The Inspectorate for Personal Data Protection (the “Inspectorate”) is a special body within Slovenia’s Ministry of Justice, which enforces the Personal Data Protection Act, 1999 (the “Act”). In addition, Slovenia’s Human Rights Ombudsman (the “Ombudsman”) is charged with the role of protecting personal data.
The Act is very comprehensive and was amended in the years 2001, 2002, and later in 2005, to accord with Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995, on the protection of individuals with regard to the processing of personal data and the free movement of such data. The application of the Act extends to any person, irrespective of nationality, race, color, religious belief, or any other personal circumstance.
Personal data processed by individuals exclusively for private use is not protected under the Act. In addition to protecting data from being used unlawfully or in a way that may be harmful to the data subject, the Act also ensures that individuals can access, modify, or delete their personal data at any time. Slovenian law prohibits any type of activity concerning personal data collection and processing not expressly authorized by this Act. Moreover, in Slovenia, public entities may only process personal data that they are legally authorized to process, whereas private entities must receive written consent from the individuals who are the subject of such data.
What limitations are placed on the collection of personal information under the Act? According to the Act, personal data may be collected only for specific and lawful purposes, unless otherwise provided by statute. In addition, collected personal data must be accurate and must be stored in such a way as to ensure its continued accuracy. The Act also details the information that the data collector must provide to the data subject, including an explanation on the purpose of using such data, and contact information for a representative to whom the data subject may direct questions respecting his or her personal data. The collecting party may store the collected personal information only for as long as is necessary in order to carry out the purposes for which the data was collected.
What are the specific duties of persons who are in control of collecting and processing personal data?
Persons who collect and process personal data must establish and follow an internal protocol respecting such activities, which shall accord with the Act's rules. In particular, the Act details the necessary steps that service providers must take to ensure the security of personal data. For instance, the data controller must (1) ensure adequate protection of the premises in which the data is stored, (2) provide security of the software used for storage and processing of personal data, and (3) prevent unauthorized use of stored data during its transmission. The service providers’ internal policies regarding protection of personal data must also ensure that individuals employed or performing temporary work for the entity comply with those security policies both during their employment and thereafter. Finally, the Act set specific rules for the data controller's internal classification of personal data.
What are the roles and powers of the Inspectorate for the Protection of Personal Data and the Ombudsman of Human Rights, respectively?
The Inspectorate’s duties include supervision of the lawful handling of personal data and supervision of proper implementation of relevant laws. As its title suggests, the Inspectorate is entitled to use powers of inspection to perform its supervisory activities. Where the Inspectorate identifies violations respecting processing or use of personal data, it has the power to order rectification of such violations or establish preventive measures to protect the data. Appeals of the Inspectorate’s decisions are handled either directly by the Minister of Justice or submitted to an administrative court. The Inspectorate has a duty to report its activities to the Minister of Justice and to the Ombudsman. The Ombudsman, in turn, carries out independent supervision of the protection of personal data, thereby monitoring the Inspectorate and ensuring proper enforcement of the relevant laws. The Ombudsman has the power to perform its own inspections and undertake other initiatives to protect personal information. Finally, the Ombudsman is also entrusted with the role of deciding which right takes precedence in cases where the constitutionally protected right to protection of personal data conflicts with another right.
