Due to technological advances, it is becoming increasingly difficult for people to effectively manage the way their personal information is being collected and stored. It is thus quite surprising that the provisions of the Slovenian Personal Data Protection Act have managed to stay unchanged for almost ten years. But that does not mean that there have been no recent developments in the information privacy regulatory framework.
The most comprehensive changes are those reflected in the European Union Data Protection Reform. We are expecting a smooth and timely transition of the Slovenian jurisdiction to the new rule set. Regarding the changes to the rights of data subjects, we will be especially aware of developments involving the right to be forgotten, now called the right to erasure. We find that with general awareness of this instrument spreading through the public, erasure requests are becoming more and more common, especially with high-net-worth individuals. The data controllers and processors that we work with are, on the other hand, most interested in the new obligation to designate a special data protection officer and the noticeably higher ceiling for fines that can be imposed for breaching data protection rules. Considering the fact that the current Slovenian Personal Data Protection Act sets the maximum fine at only EUR 12,510 while the new fines can potentially go into millions of euros, data protection compliance will gain additional attention.
On the national level, the recent regulatory changes in personal data protection were mostly conducted through executive acts and the guidelines of the Slovenian Information Commissioner. The Government of the Republic of Slovenia has published a decree on unmanned aircraft systems that the Information Commissioner has been requesting for quite some time. The decree primarily regulates flight rules, permits, and supervision, but with regards to data protection the decree also (in Article 19) requires operators of unmanned aircraft weighing 5 kilos or more who are planning to operate in urban areas and operators of unmanned aircraft weighing 25 kilos or more who are planning to operate in other residential, business, or recreational areas to prepare a preliminary assessment of the effects of their activities with regards to personal data protection. This assessment must be prepared on a prescribed form and sent to the Information Commissioner. The assessment must contain information such as the type of data that will be captured, stored, or processed, the legal basis, the purpose of use, and the time period of data storage. This new source of information enables the Information Commissioner to more effectively supervise drone usage, and a fine of up to EUR 2,000 can be levied on operators for not providing the Information Commissioner with the necessary information.
The Information Commissioner has been regularly issuing practical guidelines for database operators about the particular database safety measures required in certain situations and on how invasive data-gathering may be without breaching the minimum statutory level of personal data protection. The changes most relevant to the everyday needs of our corporate clients are those contained in the new Guidelines on personal data protection within employment relationships. These guidelines were necessary, as only biometric measures and video surveillance are specifically regulated in the Personal Data Protection Act, while monitoring Internet, email, and telephone use, gathering specific personal data, and conducting GPS and other types of surveillance on the workplace are not.
As a notable share of the Slovenian economy is still owned (either directly or indirectly) by the Government, the provisions of the regularly amended Public Information Access Act are also an important aspect of the country’s Data Protection practice. As a lot of the amendments involve widening the scope of public disclosure, numerous provisions were considered controversial and were contested in and partially repealed by the Constitutional court.
In January, the Constitutional court delivered another landmark decision preserving the public disclosure requirement for business information in consulting and similar contracts that companies in majority public ownership have entered into with third-party providers. The court has stated that in these cases the needs of the public interest do justify lowering the necessary level of private data protection. Due to the general applicability of this decision, we anticipate that future amendments of the Act will continue to be steered in the direction of increased public disclosure.
By Branko Ilic, Partner, and Miha Babic, Associate, ODI Law
This Article was originally published in Issue 4.2 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.