SLOVENIA
The Information Commissioner website: http://www.ip-rs.si/?id=195
The Personal Data Protection Act of the Republic of Slovenia (as amended in October 2007): http://www.ip-rs.si/fileadmin/user_upload/doc/ZVOP-1_in_ZVOP-1a__English_/30.10.07-Personal_Data_Protection_Act_of_Slovenia_status_2007_final_eng.doc
What needs to be done prior to collection?
NOTIFY THE SUPERVISORY BODY
Article 27 – Notification of the Supervisory Body
(1) Data Controller shall supply data from subparagraphs 1, 2, 4, 5, 6, 9, 10, 11, 12 and 13 of the first paragraph of Article 26 (below) of this Act to the National Supervisory Body for Personal Data Protection at least 15 days prior to the establishing of a filing system or prior to the entry of a new type of personal data
(2) Data Controller shall supply to the National Supervisory Body for Personal Data Protection modifications to the data from the previous paragraph no later than 8 days from the date of modification
(3) Deleted
Article 26 – Filing System Catalogue
Data Controller shall establish for each filing system a filing system catalogue containing:
(1) Title of the filing system
(2) Data on the data controller (for natural person: personal name, address where activities are performed or address of permanent or temporary residence, and for sole trader, his official name, registered office, seat and registration number; for legal person, title or registered office and address or seat of the data controller and registration number)
(3) Legal basis for processing personal data
(4) The category of individuals to whom the personal data relate
(5) The type of personal data in the filing system
(6) Purpose of processing
(7) Duration and storage of personal data
(8) Restrictions on the rights of individuals with regard to personal data in the filing system and the legal basis for such restrictions
(9) Data recipients or categories of data recipients of personal data contained in the filing system
(10) Whether the personal data are transferred to a third country, to where, to whom and the legal grounds for such transfer
(11) A general description of security of personal data
(12) Data on connected filing systems from official records and public books
(13) Data on the representative from the third paragraph of Article 5 of this Act (for natural person: personal name, address where activities are performed or address of permanent or temporary residence, and for sole trader, his official name, registered office, seat and registration number; for legal person, title or registered office and address or seat of the data controller and registration number)
Article 28 – Register
The National Supervisory Body for Personal Data Protection shall manage and maintain a Register of Filing Systems containing data from Article 27 of this Act
INFORM THE INDIVIDUAL OF THE PROCESSING OF THEIR PERSONAL DATA
Article 19 – Informing the Individual of the Processing of Personal Data
(1) If personal data are collected directly from the individual to whom they relate, the data controller or his representative must communicate to the individual the following information, if the individual is not yet acquainted with them:
- Data on the data controller and his possible representative (personal name, title or official name respectively and address or seat respectively)
- The purpose of the processing of personal data
(2) If in view of the special circumstances of collecting personal data from the previous paragraph there is a need to ensure lawful and fair processing of personal data of the individual, the person from the previous paragraph must also communicate to the individual the additional information, if the individual is not yet acquainted with them, and in particular:
- A declaration as to the data recipient or the type of data recipients of his personal data
- A declaration of whether the collection of personal data is compulsory or voluntary, and the possible consequences if the individual will not provide data voluntarily
- Information on the right to consult, transcribe, copy, supplement, correct, block and erase personal data that relate to him
(3) If personal data were not collected directly from the individual to whom they relate, the data controller or his representative must communicate to the individual the following information no later than on the recording or supply of personal data to the data recipient:
- Data on the data controller and his possible representative (personal name, title or official name respectively and address or seat respectively)
- The purpose of the processing of personal data
(4) If in view of the special circumstances of collecting personal data from the previous paragraph there is a need to ensure lawful and fair processing of personal data of the individual, the person from the previous paragraph must also communicate to the individual the additional information, if the individual is not yet acquainted with them, and in particular:
- A declaration as to the data recipient or the type of data recipients of his personal data
- A declaration of whether the collection of personal data is compulsory or voluntary, and the possible consequences if the individual will not provide data voluntarily
- Information on the right to consult, transcribe, copy, supplement, correct, block and erase personal data that relate to him
(5) Information from the third and fourth paragraphs of this Article shall not need to be ensured if in order to process personal data for historical, statistical or scientific research purposes it would be impossible or would incur large costs or disproportionate effort or would require a large amount of time, or if the recording or supply of personal data is expressly provided by statute.
