I. Legal framework
Constitutional privacy and data protection framework
Privacy rights are covered in the second section of the Constitution, which protects various aspects of privacy. Article 35 on the Protection of the Right to Privacy and of Personal Rights states, "The physical and mental integrity of each person shall be guaranteed, as shall be his right to privacy and his other personal rights." Article 37 on the Protection of Privacy of Post and Other Means of Communication states, "The privacy of the post and of other means of communication shall be guaranteed. In accordance with the statute, a court may authorise action infringing on the privacy of the post or of other means of communication, or on the inviolability of individual privacy, where such actions are deemed necessary for the institution or continuance of criminal proceedings or for reasons of national security."3
Article 38 on the Protection of Personal Data specifically deals with data protection. It states, "The protection of personal data relating to an individual shall be guaranteed. Any use of personal data shall be forbidden where that use conflicts with the original purpose for which it was collected. The collection, processing and the end-use of such data, as well as the supervision and protection of the confidentiality of such data, shall be regulated by statute. Each person has the right to be informed of the personal data relating to him which has been collected and has the right to legal remedy in the event of any misuse of that data."4
Privacy and data protection laws and regulations
Slovenia has been a member of the European Union since 2004, and EU directives must therefore be transposed into its national law. In 1999 Slovenia enacted the Personal Data Protection Act (PDPA), based on the EU Data Protection Directive 95/46/EC5 and the Council of Europe (CoE) Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention No. 108).6 Under this law, private entities may process personal data only with the individual's written consent or where the processing is regulated by statute.
On 1 January 2005, a new version of the PDPA came into force. The new act modernises the previous version, dating from 2001, and responds to developments in personal data processing in recent years. The PDPA now covers automated decision making, the use of video surveillance cameras, biometrics, and the recording of entries to and exits from premises. The PDPA meets all requirements of the 1995 EU Data Protection Directive.7
The PDPA provides that anything not explicitly permitted in connection with the collection and processing of personal data is prohibited. Public entities may process only personal data for which they have statutory authorisation, while private entities must obtain written consent from individuals. Persons whose personal data are collected must be informed in advance of the purpose of the collection (when giving their written consent, or where the purpose of collection is authorised by law). In principle, personal data may be kept only for as long as needed to meet that purpose and must be deleted or blocked once it is met; all exemptions must be defined by law. Video surveillance in the workplace is permitted only under special circumstances (where it is necessary for the security of people or property or for the protection of classified data or business secrets, and this purpose cannot be achieved by less intrusive means). Employees must be given written notice of such a measure; the same applies to the use of biometrics in the private sector.
The PDPA also defines the duties of the data controller in detail. Use of the same identifier across databases maintained in the areas of public safety, state security, defence, the judiciary and health is prohibited, and such databases may be linked only on a legal basis or with the individual's written consent. The data controller must allow the individual access to his or her data free of charge within 15 days of receiving a request, and must provide a copy of the data within 30 days of receiving the request. A controller that fails to meet this obligation must give its reasons in writing. Where an individual's personal data have been transferred to recipients, the controller must, at the individual's request, supply the list of recipients within 30 days.
If an individual shows that his or her personal data were collected in breach of the law, the data controller must delete the data, or update and correct them if they are inaccurate or incomplete, at the controller's own expense. The controller must also keep a separate catalogue for each database, describing, among other things, the kind of data collected and the manner of collection, the purpose of use and the duration of storage, the list of users and the security measures applied. Furthermore, the Ministry of Justice, then responsible for the protection of personal data, had to keep a register of all databases containing personal data; the information in this register is supplied by data controllers and is publicly available on the Internet (the register is now maintained by the Information Commissioner, as noted below).
Special protections apply to "sensitive data," defined as data on racial or other origin, political, religious or other beliefs, trade union membership, sexual behaviour, criminal convictions and medical data. Such data must be specially labelled and may be transmitted over telecommunications networks only if protected by "encryption methods" and an "electronic signature" so that they cannot be read by unauthorised parties. The law also restricts cross-border transfers: data may be transferred only to countries whose data protection framework is as adequate as Slovenia's. Article 62 of the PDPA explicitly states that no cross-border restrictions apply to transfers to EU Member States.
Amendments to the PDPA also introduced exemptions from the obligation to notify data filing systems to the Information Commissioner, and removed the obligation to prepare internal acts on the protection of personal data for data controllers with fewer than 50 employees. Special rules were also adopted on the costs of an individual's exercise of the right of access to his or her personal data held by data controllers.
Besides the PDPA, sector-specific legislation governs the processing of personal data in particular fields. Among these is the Electronic Communications Act (ZEKom-B), amended in 2009.8 The amendment shortened the data retention period (from 24 months to 14 months for telephone communications and eight months for Internet communications) and laid down new rules, with appropriate safeguards, for the rapid disclosure of traffic and location data in cases involving the protection of human life.9 Additional safeguards regarding privacy and data retention are set out in the General Act on the Secrecy, Confidentiality and Safety of Electronic Communications, the Retention of Data and the Protection of Data Stored, adopted in 2008.
The Patients' Rights Act, adopted in 2008, also contains provisions on medical privacy.10
The Law on National Statistics regulates the privacy of information collected for statistical purposes.11
The Penal Code sanctions invasions of territorial privacy in Articles 149 and 152. Article 149 prohibits the unauthorised recording or photographing of individuals or their premises where this seriously invades their privacy. Article 152 sanctions violation of the home by unauthorised entry into, or search of, private premises, or an attempt to do so.
