
Slovenia finally adopts European GDPR into national law


Slovenia has finally fallen into line with every other European Union country by adopting the EU’s General Data Protection Regulation (GDPR) into national law.

EU member countries were expected to have implemented the GDPR by mid-2018, and the European Commission issued a statement last year saying Slovenia had “failed to fulfil its obligations stemming from the GDPR.”

The legislation that has now been adopted was drafted under the previous Slovenian government but was changed to include a provision under which personal data protection is a human right.

The Data Protection Act ("ZVOP-2") comes into force on 26 January 2023. The failure to update the national data protection legislation ("ZVOP-1") following the enactment of the GDPR created uncertainty about fines for breaches of the GDPR.

In 2021, the national courts took the view that a breach of GDPR provisions may carry fines set out in ZVOP-1, although this clarification triggered fears of administrative overreach.

The Democratic Party, the senior partner in the previous coalition government, argued there was too much emphasis on protecting the interests of the state and that it would give the Information Commissioner “absolute power”.

New Slovenia, their former coalition partners, raised concerns over administrative excess for businesses, such as an obligation to keep a log of personal data processing. Crucially, the Information Commissioner remains in charge of oversight, although the judiciary, intelligence and security services remain outside those checks.

Mark Dutton, director at W Denis, believes the onset of more regulations means European businesses need to ensure they have adequate insurance cover.

He said: “Companies need to have a robust suite of insurances not just to protect the business and its assets/liabilities around the use of data, but also directors and officers face management liability exposures concerned with their behaviour and conduct in complying with the raft of laws and regulations.”

The adoption of ZVOP-2 means the introduction of a data processing log, separate from the data protection impact analysis (DPIA) governed by the GDPR, for certain categories of data processing, including collection, change and disclosure.

It also sees the introduction of a new category of data processing, categorised as "special processing", which covers specific large-scale data processing within information systems. On top of GDPR requirements, special processing is subject to heightened security and incident reporting requirements.

The legislation allows for the processing of publicly available contact data, or contact data obtained with individuals' prior consent or through voluntary disclosure, except for direct marketing purposes.

The move also expands the possibility of biometric data processing in the private sector, while CCTV in public spaces has been made subject to more detailed regulation.

W Denis Europe arranges comprehensive insurance for EEA based businesses, large and small, including Cyber, Errors & Omissions, Directors & Officers Liability and much more. If you wish to discuss your insurance requirements, please visit or contact Vida Jarašiūnaitė or Mark Dutton
