Page 1

HOME NEWS LEGISLATION FORMS PUBLICATIONS ABOUT THE COMMISSIONER

Constitution

Law on Protection of Personal Data

Reform of the European
legislative framework for protection
personal data

Official Gazette of the RS, no. 94/07 - official consolidated text

Information Act
authorized person

PART I - GENERAL PROVISIONS

Personal Protection Act
data
Billing Policy
costs in exercising the right
individual to become acquainted with
own personal data
Rules on management methodology
register of personal data files
Acquisition policy
necessary information for
deciding on the amount of personal
data to third countries
Access to Information Act
of a public nature

+-

Content of the law

Article 1

This Act lays down the rights, obligations, principles and measures to prevent unconstitutional, illegal and
unjustified encroachments on the privacy and dignity of an individual (hereinafter:
individual) in the processing of personal data.

The principle of legality and fairness

Article 2

Inspection Act
General Administrative Act
procedure
Personal Protection Act
data in the field
dealing with criminal offenses

Personal data is processed lawfully and fairly.

Proportionality principle

Article 3

Other laws
Comments Information
Commissioner on proposals
regulations
International regulations

The personal data processed must be relevant and appropriate in scope to the purposes for which they are collected and
further
processed.

Prohibition of discrimination

Article 4

The protection of personal data is guaranteed to every individual, regardless of nationality, race, color, religion,
ethnicity, gender, language, political or other beliefs, sexual orientation, wealth, birth,
education, social status, citizenship, place or type of residence or any other personal circumstance.

Territorial validity of this Act

Article 5

(1) This Act applies to the processing of personal data if the personal data controller is established, has its registered office or is
registered in the Republic of Slovenia or if the branch of the personal data controller is registered in the Republic of Slovenia.
(2) This Act shall also apply if the personal data controller is not established, has no registered office or is not registered in the country
Member State of the European Union or is not part of the European Economic Area and is used for the processing of personal data
automatic or other equipment located in the Republic of Slovenia, unless this equipment is used only for transmission
personal data through the territory of the Republic of Slovenia.
(3) The personal data controller referred to in the preceding paragraph must designate a natural or legal person who has its registered office or is
registered in the Republic of Slovenia, which represents it with regard to the processing of personal data in accordance with this Act.
(4) This Act also applies to diplomatic and consular and other official missions of the Republic of Slovenia abroad.

The meaning of terms

Article 6

The terms used in this Act have the following meaning:
1. Personal data - is any data relating to an individual, regardless of the form in which it is expressed.
2. Individual - is a specific or identifiable natural person to whom personal data relates; he is a natural person
identifiable if it can be identified, directly or indirectly, in particular by reference to an identification number, or
to one or more factors specific to its physical, physiological, mental, economic, cultural or social
identity, the method of identification not incurring high costs, disproportionately or effortlessly
a lot of time.
3. Processing of personal data - means any action or series of actions carried out in relation to personal data,
which are processed automatically or which, in the case of manual processing, are part of the personal data file or are intended to be included in the database
personal data, in particular the collection, retrieval, entry, editing, storage, adaptation or modification, retrieval,
access, use, disclosure by transmission, communication, dissemination or other making available, classification or
linking, blocking, anonymizing, deleting or destroying; processing can be manual or automated (means
processing).
4. Automated processing - is the processing of personal data by means of information technology.
5. Personal data file - is any structured set of data containing at least one personal data that is accessible on
based on criteria that allow the use or aggregation of data, whether the set is centralized, decentralized or
dispersed on a functional or geographical basis; a structured data set is a data set organized on such
a way to determine or enable the identifiability of an individual.
6. Personal data controller - is a natural or legal person or other person in the public or private sector who himself
or, together with others, determines the purposes and means of personal data processing or the person determined by law who
it also specifies the purposes and means of processing.
7. Contractual processor - is a natural or legal person who processes personal data in the name and on behalf of the controller
personal data.
8. User of personal data - is a natural or legal person or other person of the public or private sector to whom
provide or disclose personal information.
9. Transmission of personal data - is the transmission or disclosure of personal data.
10. Foreign user and foreign controller of personal data - is a user of personal data in a third country and a controller
personal data in a third country.
11. Third country - is a country that is not a Member State of the European Union or part of the European Economic Area.
12. Catalog of the personal data collection - is a description of the personal data collection.
13. Register of personal data collections - is a register containing data from catalogs of personal data collections.
14. Personal consent of the individual - is a voluntary statement of the will of the individual that his personal data may be
processed for a specific purpose, and is given on the basis of information to be provided by the controller under this Act;
the personal consent of the individual may be the written, oral or other appropriate consent of the individual.
15. Written consent of the individual - is the signed consent of the individual, which takes the form of a document specified in the contract,
provisions in the contract, annexes to the application or other form in accordance with the law; the signature is also based on the law with the signature
uniform form given by telecommunication and, on the basis of the law, by signature, the uniform form
given by an individual who cannot or cannot write.
16. Oral or other appropriate consent of an individual - is oral or by telecommunication or other appropriate
by means or by any other appropriate means of consent given, from which it may undoubtedly be inferred to the individual
consent.
17. Blocking - is such marking of personal data as to limit or prevent their further processing.
18. Anonymisation - is such a change in the form of personal data that it can no longer be linked to the individual
whether this is only possible with disproportionately high effort, cost or time.
19. Sensitive personal data - are data on racial, national or ethnic origin, political, religious or
philosophical belief, trade union membership, medical condition, sexual life, enrollment or erasure in or out of criminal
records or records kept on the basis of the law governing misdemeanors (hereinafter: misdemeanor records);
Sensitive personal data are also biometric characteristics if their use makes it possible to identify an individual in a relationship
with any of the above circumstances.
20. The same connecting signs - are a personal identification number and other unique identifiers defined by law
individual numbers, with the use of which it is possible to collect or retrieve personal data from those personal data collections
data in which the same connecting characters are also processed.
21. Biometric characteristics - are such physical, physiological and behavioral characteristics that all individuals have, but are
unique and permanent for each individual individually and it is possible to determine the individual with them, especially through use
fingerprint, image of papillary lines from finger, iris, retina, face, ear, deoxyribonucleic
acids and characteristic postures.
22. Public sector - are state bodies, bodies of self-governing local communities, holders of public authority, public agencies,
public funds, public institutes, universities, independent higher education institutions and self-governing national communities.
23. Private sector - are legal and natural persons carrying out an activity under the law governing companies or
public utilities or crafts, and persons governed by private law; the private sector are public economic institutes, public
enterprises and companies, regardless of the share or influence of the state, self - governing local community or
self-governing national communities.

Exceptions to the application of this Act

Article 7
(1) This Act shall not apply to the processing of personal data carried out by individuals exclusively for personal use,
family life or for other domestic needs.
(2) Personal data processed about their members by political parties, trade unions, associations or religious communities shall not be
Articles 26, 27 and 28 of this Act shall apply.
(3) The second paragraph of Article 25 shall not apply to personal data processed by the media for the purposes of informing the public.
Articles 26, 27 and 28 and Part V of this Act.
(4) Personal data controllers with less than 50 employees need not fulfill the obligations referred to in the second paragraph of Article 25.
Article and obligations referred to in Articles 26 and 27 of this Act.
(5) The exceptions referred to in the preceding paragraph shall not apply to personal data files maintained by personal data controllers.
data from the public sector, notaries, lawyers, detectives, bailiffs, private security providers, private health
workers, healthcare providers and personal data controllers who maintain databases containing sensitive
personal data and the processing of sensitive personal data is part of their registered activity.

II. PART - PROCESSING OF PERSONAL DATA

Chapter 1

Legal bases and purposes

General definition

Article 8

(1) Personal data may be processed only if the processing of personal data and the personal data being processed are determined by
by law or if the personal consent of the individual is given for the processing of certain personal data.
(2) The purpose of the processing of personal data must be determined by law, in the case of processing on the basis of personal consent
however, the individual must be informed in advance in writing or in another appropriate manner of the purpose of the processing
personal data.

Legal bases in the public sector

Article 9

(1) Personal data in the public sector may be processed if the processing of personal data and personal data
processed, provided by law. The law may stipulate that certain personal data may be processed only on the basis of personal data
the consent of the individual.
(2) Holders of public authorizations may also process personal data on the basis of the personal consent of an individual without
basis in law, when it is not a question of performing their tasks as holders of public authority. Personal data collections,
resulting from this must be separated from personal data files created from the performance of tasks
holder of public authority.
(3) Notwithstanding the first paragraph of this Article, personal data of individuals who have
concluded a contract with the public sector or, at the initiative of an individual, are in the process of negotiating
if the processing of personal data is necessary and appropriate for the performance of contract negotiations or for the
performance of the contract.
(4) Notwithstanding the first paragraph of this Article, in the public sector, personal data that are
necessary for the exercise of legitimate public sector powers, tasks or obligations, provided that such processing does not
the legitimate interest of the data subject.

