After several years of coordination, the new Personal Data Protection Act (ZVOP-2) entered into force on 26 January 2023. The long-awaited law finally harmonized Slovenian legislation with the General Regulation on the Protection of Personal Data (GDPR). Although GDPR is directly applicable and controllers and processors have already been obliged to act in accordance with it since May 2018, delaying the adoption of a new law caused many problems with GDPR’s implementation. ZVOP-2 eliminates these discrepancies, and the Information Commissioner will now be able to impose high penalties on violators.
After the court paralyzed the Information Commissioner by ruling that due to direct application of the provisions of GDPR, it cannot issue administrative fines under the old ZVOP-1, the new ZVOP-2 cured it form this inability. With the implementation of ZVOP-2, the Information Commissioner acquired an appropriate legal basis for sanctioning potential violators. From now on, the sanctions for infringements, prescribed by GDPR, will be imposed on legal entities, entrepreneurs and to self-employed individuals, as penalties for infringements in the amounts and ranges as specified by GDPR. Practically, this means that the Information Commissioner will now be able to impose fines in the amounts up to 20.000.000 EUR or up to 4 % of the total worldwide annual turnover.
Undertakings, that were so far able to count on case law, will now have to be significantly more attentive to ensure lawfulness of personal data processing. For this purpose, they will first need to learn about all the changes brought about by ZVOP-2, determine their obligations (e.g. appointing data protection officer, making risk assessments, keeping records of processing activities) and take necessary measures to ensure compliance with GDPR and ZVOP-2.
