Senior management and organisation
Please identify the authority’s senior management.
The head of the Slovenian National Supervisory Body for Personal Data Protection (the Information Commission) is Mojca Prelesnik (contact information at www.ip-rs.si/en/about/information-Commission/).
There are four deputies each responsible for their own specific area:
- Alenka Jerše (responsible for legal and international);
- Andrej Tomšič (responsible for prevention);
- Jože Bogataj (responsible for inspections); and
- Kristina Kotnik Šumah (responsible for access to public sector information).
The secretary general of the Information Commission is Sanja Vraber.
When was the head of the authority appointed?
The information commissioner was appointed in July 2014.
How long is their term of office?
Five years, with the possibility of one reappointment.
What is the process for nominating the head of the authority?
The information commissioner is appointed by the National Assembly on the proposal of the president. To be appointed the information commissioner must:
- be a citizen of the Republic of Slovenia;
- hold a university degree;
- have at least five years' professional experience; and
- not have been convicted by a final decision of a criminal offence punishable by unconditional deprivation of liberty.
What was the authority’s budget for the most recently available financial year?
The work of the Information Commission is financed from the state budget. In the 2017 fiscal year, total funds allocated by the National Assembly to finance the operations of the Information Commission amounted to €1,459,747.90 (€1,306,000 for wages; €134,247.90 for material costs; and €19,500 for investments). In the 2016 fiscal year total funds allocated amounted to €1,335,457.02 and in the 2015 fiscal year to €1,243,661.35.
How many data protection/privacy-focused staff does the authority employ?
Currently there are 42 employees in total for both areas of the Information Commission’s work (data protection and access to public information), including 19 legal experts and three IT experts; approximately 23 employees work exclusively in the area of data protection.
Contacting the authority
How and where should companies or their advisers contact the authority to notify a data breach? Please specify individuals, email addresses, URLs for online forms, etc.
The Information Commission has prepared a special form that can be used to notify a data breach. The form and other relevant information regarding notification are available at
How and where should companies or their advisers contact the authority to start the binding corporate rules approval process? Please specify individuals, email addresses, URLs for online forms, etc.
Companies or their advisers should contact the Information Commission by post (our address is Dunajska cesta 22, 1000 Ljubljana) or email ([email protected]).
What other contact information should companies and their advisers be aware of?
Legal and enforcement framework
What are your investigative powers?
In addition to the powers as defined by the GDPR, according to article 19 of the Inspection Act the inspector has, in conducting an inspection relating to a natural or legal person, the right to:
- inspect premises, facilities, equipment, work equipment, installations, articles, goods, materials, business books, contracts, deeds and other documents, and the business documentation of state bodies, corporations, institutions, other organisations and communities, and private individuals;
- enter the land of natural and legal persons;
- inspect business books, contracts, deeds and other documents and business documentation and, where these are managed and stored in electronic form, require that they be produced in written form certified as a true copy of the electronic original;
- hear the parties and witnesses in administrative proceedings;
- review documents by which the identity of persons can be established;
- obtain and use, free of charge, personal data and other information from official records and other databases where this is necessary for carrying out the inspection;
- take samples of goods and carry out examinations of the samples taken, free of charge;
- take samples of materials and equipment, free of charge, for the purpose of investigations;
- photograph, or record on another medium, persons, premises, facilities, plant, fixtures and other items;
- reproduce documents, audiovisual records and other materials;
- seize objects, documents and samples in order to preserve evidence;
- make a test purchase if this enables the detection of an offence being committed, or the obtaining of information on the offender; and
- perform other actions that are in accordance with the purpose of the inspection.
Furthermore, in accordance with article 53 of the Personal Data Protection Act, the Information Commission and its inspectors have the right to:
- review the documentation relating to the processing of personal data, regardless of its confidentiality or secrecy, and the transfer of personal data to a third country and the transmission to third parties of personal data;
- review the contents of personal data collections, regardless of their confidentiality or secrecy;
- review the documentation and acts governing the protection of personal data;
- inspect the premises, computer and other equipment, and technical documentation in which personal data are processed;
- check the measures and procedures for securing personal data and their implementation; and
- exercise other powers provided by the law governing inspection, by the law governing general administrative procedure and other laws.
Can you search premises or force the disclosure of information without having to approach the courts?