Legal bases in the private sector

Article 10

(1) Personal data in the private sector may be processed if the processing of personal data and personal data
processed, provided by law or if the personal consent of the individual is given for the processing of certain personal data.
(2) Notwithstanding the preceding paragraph, the personal data of individuals who have
concluded a contract with the private sector or, at the initiative of an individual, are in the process of negotiating
if the processing of personal data is necessary and appropriate for the performance of contract negotiations or for the
performance of the contract.
(3) Notwithstanding the first paragraph of this Article, personal data may be processed in the private sector if this is necessary due to
the legitimate interests of the private sector and those interests clearly outweigh the interests of the individual,
to which the personal data relate.

Contract processing

Article 11

(1) The personal data controller may entrust individual tasks related to the processing of personal data with a contract
to a contractual processor registered to perform such activity and providing appropriate procedures and measures
referred to in Article 24 of this Act.
(2) The contractual processor may perform individual tasks related to the processing of personal data within the framework
may not process the Client's credentials and personal data for any other purpose. Mutual rights and
obligations shall be governed by a contract, which must be in writing and must include an agreement on procedures and
measures referred to in Article 24 of this Act. The personal data controller shall supervise the implementation of the procedures and measures referred to in Article 24
of this Act.
(3) In the event of a dispute between the personal data controller and the contractual processor, the contractual processor is obliged to do so
the processor shall, at the request of the controller, return the personal data which he has contractually processed
to the manager. Any copies of this information must be destroyed immediately or transmitted to a national authority in accordance with
competent by law to detect or prosecute criminal offenses, by a court or other public authority, if
the law.
(4) In the event of termination of the contractual processor, personal data shall be returned without undue delay.
personal data controller.

Protecting the vital interests of the individual

Article 12

If the processing of personal data is strictly necessary to protect the life or body of an individual, it may be his
they process personal data regardless of the fact that there is no other legal basis for the processing of such data.

Processing of sensitive personal data

Article 13

Sensitive personal data may only be processed in the following cases:
1. if the individual has given his or her explicit personal consent, which is generally written, but also determined in the public sector by
by law;
2. if the processing is necessary in order to fulfill the obligations and special rights of the controller of personal data on
in the field of employment in accordance with the law, which also provides for adequate guarantees of the rights of the individual;
3. if the processing is strictly necessary to protect the life or body of the data subject
or other persons where the data subject is not physically or commercially involved
able to give its consent referred to in point 1 of this Article;
4. if they are processed for the purposes of lawful activities by institutions, associations, societies, religious communities, trade unions or other
non-profit organizations with a political, philosophical, religious or trade union aim, but only if the processing relates to
their members or individuals who are in regular contact with them in relation to these objectives, and if this information is not provided
to other individuals or persons in the public or private sector without the written consent of the individual to whom it relates
refer;
5. if the data subject has made this public without obvious or explicit information
intended to limit the purpose of their use;
6. if for the purposes of health care of the population and individuals and management or provision of health services
processed by healthcare professionals and healthcare associates in accordance with the law;
7. if this is necessary for the purpose of asserting or opposing a legal claim;
8. if so provided by another law for the purpose of exercising the public interest.

Securing sensitive personal data

Article 14

(1) Sensitive personal data must be specially marked and protected during processing in such a way that unauthorized
prevent persons from accessing them, except in the case referred to in point 5 of Article 13 of this Act.
(2) When transmitting sensitive personal data over telecommunication networks, the data shall be deemed to be appropriate
secured if transmitted using cryptographic methods and an electronic signature so that it is secured
their illegibility or unrecognizability during transmission.

Automated decision making

Article 15

Automated processing of personal data, in which a decision can be made about the individual, which results
legal effects in relation to or significantly affected by it and based solely on automated data processing which is
intended to evaluate certain personal aspects relating to him, such as, in particular, his performance at work,
creditworthiness, reliability, conduct or fulfillment of the required conditions is permitted only if the decision is:
1. taken during the conclusion or performance of a contract, provided that the initiative to conclude or
filed by the data subject, fulfilled or that there are appropriate safeguards in place
his legitimate interests, such as, in particular, arrangements which enable him to object to such a decision or to express his
position;
2. determined by law, which also determines measures for the protection of the legitimate interests of the individual to whom they relate
personal data, in particular the possibility of an appeal against such a decision.

Purpose of collection and further processing

Article 16

Personal data may only be collected for specified and lawful purposes and may not be further processed in such a way as to
their processing is inconsistent with these purposes, unless otherwise provided by law.

Processing for historical, statistical and scientific research purposes

Article 17

(1) Irrespective of the original purpose of the collection, personal data may be further processed for historical, statistical and
scientific research purposes.
(2) Personal data shall be transmitted to the user of personal data for the purpose of processing referred to in the preceding paragraph in
in an anonymised form, unless otherwise provided by law, or if the data subject does not
previously given written consent to be processed without anonymization.
(3) Personal data transmitted to the user of personal data in accordance with the preceding paragraph
upon completion of the processing, unless otherwise provided by law. The user of personal data must be the controller of personal data
the person who provided the personal data to him, without delay after their destruction, to inform in writing when and to what
the way he destroyed them.
(4) The results of the processing referred to in the first paragraph of this Article shall be published in an anonymised form, unless otherwise provided by law
or if the data subject has given written consent for publication in a non-anonymised form
or if the written consent of the heirs of the deceased under this Act is given for such publication.

Chapter 2

Protection of individuals

Accuracy and up-to-dateness of personal data

Article 18

(1) The personal data processed must be accurate and up-to-date.
(2) Before entering into the personal data file, the personal data controller may verify the accuracy of personal data by
access to an identity document or other relevant public document of the individual to whom they relate.

Informing the individual about the processing of personal data

Article 19

(1) If personal data are collected directly from the individual to whom they relate, the personal data controller must
data or his representative to communicate the following information to the individual, if the individual is not already familiar with it:
Data on the personal data controller and his / her possible representative (personal name, title or company name, and
address or registered office),
- the purpose of the processing of personal data.
(2) If, in view of the special circumstances of the collection of personal data referred to in the preceding paragraph, it is necessary to ensure
lawful and fair processing of personal data of an individual, the person referred to in the previous paragraph must to the individual
also provide additional information if the individual is not already familiar with it, in particular:
- an indication of the user or type of user of his personal data,
- an indication of whether the collection of personal data is compulsory or voluntary, and the possible consequences if it is not voluntary
provided data
- information on the right to inspect, transcribe, copy, supplement, correct, block and delete personal data,
relating to it.
(3) If personal data have not been collected directly from the individual to whom they relate, the controller must
personal data or his representative to the individual at the latest upon entry or transmission of personal data
communicate the following information to the user of personal data:
Data on the personal data controller and his / her possible representative (personal name, title or company name, and
address or registered office),
- the purpose of the processing of personal data.
(4) If, in view of the special circumstances of the collection of personal data referred to in the preceding paragraph, it is necessary to ensure
lawful and fair processing of personal data of an individual, the person referred to in the previous paragraph must to the individual
also provide additional information, in particular:
- information on the type of personal data collected,
- an indication of the user or type of user of his personal data,
- information on the right to inspect, transcribe, copy, supplement, correct, block and delete personal data,
relating to it.
(5) The information referred to in the third and fourth paragraphs of this Article need not be provided if this would be due to the processing of personal data.
data for historical, statistical or scientific research purposes would be impossible or costly,
disproportionate effort or time-consuming or if the law expressly provides for the registration or
data.

Using the same hyphen

Article 20

(1) When obtaining personal data from personal data collections in the field of health, police, intelligence and security
activities of the state, the defense of the state, the judiciary and the public prosecutor's office, as well as criminal and misdemeanor records
the use of the same connecting sign is permitted in such a way that only this data would be used to obtain personal data
sign.
(2) Notwithstanding the preceding paragraph, the same connecting sign may exceptionally be used for the acquisition of personal data,
if this is the only information in a specific case that can enable a crime to be detected or prosecuted
duties to secure the life or body of an individual or to ensure the performance of intelligence and security tasks
bodies designated by law. An official note or other written record must be made without delay.
(3) The first paragraph of this Article shall not apply to the land register and the court register.

Retention period of personal data

Article 21

(1) Personal data may be stored only for as long as is necessary to achieve the purpose for which they were
collected or further processed.
(2) After fulfilling the purpose of processing, personal data shall be deleted, destroyed, blocked or anonymised if they are not based on
of the law governing archival material and archives defined as archival material, or if the law for individual types
does not specify personal data otherwise.

Transmission of personal data

Article 22

(1) The personal data controller must intervene against the payment of transmission costs, unless otherwise provided by law
personal data to users of personal data.
(2) The administrator of the central population register or records of permanently and temporarily registered residents must, in a manner
designated for the issue of the certificate shall be forwarded to the beneficiary who demonstrates a legal interest in
public sector, the personal name and address of the permanent or temporary residence of the individual against whom he is asserting
their rights.
(3) For each transmission of personal data, the personal data controller must ensure that it is possible later
determine which personal data have been transmitted, to whom, when and on what basis, for a period when it is possible
legal protection of the right of the individual due to inadmissible transmission of personal data.
(4) Notwithstanding the first paragraph of this Article, the personal data controller in the public sector is obliged to the user
personal data in the public sector to provide personal data without paying the costs of transmission, unless the law
provides otherwise or in the case of use for historical, statistical or scientific research purposes.

