On 15 July 2022, the Government of the Republic of Slovenia again accepted for consideration the long-awaited Personal Data Protection Act (ZVOP-2), which details the implementation of the General Data Protection Regulation (GDPR) and regulates areas that were not previously defined.


An important novelty of ZVOP-2 is the introduction of administrative penalties for offences in the field of personal data protection, which are significantly higher than those currently defined in Slovenian legislation and which could not be imposed before the adoption of ZVOP-2. The maximum amount of the administrative fine will now be EUR 20,000,000.00 or, in the case of a company, 4% of the total global annual turnover in the previous fiscal year, whichever is higher.

On 17 July 2022, the Information Commissioner also began to call upon all controllers and processors to fulfil their obligation to designate a data protection officer. According to Article 37 of the GDPR, a data protection officer must be designated by controllers and processors:

  • in the public sector (with some exceptions),
  • in the private and public sector, if their core activities include regular and systematic monitoring of data subjects on a large scale (by virtue of nature, scope or purposes),
  • in the private and public sector, if their core activities include processing on a large scale of special categories of data (racial or ethnic origin, political opinion, religious or philosophical beliefs or trade union membership, genetic data, biometric data, health-related data, data on entry or deletion of criminal records regarding convictions or offences).


ZVOP-2 regulates in more detail areas that were not previously regulated, among others:

  • judicial enforcement of data subjects’ rights against the personal data controller directly in court/administrative dispute without prior proceedings before the Information Commissioner,
  • detailed regulation of the procedure for exercising the rights of a data subject before the controller or processor and charging for the provision of data, which also includes securing the data and the mandatory use of administrative procedure provisions,
  • mandatory keeping of data processing logs in automated systems for two years,
  • implementation of special security measures in the processing of specific categories of personal data, particularly compliance with the provisions of the Information Security Act (Official Gazette of the Republic of Slovenia, no. 30/18 and 95/21) on security requirements and notification of incidents (which includes preparation of Information Security Management System and Business Continuity Management System documentation and systemic prevention of disclosure of personal data to third parties),
  • detailed definition of the circumstances that require a data protection impact assessment (DPIA) and the circumstances that require a review of the DPIA,
  • detailed regulation of the procedure for transmission of data between controllers,
  • determination of the maximum retention period for personal data and the duty to ensure documented deletion of data,
  • the conditions for the designation of a data protection officer (DPO) and the definition/prohibition of conflict of interest in the designation of a DPO,
  • the method for preparing approved sectoral/industry codes of conduct and certification of compliance with certification mechanisms according to Articles 41 and 42 of the GDPR,
  • deepening the duties of video-surveillance providers and video surveillance in public areas,
  • expanding the duties of biometrics providers and limiting the processing of genetic data,
  • when the processing of publicly available contact data is permitted and when copying of personal documents is allowed.


The ZVOP-2 and GDPR require data controllers to continue the activities that they had already carried out under ZVOP-1, i.e. preparation of mandatory:

  • filing system catalogues, now ‘Information that must be provided to the data subject’ and ‘Records of processing activities’ (previously Article 26 of the ZVOP-1, now Articles 13, 14 and 15 of the GDPR and Article 30 of the GDPR),
  • rules and operational procedures on the protection of personal data (previously Article 25 of the ZVOP-1, now Articles 24, 25 and 32 of the GDPR), and
  • data processing contracts with each contractual processor of personal data (previously Article 11 of the ZVOP-1, now Article 28 of the GDPR).


The GDPR also requires that controllers perform activities that were not required before:

  • perform a prior data protection impact assessment (DPIA) (Article 35 of the GDPR),
  • draw up detailed consents for the processing of personal data (Article 7 of the GDPR),
  • the obligation to take data protection into account in the planning and operation of IT systems, the services offered and the related processing of data (privacy by design and default, Article 25 of the GDPR),
  • the obligation to keep processing records for data processors (Article 30 of the GDPR),
  • the obligation to inform supervisory authorities and data subjects about personal data breaches (Articles 33 and 34 of the GDPR),
  • designation of a data protection officer who may also be an external contractor (Article 37 of the GDPR).