According to article 19 of the Inspection Act and article 53 of the Personal Data Protection Act, the Information Commission has the power to inspect premises, computer and other equipment, and technical documentation in which personal data are processed. The inspector also has the power to access the relevant documentation regarding the processing of personal data. In most cases we do not need to approach the court in order to do so; however, a court order has to be issued prior to the inspection of the premises of individuals, or in cases where this is required under article 37 of the Constitution to ensure respect for the right to privacy of communications. If a person, without justifiable reason, does not permit the inspector to enter the premises or to inspect other equipment or facilities, the inspector has the right to enter the premises with the assistance of the police (article 20 of the Inspection Act).
What fines can you impose on companies that breach data protection rules?
The GDPR has not yet been implemented in Slovenia in the form of a new Personal Data Protection Act. Therefore, at the moment the Information Commission is competent to impose fines in accordance with the rules laid out in the existing Personal Data Protection Act; the procedure for imposing the penalties regulated in the GDPR has not been defined yet. The Personal Data Protection Act is available at http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO3906.
The fines are regulated in part VII of the Personal Data Protection Act. The Information Commission has the power to impose the minimum penalty envisaged in the law. According to a judgment of the Supreme Court of Slovenia, there are as many offences as there are injured parties. Furthermore, article 17 of the Minor Offences Act regulates the permitted range of fines. For example, a fine may be imposed on a legal person in the range of €200 to €250,000, or, for medium-sized or large companies, €400 to €500,000.
What other measures can you take against companies that breach data protection rules?
The Information Commission has the power to issue a sanction or a warning. In terms of sanctions, it can issue a fine or a reminder. The Minor Offences Act is the law that regulates the measures mentioned.
What measures other than fines can you impose on a company that is breaching data protection rules?
The inspector at the Information Commission has the following powers in cases where a breach of the data protection rules has been established:
- to order the elimination of irregularities or deficiencies detected by the inspector, in the manner and within the time limit defined by the inspector;
- to order the prohibition of processing of personal data by persons in the public or private sector who have failed to ensure, or failed to implement, measures and procedures to secure personal data;
- to order the prohibition of processing of personal data and the anonymisation, blocking, erasure or destruction of personal data whenever the inspector concludes that the personal data are being processed in contravention of the statutory provisions; and
- to order the prohibition of the transfer of personal data to third countries, or their supply to foreign data recipients, if they are transferred or supplied in contravention of the statutory provisions or binding international treaty.
What emergency or interim measures can you take pending the full conclusion of your investigations?
Where there is an urgent need to protect the rights and freedoms of individuals, the inspector may, by interim decision and before the conclusion of the investigation, order any of the measures specified above.
Priorities and the future
What are your enforcement priorities over the next year? For example, are you targeting any particular topics, or industry sectors?
The Information Commission will this year (as in previous years) carry out, in addition to the handling of complaints, planned inspections in areas where, according to the risk assessment, there is a greater likelihood of violation of personal data protection rules; or in areas where the sensitivity of the processing of personal data is increased due to potential risks of serious adverse consequences for individuals to whom the data relates.
In carrying out such inspections, the Information Commission gives special attention in particular to the verification and provision of information security aimed at preventing the unauthorised processing of personal data, and the accidental or unauthorised destruction or loss of personal data. Planned inspections of compliance with the provisions of the regulations in the field of personal data protection will be carried out in the following year at selected ministries, administrative units, health institutions and private sector management units that carry out extensive processing of personal data.
What data protection/privacy-related guidelines have you issued to date?
To date we have issued a number of guidelines, all of which are available at www.ip-rs.si/publikacije/prirocniki-in-smernice/. Currently we are revising several guidelines to bring them into line with the GDPR. So far, two guidelines adjusted to the new regulation have been published (guidelines on consumer protection, and guidelines on data protection impact assessment).
Are you working on any further data protection/privacy guidelines or guidance, or on amending any of your current guidance? If so, what?
At the moment we are revising several guidelines, such as those on transfers to third countries, processing of personal data, privacy online, privacy policies, etc.
Would you like to see further reforms to your laws (beyond GDPR implementation legislation, if applicable) or to your enforcement framework? If so, what?
The GDPR has not yet been fully implemented in Slovenia; therefore, our main priority at present is the implementation of the law.