Protection of personal data of deceased individuals

Article 23

(1) The controller of personal data may provide data on the deceased individual only to those users of personal data
data authorized by law to process personal data.
(2) Notwithstanding the previous paragraph, the personal data controller shall forward the data on the deceased individual to the person who is
under the law governing inheritance, his legal heir of the first or second hereditary order, if for the use of personal
data shows a legal interest, and the deceased individual did not prohibit the transmission of this personal data in writing.
(3) Unless otherwise provided by law, the personal data controller may also provide the data referred to in the preceding paragraph
any other person who intends to use this data for historical, statistical or scientific research
purposes if the deceased individual did not prohibit the transmission of this personal data in writing.
(4) If the deceased individual has not submitted the prohibition referred to in the preceding paragraph, the persons who, according to the law governing inheritance,
his legal heirs of the first or second hereditary order shall prohibit in writing the transmission of his data if the law
does not specify otherwise.

Chapter 3

Personal data protection

Content

Article 24

(1) The protection of personal data comprises organizational, technical and logical-technical procedures and measures by which
protect personal data, prevent accidental or intentional unauthorized destruction of data, their alteration
or loss and unauthorized processing of this data by:
1. protect premises, equipment and system software, including input-output units;
2. protects the application software with which personal data are processed;
3. prevents unauthorized access to personal data during their transfer, including transfer via
telecommunications
resources and networks;
4. provides an effective means of blocking, destroying, deleting or anonymising personal data;
5. enables later determination of when individual personal data were entered into the personal data file,
used or otherwise processed and who did so, for a period when legal protection of the right is possible
individual for the inadmissible transmission or processing of personal data.
(2) In the case of the processing of personal data accessible via a telecommunication means or network, they must
hardware, system and application software to ensure that the processing of personal data in personal data files
data within the limits of the authorization of the user of personal data.
(3) Procedures and measures for the protection of personal data must be appropriate to the risk it poses
the processing and nature of certain personal data being processed.
(4) Officials, employees and other individuals who perform work or tasks for persons who process personal data,
they are obliged to protect the confidentiality of personal data with which they become acquainted in the performance of their functions, work and tasks.
The duty to protect the confidentiality of personal data also obliges them after the termination of their function, employment, performance of work or
tasks or the provision of contractual processing services.

Duty of insurance

Article 25
(1) Personal data controllers and contractual processors are obliged to ensure the protection of personal data in a manner
referred to in Article 24 of this Act.
(2) The controllers of personal data shall prescribe in their acts the procedures and measures for the protection of personal data and
designate the persons responsible for certain personal data files and the persons who, due to the nature of their work
process certain personal data.

Chapter 4

Notification of personal data files

Catalog of personal data collection

Article 26

(1) The controller of personal data shall establish a catalog of the personal data file for each personal data collection, which
contains:
1. the name of the personal data file;
2. data on the personal data controller (for a natural person: personal name, business address or address
permanent or temporary residence, and for a sole proprietor of an individual, the company name, registered office and registration number;
for a legal entity: name or company name and address or registered office of the personal data controller and registration number);
3. the legal basis for the processing of personal data;
4. the categories of data subjects;
5. types of personal data in the personal data file;
6. purpose of processing;
7. period of retention of personal data;
8. restrictions on the rights of individuals with regard to personal data in the personal data file and the legal basis for restrictions;
9. users or categories of users of personal data contained in the personal data file;
10. the fact whether personal data are exported to a third country, where, to whom and the legal basis for the export;
11. general description of personal data protection;
12. data on related databases of personal data from official records and public books;
13. data on the representative referred to in the third paragraph of Article 5 of this Act (for a natural person: personal name, address
performance of an activity or the address of permanent or temporary residence, and for a sole proprietor of an individual
company name, registered office and registration number; for a legal entity: title or company name and address or registered office of the personal data controller
data and registration number).
(2) The personal data controller must take care of the accuracy and up-to-dateness of the contents of the catalog.

Informing the supervisory authority

Article 27

(1) The personal data controller shall forward the data referred to in points 1, 2, 4, 5, 6, 9, 10, 11, 12 and 13 of the first paragraph
Article 26 of this Act to the State Supervisory Body for Personal Data Protection at least 15 days before
setting up a personal data file or entering a new type of personal data.
(2) The personal data controller shall forward to the National Supervisory Body for the Protection of Personal Data
changes to the data referred to in the previous paragraph no later than eight days from the day of the change.

Register

Article 28

(1) The state supervisory body for the protection of personal data shall keep and maintain the register of personal data collections which it contains
data referred to in Article 27 of this Act, in the manner determined by the methodology of its management.
(2) The register shall be kept by means of information technology and shall be published on the website of the National Supervisory Authority for
protection of personal data (hereinafter: the website).
(3) The Rules on the methodology referred to in the first paragraph of this Article shall be determined by the Minister responsible for justice on the proposal of the
State Supervisor or Chief State Supervisor for Personal Data Protection (hereinafter:
Chief State Supervisor).

III. PART - INDIVIDUAL RIGHTS

Insight into the register

Article 29

(1) The state supervisory body for the protection of personal data must allow everyone to inspect the register of personal data files.
data and a transcript of the data.
(2) Access to and transcription of data must be permitted and made possible, as a rule, on the same day, but no later than within eight days, otherwise
the request shall be deemed to have been rejected.

The right of the individual to be informed

Article 30

(1) The controller of personal data must, at the request of an individual:
1. provide access to the catalog of the personal data collection;
2. confirm whether or not data relating to him are being processed and allow him to inspect the personal data contained in
in the personal data file and refer to it, and their copying or copying;
3. provide a printout of personal data contained in the personal data file and relating to it;
4. provide a list of users to whom personal data have been provided, when, on what basis and for what
purpose;
5. provide information on the sources on which the records contained in the individual personal data file are based and on
processing methods;
6. provide information on the purpose of the processing and the type of personal data being processed, as well as any necessary explanations regarding it
with that;
7. explain technical or logical-technical decision-making procedures, if it performs automated decision-making with processing
personal data of the individual.
(2) The extract referred to in point 3 of the preceding paragraph may not replace a document or certificate in accordance with the regulations on administrative or other
procedure, which is indicated on the printout.

Pairing process

Article 31

(1) The request referred to in Article 30 of this Act shall be submitted in writing or orally to the minutes with the personal data controller. Required
may file once every three months, regarding the processing of sensitive personal data and personal data in accordance with the provisions of 2.
Chapter VI. part of this law once a month. Where necessary to ensure fair, lawful or
proportionate processing of personal data, in particular where the personal data of an individual are included in a personal data file
frequently updated or provided or could be frequently updated or provided to users of personal data, must
allow the data controller to submit the request within a shorter relevant period, not less than
five days from the date of acquaintance with the personal data relating to him or refusal of such acquaintance.
(2) The personal data controller must enable the individual to inspect, transcribe, copy and confirm according to points 1 and 2.
of the first paragraph of Article 30 of this Act, as a rule, on the same day as the receipt of the request, but no later than within 15 days, or
notify in writing within 15 days of the reasons why he will not allow inspection, transcription, copying or issuance of the certificate.
(3) Extract from point 3, list from point 4, information from points 5 and 6 and explanation from point 7 of the first paragraph of Article 30
of this Act, the personal data controller must provide the individual within 30 days from the day of receipt of the request,
or inform him in writing within the same period of the reasons why he will not be given a printout, list, information or explanation
mediated.
(4) If the operator does not act in accordance with the second and third paragraphs of this Article, the request shall be deemed to have been rejected.
(5) The costs related to the request and insight referred to in this Article shall be covered by the personal data controller.
(6) For transcription, copying and written confirmation according to point 2 and for the extract referred to in point 3, the list referred to in point 4, the information referred to in points 5 and 6.
points and the explanation referred to in point 7 of the first paragraph of Article 30 of this Act, the personal data controller may
charges the individual only material costs according to a predetermined price list, provided that the oral certificate is after 2.
point, oral information according to point 5, oral information after point 6 and oral explanation according to point 7 free of charge. If
the individual, despite obtaining oral certificates, information or explanations under points 2, 5, 6 and 7 of the first paragraph of Article 30 of this
of the law requires a confirmation, information or explanation in writing, the personal data controller must provide it.
(7) The Minister responsible for justice shall, on the basis of the proposal of the Information Commissioner, prescribe the price list with rules.
charging of material costs referred to in the previous paragraph and publishing it in the Official Gazette of the Republic of Slovenia.

The right to supplement, correct, block, delete and object

Article 32

(1) The controller of personal data must, at the request of the individual to whom the personal data relate, supplement,
correct, block or delete personal data which an individual proves to be incomplete, inaccurate or out of date, or
that they have been collected or processed in violation of the law.
(2) The personal data controller must, at the request of the individual, inform all users of personal data and
contractual processors to whom he provided personal data of the individual before the measures referred to in
of the previous paragraph, on their supplementation, correction, blocking or deletion under the previous paragraph. Exceptionally, he doesn't have that
necessary if this would result in high costs, disproportionate effort or time.
(3) An individual whose personal data are processed in accordance with the fourth paragraph of Article 9 or the third paragraph of Article 10.
Article of this Act, has the right to demand the termination of their processing at any time with an objection. Contract manager
grants if the individual proves that the conditions for processing under the fourth paragraph of Article 9 or under the third are not met
paragraph 10 of Article 10 of this Act. In this case, his personal data may no longer be processed.
(4) If the administrator does not satisfy the objection referred to in the preceding paragraph, the individual who filed the objection may request that
processing in accordance with the fourth paragraph of Article 9 or the third paragraph of Article 10 of this Act shall be decided by the State
supervisory authority for the protection of personal data. An individual may file a request within seven days of service of the decision on
contract.
(5) The state supervisory body for the protection of personal data shall decide on the request referred to in the preceding paragraph within two months of
receiving requests. The submitted request suspends the processing of the personal data of the individual in respect of which he / she submitted the request.
(6) The costs of all actions of the personal data controller referred to in the preceding paragraphs shall be borne by the controller.

