordance with the previous Personal Data Protection Act (Official Journal of the Republic of Slovenia, No. 94/07 – official consolidated text; hereinafter: ZVOP-1), unless ZVOP-2 is more lenient for the offender. However, inspection procedures initiated pursuant to ZVOP-1 shall continue in accordance with ZVOP-2.

The novelties we reported on in early 2022 have largely been retained in the final version of the law, so we will not repeat them here. Among the unmentioned novelties and those that may be regulated slightly differently than foreseen in the draft from the previous blog post, we would like to highlight the following:

  1. ZVOP-2 provides for two new grounds for the processing of special categories of personal data, namely (i) the processing of data relating to national or ethnic origin in the public sector, inter alia, for the purposes of ensuring equal opportunities, guaranteed special rights and the like, and (ii) the processing of all special categories of personal data in the intelligence, security and counter-intelligence fields, where so provided by law.
  2. repeals the list of third countries referred to in Article 66 of ZVOP-1, i.e. countries which have been found by the Information Commissioner to have an adequate level of protection of personal data, or not to have such a level of protection, in whole or in part. Taking into account the decisions adequacy decisions adopted by the European Commission[2], this will mean that Macedonia will no longer be on the list of third countries for which no additional basis for personal data transfers is required, and (pending any new decisions) it will be necessary to find another legal basis (e.g. standard contractual clauses) for personal data transfers to Macedonia.
  3. It also regulates a transitional period until the implementation of the accreditation procedures, as these will be implemented as of 1.January 2024. In the interim period, processing operations subject to certification (e.g. processing of biometric data) are deemed to comply with the criteria of the certification mechanism, provided that the processing operations are in compliance with the rules on the protection of personal data.
  4. It also allows controllers some time to comply with the new obligation to keep processing logs (Article 22 of ZVOP-2). It foresees that the keeping of processing logs must be brought in line with the law only within 2 years of its entry into force, i.e. by 26. January 2025.

In addition to video surveillance and biometrics, the law also regulates certain other areas left to the Member States by the GDPR (such as processing for scientific research, statistical and archival purposes, and the protection of freedom of expression and access to public information in relation to the protection of personal data), and sets out the powers of the supervisory authority as well as fines for breaches of the provisions of the ZVOP-2.


[1] We have been waiting for it since 25 May 2018.
[2] Which in part relate to the same countries as did the decisions of the information commissioner.