Following the record-long period, since May 25, 2018, during which Slovenia failed to adopt a relevant GDPR-implementing act, the Slovenian Government has sent a new draft of the Slovenian Data Protection Act for public discussion. If the parliamentary process runs uninterruptedly, the adoption of the new Act can be expected by the fall of this year.
Adoption of the new Act definitely has important implications not only for the business community but for the public sector as well. Once it is adopted, the Information Commissioner will be authorized to impose fines in accordance with the GDPR (which is currently not possible, as there is no legal basis in national laws), since the administrative fines pursuant to the GDPR will have a national status of a misdemeanor and the Information Commissioner will be the competent body for conducting the misdemeanor procedure. There are several other aspects of the proposed Act that are very relevant as well.
Such new provisions will force both international companies present in Slovenia and local companies to revisit their initial regulatory reviews in relation to data protection in Slovenia, which were conducted in 2018. Even though there are no major deviations from the GDPR, the devil is in the details.
Approach to the New Data Protection Act
Slovenia has a long-standing tradition in data protection, as it is a constitutional category. The first Slovenian Data Protection Act was adopted back in 1990, even prior to Slovenian independence. The law was then revised several times, most importantly following Slovenia’s accession to the EU. The idea of having a complete act, covering the field of data protection in one single piece of legislation, is deeply rooted in Slovenian legal culture, and the approach is believed to reaffirm legal certainty. Nevertheless, adoption of the GDPR required a revision of this strategy, and during the last three years several drafts, all with a different technical approach to implementing those GDPR provisions that needed it, were introduced. For the first time, the Slovenian Data Protection Act includes direct references to the GDPR, at least in relation to certain provisions.
The latest draft of the act follows the original from 1990, but it introduces several new legislative drafting styles, similar to those used in Germany, Austria, and the Slovak Republic. The legislative aim was to follow the GDPR, but at the same time widen certain aspects, especially in relation to the applicable legal principles (legality, fairness, proportionality, etc.) and to define some aspects more precisely, as it was believed some areas are intentionally left more general in the GDPR, to allow member states to implement them in a way to foster national peculiarities. The Slovenian legislator thus relied heavily on the opening clauses.
It goes without saying that this approach, at least to a certain degree, reflects the pan-European approach provided in the GDPR. Each country’s unique interpretation of the opening clauses affects whether it diminishes the pan-European approach or merely improves legal certainty. Slovenia’s current draft walks a thin line in this respect.
What Will be Regulated by the New Data Protection Act
In addition to the Information Commissioner’s ability to impose fines in accordance with the GDPR (which are of course much higher than currently applicable Slovenian fines), the draft act, inter alia, regulates the requirements for verifying the age of minors using information society services, conditions for processing personal data of deceased persons, conditions for processing genetic, biometric, and health-related data, the mandatory deletion of personal data after a certain amount of time, conditions for Data Protection Officers, and so on.
It is worth noting that the latest draft is an improvement over previous attempts. For example, it seems there will be no mandatory knowledge of the Slovenian language for Data Protection Officers – this will of course facilitate practices by international companies. On the other hand, there are some specifics that are challenging, such as prohibitions against the use of genetic or biometrical personal data for marketing or similar business purposes, even if the services are free of charge.
Considering the above, the draft still has a long road ahead, but at least it will be an interesting one. The act, once adopted, will definitely gain the attention of companies dealing with personal data.
By Marko Ketler, Senior Partner, and Kevin Rihtar, Senior Associate, Ketler & Partners, Member of Karanovic