Procedure for supplementing, correcting, blocking, deleting and objecting

Article 33

(1) The request or objection referred to in Article 32 of this Act shall be submitted in writing or orally to the minutes with the personal data controller.
(2) The personal data controller must complete, correct, block or delete personal data within 15 days
from the date of receipt of the request and inform the applicant or inform him within the same time limit of the reasons
which he will not do. He must decide on the objection within the same time limit.
(3) If the personal data controller does not act in accordance with the preceding paragraph, the request shall be deemed to have been rejected.
(4) If the personal data controller finds that the personal data are incomplete, inaccurate or out of date, he shall supplement or
corrects and informs the individual, unless otherwise provided by law.
(5) The costs related to the supplementation, correction and deletion of personal data, notification and decision on the objection shall be covered by
personal data controller.

Judicial protection of individual rights

Article 34

(1) An individual who finds that his rights determined by this Act have been violated may request judicial protection throughout
time as long as the violation lasts.
(2) If the violation referred to in the preceding paragraph has ceased, the individual may file an action to establish that the violation existed,
if he is not afforded other judicial protection in respect of the infringement.
(3) In the proceedings, the competent court shall decide in accordance with the provisions of the law governing the administrative dispute, insofar as this law does not provide otherwise.
(4) The public shall be excluded from the proceedings, unless the court decides otherwise on the proposal of an individual for justified reasons.
(5) The procedure is necessary and a priority.

Interim injunction

Article 35

In a lawsuit filed for violation of the rights referred to in Article 32 of this Act, an individual may request the court to
impose final decisions in an administrative dispute on the controller in order to prevent any processing
disputed personal data if it would be difficult for the data subject to be affected by their processing
reparable damage and the postponement of processing does not run counter to the public interest and there is no risk of the counterparty incurring
major irreparable damage.

Restriction of individual rights

Article 36

(1) The rights of an individual referred to in the third and fourth paragraphs of Article 19, Articles 30 and 32 of this Act may be
exceptionally for reasons of protection of the sovereignty and defense of the state, protection of national security and constitutional order
state, the security, political and economic interests of the state, the exercise of police powers, the
detection, detection, proof and prosecution of criminal offenses and misdemeanors, detection and punishment of violations of ethical
standards for certain professions, for monetary, budgetary or fiscal reasons, for the purpose of police control and
the data subject or the rights and freedoms of others.
(2) The restrictions referred to in the preceding paragraph may be determined only to the extent necessary to achieve the purpose for which
a limit is set.

IV. DEL

INSTITUTIONAL PROTECTION OF PERSONAL DATA

Chapter 1

Personal data protection supervisory authority

Supervisory Authority

Article 37

(1) The state supervisory body for the protection of personal data (hereinafter: the state supervisory body) has a position
supervisory authority for the protection of personal data.
(2) The state supervisory body shall perform inspection supervision over the implementation of the provisions of this Act and other tasks thereafter
the law and other regulations governing the protection or processing of personal data or the removal of personal data from
Of the Republic of Slovenia. The state supervisory body also performs other tasks in accordance with the law.
(3) The state supervisory body shall ensure the uniform implementation of measures in the field of personal data protection.

Position and organization of the state supervisory body

Article 38

(expired)

Funds for the work of the state supervisory body

Article 39

(expired)

Appointment of the Chief State Supervisor

Article 40

(ceased to branch)

Dismissal of the Chief State Supervisor

Article 41

(expired)

Page 2

Replacing the Chief State Supervisor

Article 42

(expired)

Supervisor

Article 43

(expired)

Independence of supervisors

Article 44

(expired)

Employment and assignments to the state supervisory body

Article 45

(expired)

Chapter 2

Tasks of the state supervisory body

Reports of the state supervisory body

Article 46

(expired)

Cooperation with other bodies

Article 47

In its work, the state supervisory body cooperates with state bodies competent for the protection of the European Union
individuals in the processing of personal data, international organizations, foreign supervisory authorities for protection
personal data, institutions, associations, non-governmental organizations in the field of personal data protection or privacy, and
other organizations and bodies on all matters relevant to the protection of personal data.

Regulatory powers

Article 48

(1) The state supervisory body shall give preliminary opinions to ministries, the National Assembly, and bodies of self-governing local bodies
community, other state bodies and holders of public authority on the harmonization of the provisions of draft laws and others
regulations with laws and other regulations governing personal data.
(2) (expired)

Publicity of work

Article 49
(1) The state supervisory body may:
1. publishes an internal newsletter and professional literature;
2. publishes on the website or in another appropriate manner the preliminary opinions referred to in the first paragraph of Article 48 of this Act,
after the law or other regulation has been adopted and published in the Official Gazette of the Republic of Slovenia, in the newsletter
self-governing local communities or published in another lawful manner;
3. publish the requirements referred to in the second paragraph of Article 48 of this Act on the website or in another appropriate manner,
after receiving them by the Constitutional Court;
4. publish on the website or in another appropriate manner the decisions and resolutions of the Constitutional Court on the requirements referred to in
the second paragraph of Article 48 of this Act;
5. publish on a website or in another appropriate manner the decisions and rulings of courts of general jurisdiction; and
administrative court relating to the protection of personal data so that personal data cannot be deduced from them
clients, victims, witnesses or experts;
6. gives non-binding opinions on the compliance of codes of professional ethics, general business conditions or theirs
proposals with regulations in the field of personal data protection;
7. Gives optional opinions, clarifications and views on personal data protection issues and publishes them on
website or other appropriate means;
8. prepares and gives optional instructions and recommendations regarding the protection of personal data in a particular field;
9. make public statements on inspections carried out in individual cases;
10. conducts press conferences related to the work of the state supervisory body and transcripts of statements or recordings of statements with
press conferences published on the website;
11. publishes other important notices on the website.
(2) In order to exercise the powers referred to in points 6, 7 and 8 of the preceding paragraph, the state supervisory body may call upon k
representatives of associations and other non-governmental organizations in the field of personal data protection and privacy
and consumers.

Chapter 3

Inspection control

Application of the law governing inspections

Article 50

The provisions of the law governing inspections shall apply to the performance of inspections under this Act,
as much as this
the law does not provide otherwise.

Scope of inspection

Article 51
As part of the inspection, the state supervisory body shall:
1. control the lawfulness of the processing of personal data;
2. monitor the adequacy of measures for the protection of personal data and the implementation of procedures and measures for
protection of personal data under Articles 24 and 25 of this Act;
3. supervise the implementation of the provisions of the law governing the catalog of personal data files, the register of personal data files and
recording the transmission of personal data to individual users of personal data;
4. supervises the implementation of the provisions of the law regarding the export of personal data to a third country and their transmission
foreign users of personal data.

Direct inspection

Article 52

(1) Inspection supervision shall be performed directly by the supervisor within the limits of the competence of the state supervisory body.
(2) The supervisor shall demonstrate the authorization to perform inspection tasks with an official card containing
a photograph of the supervisor, his personal name, professional or scientific address and other necessary information. Shape and
the content of the service card shall be prescribed in more detail by the minister responsible for justice.

Powers of the supervisor

Article 53

When performing inspections, the supervisor is entitled to:
1. review documentation relating to the processing of personal data, regardless of its confidentiality or secrecy,
and the export of personal data to a third country and the transfer of personal data to foreign users;
2. inspect the contents of personal data files, regardless of their confidentiality or secrecy, and catalogs of personal data files
data;
3. review the documentation and acts governing the protection of personal data;
4. inspect the premises in which personal data, computer and other equipment and technical equipment are processed
documentation;
5. verify measures and procedures for the protection of personal data and their implementation;
6. exercise other powers determined by the law governing inspections and the law governing general administrative
process;
7. perform other matters determined by law.

Inspection measures

Article 54

(1) A supervisor who, in carrying out an inspection, establishes a violation of this Act or another law or regulation
regulates the protection of personal data, has the right immediately:
1. order that any irregularities or deficiencies which it finds be remedied in a manner and within a time limit which it shall determine;
2. order a ban on the processing of personal data by persons in the public or private sector who have not provided or not
implement measures and procedures for the protection of personal data;
3. order a ban on the processing of personal data and the anonymisation, blocking, deletion or destruction of personal data
data when it finds that personal data are processed in contravention of the provisions of the law;
4. order a ban on the export of personal data to a third country or their transfer to foreign users of personal data
data if they are exported or transmitted in contravention of the provisions of law or a binding international treaty;
5. order other measures determined by the law governing inspections and the law governing general administrative
process.
(2) The measures referred to in the preceding paragraph may not be ordered against a person who is in the electronic communications network
provides data transmission services, including temporary data storage and other data-related operations,
which are principally or wholly for the purpose of providing or facilitating the transmission of data over networks,
interest in the content of this information and is not a person who, alone or with a limited circle of
effectively control access to this data.
(3) If the inspector finds during the inspection that there is a suspicion of committing a criminal offense or misdemeanor,
criminal complaint or carry out procedures in accordance with the law governing misdemeanors.

