New Personal Data Protection Act Adopted (ZVOP-2)
On 15 December 2022, the National Assembly adopted a new Personal Data Protection Act (hereinafter "ZVOP-2"). The act was published in the Official Gazette of the Republic of Slovenia on 27 December 2022 and will enter into force on 26 January 2023.
The Act transposes the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation), which has been directly applicable since 25 May 2018. The Act introduces some structural changes and a small number of substantive changes, which will have a significant impact on the area of personal data protection.
The new law sets out slightly different introductory principles from the current Personal Data Protection Act (ZVOP-1) and sets out a new way of processing specific types of data. Some previously established terms in the field of personal data protection are also regulated differently.
A key change concerns mainly the business and public sector is the new regulation of the position of Data Protection Officers. In this respect, the law does not introduce a new regulated profession, however, sets out the conditions to be met by these persons. They are required to have practical experience or knowledge in the field of personal data protection, to have no criminal record and to have the capacity to act. A facilitated system for the selection of the authorised person is also provided for.
The Register of personal data collections is abolished, as well as the obligation to notify these collections to the Information Commissioner. This regime is replaced in ZVOP-2 by a processing register for controllers and processors of personal data, which is kept by the controller.
From the individual's point of view, the law removes certain obstacles to the exercise of their rights, by also including partial application of the provisions of the General Administrative Procedure Act. The individual can thus lodge a request for protection directly with the Information Commissioner. Another possibility offered by the new law is to file a separate action before the Administrative Court, without the need to exhaust other legal remedies. A person may bring an action in respect of infringements in the field of the protection of personal rights, for as long as the infringement continues, and may also include a claim for damages in the action.
The new law gives the Information Commissioner slightly more powers, as it can also conduct public interest (ex officio) inspections under the rules of the inspection procedure included in the Inspection Act.
The law also affects some sectoral laws, introducing new rules on video surveillance (for business premises, the workplace and public passenger transport) and biometrics.
How can EY help?
At EY, we follow the changes in the legal area on a regular basis and we keep you informed. Our legal experts can help you identify the legal risks that these changes may bring and advise you on the best way to adapt and conduct business accordingly.