What needs to be done prior to shipping?
PART V – TRANSFER OF PERSONAL DATA
Article 62 – Transfer of Personal Data to Member States of the European Union and the EEA
Whenever personal data are supplied to data controller, data processor or data recipient established, has its seat or is registered in a Member State of the European Union or the EEA or otherwise subject to the legal order thereof, the provisions of this Act on the transfer of personal data to third countries shall not apply.
Article 63 – Transfer of Personal Data to Third Countries
(1) The supply of personal data that are processed or will be processed only after being supplied to a third country, shall be permitted in accordance with the provisions of this Act and provided that the National Supervisory Body issues a decision that the country to which the data are transferred ensures an adequate level of protection of personal data
(2) The decision from the previous paragraph shall not be required if the third country is on the list of those countries from Article 66 (below) of this Act that have been found to fully ensure an adequate level of protection of personal data
(3) The decision from the first paragraph of this Article shall not be required if the third country is on the list of those countries from Article 66 of this Act that have been found in part to ensure an adequate level of protection of personal data, if those personal data are transferred and for those purposes for which an adequate level of protection has been found
Article 64 – Procedure for determining an adequate level of protection for personal data
(1) The National Supervisory Body shall initiate a procedure to determine an adequate level of protection of personal data in a third country on the basis of a conclusion of inspection supervision or at the suggestion of a natural person or legal person who can show a legal interest in the issuing of a decision
(2) At the request of the National Supervisory Body, the Ministry responsible for foreign affairs shall obtain from the competent body of a third party the necessary information as to whether such country ensures an adequate level of protection of personal data.
(3) The National Supervisory Body may obtain additional information on the adequate level of protection of personal data in a third country directly from other supervisory bodies and the competent body of the European Union
(4) The National Supervisory Body shall issue a decision within two months of receipt of full information from the second and third paragraphs of this Article. It may also issue a decision only for a certain type of personal data or for their processing for an individual purpose
(5) The National Supervisory Body shall be obliged no later than 15 days of the issuing of a decision that a third country fails to ensure an adequate level of protection of personal data to inform the competent body of the European Union in writing
Article 66 – List
The National Supervisory Body shall maintain a list of third countries for which it finds that have fully or partly ensured an adequate level of protection of personal data, or have not ensured such protection. If it has been determined that a third country only partly ensures an adequate level of protection of personal data, the list shall also set out in which part an adequate level has been ensured. The Chief National Supervisor shall publish the list in the Official Gazette of the Republic of Slovenia.
What are the sanctions for non-compliance?
PART VII – PENAL PROVISIONS – Article 91
A fine from EUR 4.170 to 12.510 shall be imposed for a minor offence on a legal person, sole trader or individual independently performing an activity:
- If he does not inform the individual of the processing of personal data in accordance with Article 19
- If he fails to ensure that the filing system catalogue contains data provided by statute (Article 26)
- If he fails to supply data for the needs of the Register of Filing Systems (Article 27)
- If he acts in contravention of Article 63 or in contravention of Article 70 transfers data to a third country
A fine from EUR 830 to 2.080 shall be imposed for a minor offence from the previous paragraph on the responsible person of the legal person, sole trader or individual independently performing an activity
A fine from EUR 200 to 830 shall be imposed for a minor offence on an individual who commits the Act from the first paragraph of this Article
APPENDIX 4 – CRIMINAL CODE – Article 154 – Abuse of Personal Data
Whoever contrary to the Statute uses personal data, which may be kept only on the basis of the statute or on the basis of the personal consent of the individual, to whom the personal data relate, shall be punished by a fine or by imprisonment of up to 1 year.
APPENDIX 4 – CRIMINAL CODE – Article 179 – Monetary Compensation
Please refer to The Information Commissioner website for further details on the Statute