Judicial protection

Article 55

There is no appeal against the decision or resolution of the supervisor referred to in the first paragraph of Article 54 of this Act, but an administrative dispute is allowed.

Notifying the applicant

Article 56

The supervisor is obliged to inform the notifier of all significant findings and actions in the inspection procedure.
supervision.

Competences of the state supervisory body regarding access to public information

Article 57

(expired)

Secrecy

Article 58

(1) The supervisor is obliged to protect the confidentiality of personal data, which he becomes acquainted with during the inspection
supervision, even after leaving the service of supervisor.
(2) The duty referred to in the preceding paragraph shall also apply to all civil servants in the state supervisory body.

Chapter 4

Cooperation and external control in the field of personal data protection

Ombudsman

Article 59

(1) The Ombudsman (hereinafter: the Ombudsman) shall perform his duties in the field of protection.
personal data in relation to state bodies, bodies of self-governing local communities and public institutions
powers under the law governing the Ombudsman.
(2) The protection of personal data is a special area of ​the ombudsman for which one of the deputy ombudsmen is in charge.

Annual Report

Article 60

In his annual report, the Ombudsman reports to the National Assembly on his findings, proposals and recommendations, as well as on the
in the field of personal data protection.

Competence of the National Assembly

Article 61

The situation in the field of personal data protection and the implementation of the provisions of this Act shall be monitored by the competent working body
National Assembly.

PART V

EXPORT OF PERSONAL DATA

Chapter 1

Export of personal data to the Member States of the European Union and the European Economic Area

Free movement of personal data

Article 62

When personal data are transferred to the personal data controller, contractual processor or user of personal data
established, established or registered in a Member State of the European Union or of the European Economic Area
space or otherwise subject to its legal order, the provisions of this Act on the export of personal data shall not apply
to third countries.

Chapter 2

Export of personal data to third countries

General provision

Article 63

(1) Transmission of personal data which are or will be processed only after the transmission to a third party
State is admissible in accordance with the provisions of this Act and provided that the national supervisory authority
the country to which they are exported ensures an adequate level of protection of personal data.
(2) The decision referred to in the preceding paragraph shall not be required if the third country is on the list of those countries referred to in Article 66 of this Act,
which have been found to fully ensure an adequate level of protection of personal data.
(3) The decision referred to in the first paragraph of this Article shall not be required if the third country is on the list of those countries referred to in Article 66 of this Article.
which have been found to provide in part an adequate level of protection of personal data, if provided
those personal data and for those purposes for which an appropriate level of protection has been established.

The process of determining the appropriate level of personal data protection

Article 64

(1) The national supervisory authority shall introduce a procedure for determining the appropriate level of protection of personal data in a third country at
on the basis of the findings of the inspection or on the proposal of a natural or legal person who may show a legal interest in
issuing a decision.
(2) At the request of the state supervisory body, the ministry responsible for foreign affairs shall obtain from the competent body
third country the necessary information on whether that country provides an adequate level of protection of personal data.
(3) The state supervisory body may obtain additional information on the appropriate level of protection of personal data in a third country
directly from other supervisory authorities and from the competent authority of the European Union.
(4) The state supervisory body shall issue a decision within two months of receiving the complete information referred to in the second and third
paragraph of this Article. It may also issue a decision only on a certain type of personal data or their processing for
specific purpose.
(5) The state supervisory body shall be obliged no later than within 15 days from the issuance of the decision that the third country does not provide
appropriate levels of personal data protection, inform the competent authority of the European Union in writing.

Judicial protection

Article 65

There is no appeal against the decision referred to in the fourth paragraph of Article 64 of this Act, but an administrative dispute is allowed.

List

Article 66

(1) The state supervisory body shall keep a list of third countries for which it has established that they have fully or partially
adequate level of protection of personal data or that they are not guaranteed. If it is found that the third country only partially
ensures an adequate level of protection of personal data, the list shall also indicate in which part the appropriate level is
guaranteed.
(2) The Chief State Supervisor shall publish the list referred to in the preceding paragraph in the Official Gazette of the Republic of Slovenia.

Binding of the state supervisory body in decision - making

Article 67

When deciding, the national supervisory authority is bound by the decisions of the competent body of the European Union regarding the assessment, or a third party
States shall ensure an adequate level of protection of personal data.

Deciding on the amount of personal data

Article 68
(1) When deciding on the appropriate level of personal data protection in a third country, the state supervisory body is obliged to establish all
circumstances relating to the export of personal data. Above all, it must take into account the type of personal data, the purpose and the duration
proposed treatments, legislation in the country of origin and in the recipient country, including personal protection
data of foreign nationals, and measures to protect personal data used in them.
(2) In deciding on the previous paragraph, the state supervisory body shall take into account in particular:
1. whether the personal data disclosed are used only for the purpose for which they were disclosed, or whether the purpose may be changed
only with the permission of the controller of the personal data he has provided or with the personal consent
the data subject;
2. whether the data subject has the opportunity to find out for what purpose it was used
personal data to whom it was transmitted and the possibility of correcting or deleting inaccurate or out-of-date personal data.
data, unless this is prevented by the binding nature of binding international treaties;
3. whether the foreign operator implements appropriate organizational and technical procedures and measures to protect personal data
data;
4. whether a contact person has been appointed who is authorized to provide information to the individual to whom it relates
personal data, or to the state supervisory authority on the processing of personal data that have been disclosed;
5. whether a foreign user may disclose personal data only on condition that it is with another foreign user to whom
personal data provided, adequate protection of personal data also ensured for foreign citizens;
6. whether effective legal protection is provided to individuals whose personal data have been disclosed.

Rules

Article 69

At the proposal of the Chief State Supervisor, it shall be issued by the Minister responsible for justice with the consent of the Minister responsible for
foreign affairs, rules specifying which information is considered necessary for decision-making
national supervisory authority on the export of personal data to third countries.

Special provisions

Article 70

(1) Notwithstanding the first paragraph of Article 63 of this Act, personal data may be disclosed and transmitted to a third country,
if:
1. so provided by another law or a binding international treaty;
2. the personal consent of the data subject is given and he is aware of the consequences
such intervention;
3. the withdrawal is necessary for the performance of the contract between the data subject, and
personal data controllers or to carry out pre-contractual measures taken in response to a request
the data subject;
4. the withdrawal is necessary for the conclusion or performance of a contract for the benefit of the individual to whom the personal data relate
data concluded between the personal data controller and a third party;
5. the removal is necessary in order to protect the life or body of the individual to whom it is endangered from serious danger
relate to personal data;
6. the removal is made from registers, public books or official records, which are intended by law to provide information
are available to the general public or to any person who may have a legal interest in
in an individual case, the conditions set for inspection by law are met;
7. the personal data controller shall ensure appropriate measures for the protection of personal data and fundamental rights; and
freedoms of individuals and indicate the possibilities for their exercise or protection, in particular in the provisions of
general terms and conditions.
(2) In the case of the export of personal data pursuant to point 7 of the preceding paragraph, the person who intends to disclose personal data must
data, obtain a special decision of the state supervisory authority that allows the export of personal data.
(3) A person may disclose personal data only after receiving the decision referred to in the preceding paragraph, by which the export is permitted.
(4) There is no appeal against the decision referred to in the second paragraph of this Article, but an administrative dispute is allowed. Procedure in an administrative dispute
is necessary and preferred.
(5) The state supervisory body shall be obliged to do so no later than within 15 days from the issuance of the decision referred to in the second paragraph of this Article
forwarded to the competent authority of the European Union and to the Member States of the European Union.
(6) If, after receiving the decision, the competent authority of the European Union decides that the removal is based on a decision from another
paragraph of this Article is inadmissible, the state supervisory body shall be bound by this decision and shall be obliged within five days of receiving it.
of this decision, issue a new decision to the person referred to in the second paragraph of this Article, prohibiting him / her from further removal of personal data
data.

Recording amounts

Article 71

The export of personal data to a third country shall be recorded in accordance with the provisions of point 10 of the first paragraph of Article 26 of this
of the law.

VI. DEL

SECTORAL ARRANGEMENTS

Chapter 1

Direct marketing

Rights and duties of the operator

Article 72

(1) The personal data controller may use personal data of individuals collected from publicly available data
resources or in the course of lawful pursuit of activities, including for the purpose of offering goods, services, employment or
performing work using postal services, telephone calls, e-mail or other telecommunication means
(hereinafter: direct marketing) in accordance with the provisions of this chapter, unless otherwise provided by other law.
(2) For the purposes of direct marketing, the personal data controller may use only the following personal data which
collected in accordance with the previous paragraph: personal name, address of permanent or temporary residence, telephone
number, e-mail address and fax number. Based on the personal consent of the individual, the controller may
personal data also processes other personal data, and sensitive personal data only if it has the personal consent to do so.
an individual who is explicit and, as a rule, in writing.
(3) The controller of personal data must carry out direct marketing in such a way that the individual, when carrying out direct marketing
marketing information on his rights under Article 73 of this Act.
(4) If the personal data controller intends to transfer the personal data referred to in the second paragraph of this Article to others
users of personal data for direct marketing purposes or contractual processors is obliged to do so
inform the individual and obtain his / her written consent before providing personal data. Notification
it must contain information to the individual about the intended transfer of personal data, which data he intends to provide
to communicate to whom and for what purpose. The costs of the notification shall be borne by the controller of personal data.

