
Navigating GDPR in Slovenia: Key Deviations and the ZVOP-2 Act


While the General Data Protection Regulation (GDPR) acts as the primary privacy framework across the European Union, it allows member states to introduce national deviations through designated “opening clauses.” After a significant delay, Slovenia finalized its local implementation with the Personal Data Protection Act (ZVOP-2), which entered into force on January 26, 2023.

Regulated by the Information Commissioner (Informacijski pooblaščenec – IP), the Slovenian landscape is known for its highly detailed rules regarding surveillance, biometrics, and the data of deceased individuals. At Complico Consulting GmbH, we specialize in decoding these localized laws to keep your operations secure, compliant, and thriving in the Slovenian market.

Key Deviations: Slovenia’s ZVOP-2 vs. EU GDPR

To ensure full compliance and avoid scrutiny from the Information Commissioner, companies must adjust their internal privacy frameworks to account for the following Slovenia-specific deviations:

1. The Age of Digital Consent is Lowered to 15

Under Article 8 of the GDPR, the default age for a child to provide valid digital consent (for social media, apps, and online services) is 16.

The Slovenian Deviation: Slovenia has lowered this threshold to 15 years old.

Compliance Action: If your digital services target teenagers in Slovenia, your consent management platforms (CMPs) and age-verification gates must be calibrated to this 15-year threshold. For users under 15, verifiable parental consent is mandatory.

2. Strict Controls on Biometric Data

Slovenia places much stricter constraints on biometric data (fingerprints, facial recognition, etc.) than the baseline GDPR requirements, especially in the private sector.

The Slovenian Deviation:

  • Mandatory Certification: Biometric measures in the private sector must be certified in accordance with ZVOP-2 standards.

  • Prior Notification: Before starting biometric processing, a company must provide the Information Commissioner with a detailed description and the reasons for the measure.

  • Consent & Alternatives: If biometrics are used in a contract with a consumer, the business must offer an alternative means of identification that does not involve biometric data.

  • Marketing Prohibition: The use of biometric data for marketing or similar commercial purposes is strictly prohibited, even with the data subject’s consent.

3. Rigorous Video Surveillance (CCTV) Rules

ZVOP-2 introduces some of the most detailed CCTV regulations in Europe, particularly concerning public spaces and license plate recognition.

The Slovenian Deviation:

  • Public Area Restrictions: CCTV in public areas is only permitted in specifically justified cases where there is a serious danger to life, health, or property security that cannot be addressed by milder means.

  • Automatic License Plate Recognition (ALPR): ZVOP-2 prohibits the use of automatic license plate recognition in public spaces (e.g., public parking lots) unless specifically authorized by law.

  • Notification Distance: Signs informing people of CCTV must be visible from a distance that allows individuals to choose not to enter the monitored area.

4. Protection of Deceased Persons’ Data

The GDPR generally only protects the data of living individuals. However, Slovenia has extended these protections significantly.

The Slovenian Deviation: ZVOP-2 provides a special legal status for the personal data of deceased persons for 20 years after their death.

  • Access Rights: Close relatives or entities with a proven legal interest can exercise data protection rights on behalf of the deceased.

  • Consent: If the deceased individual gave specific consent (or withdrawal of consent) for data processing during their lifetime, that wish must be respected posthumously.

5. The “Responsible Person” Fine System

One of the most distinctive aspects of the Slovenian legal system is how it applies administrative fines.

The Slovenian Specificity: In Slovenia, GDPR violations are treated as “minor offences” (misdemeanours). This allows the Information Commissioner to impose fines not only on the company (the legal entity) but also on the responsible person within the entity (e.g., the CEO, director, or DPO).

  • Corporate Fines: Up to €20 million or 4% of global turnover.

  • Individual Fines: Fines for responsible individuals typically range from €200 to €4,000, depending on the size of the entity and the severity of the breach.

Why Partner with Complico Consulting GmbH?

Operating in Slovenia requires a partner who understands the high transparency standards of the Information Commissioner and the unique “Responsible Person” liability risks. A generic EU privacy policy is rarely sufficient to meet the strict certification requirements for biometrics or the specific notification rules for CCTV.

At Complico Consulting GmbH, we provide the localized expertise you need:

  • ZVOP-2 Gap Analysis: We evaluate your current data processing activities against the specific Slovenian requirements for biometrics and public surveillance.

  • DPO & Representation: We ensure your Data Protection Officer structure meets Slovenian independence standards and manage all mandatory registrations with the Information Commissioner.

  • Liability Mitigation: We help identify and train “Responsible Persons” within your organization to minimize the risk of individual fines.

  • Deceased Data Strategy: For healthcare and financial firms, we help implement the 20-year post-mortem data management workflows required by law.

Secure Your Presence in Slovenia

Don’t let the complexities of ZVOP-2 or the threat of personal liability slow down your expansion. Contact Complico Consulting GmbH today for a comprehensive review of your Slovenian data protection strategy.