The right of the individual

Article 73

(1) An individual may at any time, in writing or in another agreed manner, request that the personal data controller permanently or
temporarily ceases to use his personal data for the purpose of direct marketing. Personal data controller
is obliged to prevent the use of personal data for the purpose of direct marketing within 15 days and to do so in
within a further five days, inform the requesting person in writing or by other agreed means.
(2) The costs of all actions of the personal data controller in connection with the request referred to in the preceding paragraph shall be borne by the controller.

Chapter 2

Video surveillance

General provisions

Article 74

(1) The provisions of this Chapter shall apply to the implementation of video surveillance, unless otherwise provided by another law.
(2) A person of the public or private sector who performs video surveillance must publish a notice to that effect. Notice must be
visibly and distinctly published in a way that enables the individual to become acquainted with its implementation at the latest when
video surveillance is started over it.
(3) The notification referred to in the preceding paragraph must contain the following information:
1. that video surveillance is carried out;
2. the name of the public or private sector person performing it;
3. telephone number to obtain information on where and for how long the CCTV footage is stored
system.
(4) The individual referred to in the second paragraph of this Article shall be deemed to have been informed of the processing of personal data
under Article 19 of this Act.
(5) The video surveillance system with which video surveillance is carried out must be protected against access by unauthorized persons.

Access to official office or business premises

Article 75

(1) The public and private sectors may carry out video surveillance of access to their official business or business premises,
if necessary for the safety of people or property, in order to ensure control of entry into or exit from or from official premises
or business premises or if due to the nature of the work there is a possibility of endangering employees. He makes the decision
a competent official, head, director or other competent or authorized individual of a public sector entity, or
private sector entities. The written decision must explain the reasons for introducing video surveillance. Introduction
video surveillance may also be determined by law or a regulation adopted on its basis.
(2) Video surveillance may be carried out only in such a way that even the recording of the interior of residential
buildings that do not affect the access to their premises, nor the recording of entrances to apartments.
(3) It is necessary to inform in writing all employees in the public or private sector who
perform work in a controlled area.
(4) The collection of personal data pursuant to this Article shall contain a recording of an individual (picture or voice), the date and time of entry and
exits the space, but may also be the personal name of the recorded individual, the address of his permanent or temporary
residence, employment, number and details of the nature of his identity document and the reason for his entry,
personal data is collected in addition to or by recording a video surveillance system.
(5) The personal data referred to in the preceding paragraph may be kept for a maximum of one year after their creation, after which they shall be deleted if the law does not
provides otherwise.

Multi-apartment buildings

Article 76

(1) The introduction of video surveillance in a multi-apartment building requires the written consent of co-owners who own more than 70
percent of co-ownership shares.
(2) Video surveillance may be introduced in a multi-apartment building only when this is necessary for the safety of people and property.
(3) Only access to the entrances and exits of multi-apartment buildings may be monitored by video surveillance in a multi-apartment building.
buildings and their common areas. It is forbidden to carry out video surveillance of the caretaker's apartment and workshop for
janitor.
(4) It is prohibited to enable or carry out real-time or subsequent review of recordings of a video surveillance system
via internal cable television, public cable television, the Internet or other telecommunications
means capable of transmitting these recordings.
(5) It is prohibited to record the entrances to individual dwellings with a video surveillance system.

Workspaces

Article 77

(1) The implementation of video surveillance within work premises may be carried out only in exceptional cases when this is absolutely necessary.
for the safety of people or property or for the protection of classified information and business secrets, but this purpose is not possible
achieved by milder means.
(2) Video surveillance may be carried out only in respect of those parts of the premises where it is necessary to protect the interests from the previous
paragraph.
(3) It is prohibited to carry out video surveillance in workplaces outside the workplace, especially in changing rooms, lifts and
sanitary facilities.
(4) Employees must be notified in writing in advance of the implementation of video surveillance pursuant to this Article.
implementation.
(5) Prior to the introduction of video surveillance in a public or private sector entity, the employer must consult
representative trade unions at the employer.
(6) In the field of state defense, intelligence and security activities of the state and protection of classified information, no
paragraphs 4 and 5 of this Article shall apply.

Chapter 3

Biometrics

General provision

Article 78

By processing biometric characteristics, the characteristics of an individual are identified or compared so that his or her own can be executed
identification or verification of its identity (hereinafter: biometric measures) under the conditions set out in this
the law.

Biometric measures in the public sector

Article 79

(1) Biometric measures in the public sector may be determined only by law if this is strictly necessary for the safety of people or
property or for the protection of classified information and business secrets, and this purpose cannot be achieved by
funds.
(2) Notwithstanding the preceding paragraph, biometric measures may be determined by law if the obligations referred to in
binding international treaties or to identify individuals when crossing national borders.

Biometric measures in the private sector

Article 80

(1) The private sector may implement biometric measures only if they are strictly necessary for the performance of activities for the safety of people.
or property or to protect classified information or business secrets. He can only implement biometric measures over his own
employees if they have been notified in writing in advance.
(2) If the implementation of certain biometric measures in the private sector is not regulated by law, the manager is personal
data that intends to implement biometric measures, is obliged to submit to the state supervisory authority before the introduction of measures
a description of the intended measures and the reasons for their introduction.
(3) After receiving the information referred to in the preceding paragraph, the state supervisory body shall be obliged within two months
decide whether the introduction of biometric measures is intended in accordance with this Act, in particular the conditions referred to in the first sentence
the first paragraph of this Article. The time limit may be extended by a maximum of one month if the introduction of these measures would affect more than
20 employees in a private sector person, or if a representative trade union at the employer requires participation in
administrative procedure.
(4) The personal data controller may implement biometric measures after receiving the decision referred to in the preceding paragraph, with
which the implementation of biometric measures is permitted.
(5) There shall be no appeal against the decision of the state supervisory body referred to in the third paragraph of this Article, but an administrative
dispute.

Biometric measures related to public sector employees

Article 81

Notwithstanding the provisions of Article 79 of this Act, biometric measures may be introduced in the public sector in connection with entry into
the building or parts of the building and recording the presence of employees at work, which is carried out with the reasonable use of another,
the third and fourth paragraphs of Article 80 of this Act.

Chapter 4

Records of entrances and exits from the premises

Evidence

Article 82

(1) A person of the public or private sector may, for the purposes of protecting the property, life or body of individuals
and the order in its premises requires the individual who intends to enter or leave that premises to indicate all
or certain personal data referred to in the second paragraph of this Article and the reason for entry or exit. If necessary, you can personal
the data is also checked by inspecting the personal document of the individual.
(2) Only the following personal data on an individual may be kept in the records of entries and exits: personal name, number
and type of identity document, address of permanent or temporary residence, employment and date, time and reason for entry
or exits into or out of the premises.
(3) The records referred to in the preceding paragraph shall be considered official records in accordance with the law governing the general administrative procedure,
if it is necessary to obtain information in terms of the benefit of the minor or for the exercise of police and intelligence
security activities.
(4) Personal data from the records referred to in the second paragraph of this Article may be kept for a maximum of three years from the entry, after which
deleted or otherwise destroyed, unless otherwise provided by law.

Chapter 5

Public books and protection of personal data

The legitimate purpose of the public book

Article 83

Personal data from the public book regulated by law may be used only in accordance with the purpose for which they were used
collected or
processed if the lawful purpose of their collection or processing is fixed or determinable.

Chapter 6

Linking personal databases

Official records and public books

Article 84

(1) Collections of personal data from official records and public books may be linked, if so provided by law.
(2) Controllers or controller of personal data who connects two or more databases of personal data kept for
for various purposes, they are obliged to inform the state supervisory authority in writing in advance.
(3) If at least one personal data file to be linked contains sensitive data, or if the linking
result in the disclosure of sensitive data or the use of the same linker is required to perform the integration
sign, the connection is not allowed without the prior permission of the state supervisory authority.
(4) The state supervisory body shall permit the connection referred to in the preceding paragraph on the basis of a written application of the personal controller
data if it finds that personal data controllers provide adequate protection of personal data.
(5) There shall be no appeal against the decision referred to in the preceding paragraph, but an administrative dispute shall be allowed.

Article 85
It is prohibited to link personal data files from criminal records and misdemeanor records with other databases
personal data and to connect personal data collections from criminal records and misdemeanor records.

Special provision

Article 86

The register of personal data files contains data on related personal data collections from official records and public books
run separately.

Chapter 7

Professional supervision

Application of the provisions of this chapter

Article 87

Unless otherwise provided by other law, the provisions of this chapter shall apply to the processing of personal data by a professional
supervision provided by law.

General provisions

Article 88

(1) A person of the public sector performing professional supervision (hereinafter: professional supervision provider) may
processes personal data processed by personal data controllers over which it has jurisdiction by law
carry out professional supervision.
(2) The provider of professional supervision has the right to inspect, print, transcribe or copy all personal data
from the previous paragraph, and in their processing for the purposes of professional supervision and preparation of a report or assessment, he is obliged
protect their secrecy. In the report or assessment at the end of the expert supervision, the expert supervision expert may
records only those personal data that are necessary to achieve the purpose of professional supervision.
(3) The costs of inspection, printing, transcription or copying referred to in the preceding paragraph shall be borne by the personal data controller.

Professional supervision and additional processing of personal data

Article 89
(1) The provider of professional supervision may, in performing professional supervision, in accordance with the first paragraph
Article 88 of this Act processes personal data, informs the individual to whom the personal data relate in writing,
to carry out expert supervision and to inform him that he may submit his views in writing or orally.
(2) The individual referred to in the preceding paragraph may submit to the provider of professional supervision for the purposes of implementation
personal data of another individual who could be involved in the matter in which the professional supervision is carried out,
what did he know. If the provider of professional supervision finds that this is necessary, he also conducts an interview with another individual.

Professional supervision and sensitive personal data

Article 90

If sensitive personal data is processed during the performance of professional supervision, the provider of professional supervision shall do so
make an official note or other official record in the file of the personal data controller.

VII. DEL

CRIMINAL PROVISIONS

General violations of the provisions of this Act

Article 91

(1) A fine of 4,170 to 12,510 euros shall be imposed on a legal person, sole proprietor or
self-employed individual:
1. if he processes personal data without having a basis for this in law or in the personal consent of the individual (Article 8);
2. if he entrusts individual tasks related to the processing of personal data to another person without concluding a contract in
in accordance with the second paragraph of Article 11;

3. if it processes sensitive personal data in contravention of Article 13 or does not protect it in accordance with Article 14;
4. if it automatically processes personal data in contravention of Article 15;
5. if it collects personal data for purposes that are not specified and lawful, or if it further processes them in contravention of 16.
article;
6. if it provides the user of personal data with personal data in contravention of the second paragraph of Article 17 or if it does not
destroys personal data in accordance with the third paragraph of Article 17 or fails to publish the results of processing in accordance with the fourth
paragraph 17 of Article 17;
7. if he does not inform the individual about the processing of personal data in accordance with Article 19;
8. if he uses the same connecting sign in contravention of Article 20;
9. if it does not delete, destroy, block or anonymise personal data after the purpose of the processing has been fulfilled in accordance with
the second paragraph of Article 21;
10. if he acts in contravention of Article 22;
11. if it fails to ensure that the catalog of the personal data file contains the data specified by law (Article 26);
12. if he does not provide data for the needs of the register of personal data collections (Article 27);
13. if he acts in contravention of the first or second paragraph of Article 30 or if he acts in contravention of the second, third or fifth
paragraph 31 of Article 31;
14. if he acts in contravention of Article 32 or if he acts in contravention of the second or fifth paragraph of Article 33;
15. if, contrary to the first paragraph of Article 63 or contrary to Article 70, he exports personal data to a third country.
(2) A fine of 830 to 2,080 euros shall also be imposed on the responsible person of a legal person for the misdemeanor referred to in the preceding paragraph,
a sole proprietor of an individual or an individual self-employed.
(3) A fine of 830 to 2,080 euros shall be imposed on the responsible person of a state body or body for a misdemeanor.
a self-governing local community that commits an act referred to in the first paragraph of this Article.
(4) A fine of 200 to 830 euros shall be imposed on an individual who commits an act referred to in the first paragraph of this Article.

Page 3

Breach of the provisions on contractual processing

Article 92

(1) A fine of 4,170 to 12,510 euros shall be imposed on a legal person, sole proprietor or
an individual who carries out an activity independently if he exceeds the powers contained in the contract referred to in the second paragraph of Article 11.
Article or does not return personal data in accordance with the third paragraph of Article 11.
(2) A fine of 830 to 2,080 euros shall also be imposed on the responsible person of a legal person for the misdemeanor referred to in the preceding paragraph,
a sole proprietor of an individual or an individual self-employed.
(3) A fine of 830 to 2,080 euros shall be imposed on the responsible person of a state body or body for a misdemeanor.
a self-governing local community that commits an act referred to in the first paragraph of this Article.
(4) A fine of 200 to 830 euros shall be imposed on an individual who commits an act referred to in the first paragraph of this Article.

Violation of the provisions on personal data protection

Article 93

(1) A fine of 4,170 to 12,510 euros shall be imposed on a legal person, sole proprietor or
an individual who independently carries out an activity if he processes personal data in accordance with this Act and fails to provide it
protection of personal data (Articles 24 and 25).
(2) A fine of 830 to 1,250 euros shall also be imposed on the responsible person of a legal person for the misdemeanor referred to in the preceding paragraph,
a sole proprietor of an individual or an individual self-employed.
(3) A fine of 830 to 1,250 euros shall be imposed on the responsible person of a state body or body for a misdemeanor.
a self-governing local community that commits an act referred to in the first paragraph of this Article.
(4) A fine of 200 to 830 euros shall be imposed on an individual who commits an act referred to in the first paragraph of this Article.

Infringement of the provisions on direct marketing

Article 94

(1) A fine of 2,080 to 4,170 euros shall be imposed on a legal person, sole proprietor or
an individual who independently carries out an activity if he processes personal data for purposes in accordance with this Act
direct marketing and does not comply with Article 72 or Article 73.
(2) A fine of 410 to 1,250 euros shall also be imposed on the responsible person of a legal person for the misdemeanor referred to in the preceding paragraph,
a sole proprietor of an individual or an individual self-employed.
(3) A fine of 200 to 830 euros shall be imposed on an individual who commits an act referred to in the first paragraph of this Article.

Violation of general provisions on video surveillance

Article 95

(1) A fine of 4,170 to 12,510 euros shall be imposed on a legal person, sole proprietor or
self-employed individual:
1. if it fails to publish the notice in the manner referred to in the second paragraph of Article 74;
2. if the notification does not contain the information referred to in the third paragraph of Article 74;
3. if it does not secure the video surveillance system by which video surveillance is carried out, contrary to the fifth paragraph of Article 74.
Article.
(2) A fine of 830 to 1,250 euros shall also be imposed on the responsible person of the legal entity for the misdemeanor referred to in the preceding paragraph.
a person, a sole proprietor of an individual or a self-employed individual.
(3) A fine of 830 to 1,250 euros shall be imposed on the responsible person of a state body or body for a misdemeanor.
a self-governing local community that commits an act referred to in the first paragraph of this Article.
(4) A fine of 200 to 830 euros shall be imposed on an individual who commits an act referred to in the first paragraph of this Article.

Violation of the provisions on video surveillance regarding access to official office or business premises

Article 96

(1) A fine of 4,170 to 12,510 euros shall be imposed on a legal person, sole proprietor or
self-employed individual:
1. if it carries out video surveillance without a reasoned written decision or without any other legal basis referred to in the first paragraph of Article 75.
article;
2. if it carries out video surveillance by recording the interior of residential buildings which do not affect access to
their premises or recordings of entrances to dwellings (second paragraph of Article 75);
3. if he does not inform the employees in writing (third paragraph of Article 75);
4. if he keeps personal data in contravention of the fifth paragraph of Article 75.
(2) A fine of 830 to 1,250 euros shall also be imposed on the responsible person of a legal person for the misdemeanor referred to in the preceding paragraph,
a sole proprietor of an individual or an individual self-employed.
(3) A fine of 830 to 1,250 euros shall be imposed on the responsible person of a state body or body for a misdemeanor.
a self-governing local community that commits an act referred to in the first paragraph of this Article.
(4) A fine of 200 to 830 euros shall be imposed on an individual who commits an act referred to in the first paragraph of this Article.

Violation of the provisions on video surveillance in multi-apartment buildings

Article 97

(1) A fine of 2,080 to 8,340 euros shall be imposed on a legal person, sole proprietor or
an individual who independently performs an activity that performs video surveillance in contravention of Article 76.
(2) A fine of 410 to 1,250 euros shall also be imposed on the responsible person of a legal person for the misdemeanor referred to in the preceding paragraph,
a sole proprietor of an individual or an individual self-employed.
(3) A fine of 830 to 1,250 euros shall be imposed on the responsible person of a state body or body for a misdemeanor.
a self-governing local community that commits an act referred to in the first paragraph of this Article.
(4) A fine of 200 to 410 euros shall be imposed on an individual who commits an act referred to in the first paragraph of this Article.

Violation of the provisions on video surveillance in the workplace

Article 98

(1) A fine of 4,170 to 12,510 euros shall be imposed on a legal person, sole proprietor or
an individual who independently performs an activity that performs video surveillance in work premises in contravention of Article 77.
(2) A fine of 1,250 to 2,080 euros shall also be imposed on the responsible person of the legal entity for the misdemeanor referred to in the preceding paragraph.
a person, a sole proprietor of an individual or a self-employed individual.
(3) A fine of 1,250 to 2,080 euros shall be imposed on the responsible person of a state body or body for a misdemeanor.
a self-governing local community that commits an act referred to in the first paragraph of this Article.
(4) A fine of 830 to 1,200 euros shall be imposed on an individual who commits an act referred to in the first paragraph of this Article.

Violation of public sector biometrics provisions

Article 99
(1) A fine of 4,170 to 12,510 euros shall be imposed for a misdemeanor on a public sector legal entity that performs biometric
measures contrary to Article 79.
(2) A fine of 1,250 to 2,080 euros shall also be imposed on the responsible person of the legal entity for the misdemeanor referred to in the preceding paragraph.
public sector entities.
(3) A fine of 1,250 to 2,080 euros shall also be imposed on the responsible person for the misdemeanor referred to in the first paragraph of this Article.
a state body or a body of a self-governing local community that commits an act referred to in the first paragraph of this Article.

Violation of the provisions on biometrics in the private sector

Article 100
(1) A fine of 4,170 to 12,510 euros shall be imposed on a legal person, sole proprietor or
an individual who independently performs an activity that carries out biometric measures in contravention of Article 80.
(2) A fine of 1,250 to 2,080 euros shall also be imposed on the responsible person of the legal entity for the misdemeanor referred to in the preceding paragraph.
a person, a sole proprietor of an individual or a self-employed individual.

Violation of the provisions on the register of entries and exits

Article 101

(1) A fine of 2,080 to 4,170 euros shall be imposed on a legal person, sole proprietor or
self-employed individual:
1. who uses the records of entries and exits as official records in contravention of the third paragraph of Article 82;
2. who acts in contravention of the fourth paragraph of Article 82.
(2) A fine of 200 to 830 euros shall also be imposed on the responsible person of a legal person, an independent
an individual entrepreneur or an individual who independently performs an activity that commits an offense referred to in the preceding paragraph.
(3) A fine of 200 to 830 euros shall be imposed on a responsible person of a state body or a body of self-government for a misdemeanor.
a local community that commits an offense referred to in the first paragraph of this Article.
(4) A fine of 200 to 410 euros shall be imposed on an individual who commits an offense referred to in the first paragraph of this Article.

Violation of the provisions on the interconnection of personal data files

Article 102

(1) A fine of 830 to 2,080 euros shall be imposed on a responsible person of a state body or self-governing body for a misdemeanor.
local community, which connects personal data files in contravention of the third paragraph of Article 84.
(2) A fine of 830 to 2,080 euros shall be imposed on a responsible person of a state body or self-governing body for a misdemeanor.
local community, which connects personal data files from criminal records and misdemeanor records with other databases
personal data or connects databases of personal data from criminal records with a collection of personal data from misdemeanors
records (Article 85).

Violation of the provisions on professional supervision

Article 103

(1) A fine of 4,170 to 12,510 euros shall be imposed on a legal person for a misdemeanor:
1. if it carries out professional supervision in contravention of the second paragraph of Article 88;
2. if he does not make an official note or other official record in contravention of Article 90 of this Act.
(2) A fine of 830 to 1,250 euros shall also be imposed on the responsible person of the legal entity for the misdemeanor referred to in the preceding paragraph.
persons.
(3) A fine of 830 to 1,250 euros shall be imposed on the responsible person of a state body or body for a misdemeanor.
self-governing
local community that commits the act referred to in the first paragraph of this Article.
(4) A fine of 200 to 830 euros shall be imposed on an individual who commits an act referred to in the first paragraph of this Article.

The Personal Data Protection Act - ZVOP-1 (Official Gazette of the Republic of Slovenia, No. 86/04) contains the following transitional and final
provisions:

VIII. DEL

TRANSITIONAL AND FINAL PROVISIONS

Powers of the Commissioner for Access to Public Information regarding the Protection of Personal Data

Article 104

- ZInfP complied with

(expired)

Deadline for issuing implementing regulations

Article 105

(1) The rules referred to in the third paragraph of Article 28 and Article 69 of this Act shall be issued within two months of the entry into force of this
of the law.
(2) The regulation referred to in the second paragraph of Article 52 of this Act shall be issued by 1 January 2006.

Transitional arrangements

Article 106

(1) Public funds may process and collect on the basis of personal consent from individuals personal data
relate to them if this information is necessary and appropriate for the performance of their tasks and responsibilities, notwithstanding the provisions of
laws governing their tasks and competencies and the provisions of this Act, until the enactment of a special law that will
settled these issues.
(2) The controllers of personal data may disclose and publish to the public a personal name, title or function, official
the telephone number and e-mail address of the supervisor and those employees whose work is important
due to business with customers or users of services, until the entry into force of a special law that will regulate these issues.

The term personal data controller

Article 107

The terms "personal data controller", "data controller" or "database controller" or "controller
databases ”specified in the laws shall be considered the term“ personal data controller ”under this Act.

Commencement of operation of the National Supervisory Authority for Personal Data Protection

Article 108

- ZInfP complied with

(expired)

Appointment of the Chief State Supervisor

Article 109

- ZInfP complied with

(expired)

Acquisition of employees and archives

Article 110

- ZInfP complied with

(expired)

Application of individual provisions of this Act

Article 111

(1) The provisions of the second paragraph of Article 48 and points 3 and 4 of the first paragraph of Article 49 of this Act shall begin
to be applied from the day of the commencement of operation of the National Supervisory Body for Personal Data Protection.
(2) Until the establishment of the website of the National Supervisory Authority for Personal Data Protection, the information provided by
this Act is published by the state supervisory body on its website, published on the website of the Ministry of
justice.

Completion of ongoing procedures

Article 112

If the decision or resolution of the inspector is issued before the entry into force of this Act, the procedure shall be terminated in accordance with the provisions of the Act on
protection of personal data (Official Gazette of the Republic of Slovenia, No. 59/99, 57/01, 59/01 - amended, 52/02 - ZDU-1 and 73/04 - ZUP-C).

Transfer of management of the register of personal data collections

Article 113

(1) Joint catalog of personal data kept in accordance with the provisions of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, no.
59/99, 57/01, 59/01 - corr., 52/02 - ZDU-1 and 73/04 - ZUP-C), shall be renamed into
register of personal data files.
(2) Until 1 January 2006, the register referred to in the preceding paragraph shall be kept and maintained by the Ministry of Justice, and from that date
hand it over to the National Supervisory Authority for Personal Data Protection.

Addition of data in the register of personal data collections

Article 114

Personal data controllers who provided personal data in accordance with the provisions of the Personal Data Protection Act
(Official Gazette of the Republic of Slovenia, No. 59/99, 57/01, 59/01 - amended, 52/02 - ZDU-1 and 73/04 - ZUP-C) into the common catalog of personal data
they must submit all the data referred to in Article 27 of this Act to the competent authority referred to in Article 113 of this Act within one year after
the entry into force of the implementing regulation referred to in the third paragraph of Article 28 of this Act.

Termination

Article 115

(1) On the day this Act enters into force, the Personal Data Protection Act shall cease to be in force (Official Gazette of the Republic of Slovenia, No. 59/99, 57/01,
59/01 - amended, 52/02 - ZDU-1 and 73/04 - ZUP-C).
(2) The second indent shall cease to be valid on the day of the commencement of the work of the State Supervisory Body for the Protection of Personal Data.
the first paragraph and the third paragraph of Article 13 of the Decree on Bodies within Ministries (Official Gazette of the Republic of Slovenia, No. 58/03).
(3) The provisions of the first paragraph of Article 110 and the second paragraph of Article 111 shall cease to apply on the day this Act enters into force.
of the Electronic Communications Act (Official Gazette of the Republic of Slovenia, No. 43/04) in the part determining the collection, processing and publication
EMŠO - unique personal identification numbers of the citizen.

Change in second law

Article 116

In the Act on Ratification of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Official
list RS, no. 11/94 - International Treaties, no. 3/94) in Article 3, the words “science and technology” shall be replaced by
the text "justice".

Entry into force

Article 117

This Act shall enter into force on 1 January 2005.

Amendments to the Personal Data Protection Act - ZVOP-1A (Official Gazette of the Republic of Slovenia, No. 67/07)
contains the following transitional and final provision:

Transitional provision

Article 17

The Minister responsible for justice shall issue the rules referred to in the seventh paragraph of Article 31 of the Act within sixty days after
entry into force of this Act.

Final provision

Article 18

This Act shall enter into force on the day following its publication in the Official Gazette of the Republic of Slovenia, and Article 3 of this Act shall enter into force
apply on the sixtieth day after the publication of this Act.

ABOUT US

OFFICE HOURS

LINKS

Information Commissioner
Dunajska cesta 22
1000 Ljubljana, Slovenia

MON - FRI
10.00 - 12.00 and 14.00 - 15.00

Public information
Manuals and guidelines
Forms
Privacy policy
Information on the processing of personal data
Accessibility statement
Support for small businesses
Rights of individuals

Map (source: najdi.si)
T: 01 230 97 30
F: 01 230 97 78
E-mail: gp.ip (at) ip-rs.si
Reporting violations: instructions and form

A personal visit is only possible in advance
announce to the above electronic
address or telephone number.

Telephone protection consultancy
personal data takes place within
project »Program of Justice, Equality and
citizenship 2014-2020 ”funded by
European Union.