Data protection authority
With the merger of two offices, the Inspectorate for Personal Data Protection and the Commissioner for Access to Public Information, the Information Commissioner, an autonomous and independent body, was established on the basis of the Information Commissioner Act (ICA) on 31 December 2005.12 The body supervises both the protection of personal data and access to public information.13 The competencies of the Information Commissioner, as laid down in the ICA, the PDPA and the Inspection Act (IA), are relatively wide.14
The establishment of the office of the Information Commissioner had a strong impact on personal data protection in Slovenia. Much of this strengthened activity can be attributed to a substantial increase in staff, which resulted in swifter responses to complaints, more legal opinions, a more pre-emptive approach to data protection and wider public awareness of the right to privacy.
As regards the Information Commissioner's inspection competencies, the number of investigated cases continued to rise sharply: 231 complaints were received in 2006 (up from 91 in 2005 and 78 in 2004). Of these, 88 concerned the public sector and 143 the private sector. Most complaints in the public sector dealt with the unlawful transfer of personal data (35), unlawful collection of personal data (17) and insufficient protection of personal data (16), whereas unlawful transfer of personal data (41), unlawful implementation of video surveillance (28) and disproportionate collection of personal data (24) were among the most common complaints regarding the private sector. In 41 cases the State Supervisors found no breach of the PDPA and the cases were dismissed.15
During 2009, the Information Commissioner received 624 applications and complaints concerning suspected violations of the Personal Data Protection Act: 219 in the public sector and 405 in the private sector. Of the public sector cases, 165 were applications and complaints against public sector legal entities and 54 were procedures initiated ex officio; of the private sector cases, 332 were applications and complaints against private sector entities and 73 were procedures initiated ex officio. The number of applications concerning alleged violations of the Personal Data Protection Act thus remained at almost the same level as in 2008 (from 1996 to 2008 the number of complaints had increased exponentially). Following assessment of the applications and ex officio cases, 124 inspection procedures were initiated in relation to public sector entities and 267 in relation to private sector entities, and 298 physical inspections were carried out in the course of these procedures. On the basis of Article 33 of the Inspection Act, 66 cautions were issued for minor irregularities, and 47 regulatory and administrative decisions were handed down ordering the liable persons to take measures to rectify the irregularities established. Finally, 338 inspection procedures were concluded with a decision to stay the proceedings.
In 2009, most cases of suspected violations of the Personal Data Protection Act pertained to: illegal collection or request for personal data (134 instances); disclosure of personal data to unauthorised users by a personal data collection controller (110); illegal publication of personal data, for example on notice boards and in the media (77); illegal video surveillance (57); insufficient security measures to ensure adequate protection of personal data (54); misuse of personal data for the purpose of direct marketing (38); other issues, such as illegal implementation of biometrics, as well as the processing of personal data in a manner discordant with the purpose for which it was collected (27).16
The Information Commissioner also manages and maintains the Register of data filing systems of data controllers which is available at the Commissioner's website.17
In 2008 the Information Commissioner decided a case concerning the unlawful processing of personal data by two insurance companies. The inspection procedure revealed that personal data on 2,382 former insured persons had been transferred without any legal basis or the consent of the individuals concerned. The Information Commissioner imposed fines for the unlawful collection and transmission of the personal data of 26 individuals, for whom conclusive evidence was available, as well as for making such data available and for failing to ensure any traceability of the transfer itself. One insurance company appealed against the Information Commissioner's ruling and sought judicial protection; the other paid half of the fine and formally appealed the remainder. The fines are the highest ever imposed by the Information Commissioner.
Major privacy and data protection case law
In 2008, the Information Commissioner issued a regulatory decision in a case against the Ministry of Foreign Affairs concerning the lawfulness of the processing of personal data by acquiring a list of telephone numbers from the fixed telephone network, comprising both the numbers dialled and the numbers from which incoming calls had been made. The Ministry was ordered to destroy the CD on which the list was stored.18
For the purpose of an internal investigation within the Ministry, aimed at identifying the employee who had handed diplomatic correspondence to a journalist of a daily newspaper, all traffic data from a certain period were collected, creating a database of approximately 110,000 items of traffic data. Under the Electronic Communications Act,19 traffic data enjoy double protection: the protection of the privacy of correspondence and other means of communication under Article 37 of the Constitution of the Republic of Slovenia, and the protection of personal data under Article 38 of the Constitution.20 Since traffic data are personal data, as they relate to an identified or identifiable natural person, an unlawful intervention such as this entails a double violation of rights, affecting both the employees of the Ministry and all those whom they called or who dialled their telephone numbers. The Information Commissioner found that the Ministry had acquired and used the data for the inadmissible purpose of examining traffic data to establish which employees had called the newspaper. Moreover, a clear lack of proportionality was established: despite the acquisition of the traffic data, no evidence was found that anyone had actually leaked a specific document.21
Other relevant case law concerning privacy and data protection is categorised and discussed under the corresponding section.22
- 1. Constitution of the Republic of Slovenia 1991, available at http://www.up-rs.si/up-rs/uprs-eng.nsf/dokumentiweb/063E5907BE5B679CC125....
- 2. Komentar Ustave Republike Slovenije (Comments about the Constitution of the Republic of Slovenia) 369 (Sturm & Lovro eds., Ljubljana, Fakulteta za podiplomske drzavne in evropske studije 2002).
- 3. The means of communication are interpreted in the widest sense of the word: it may include telephone communications, emails, SMS messages and the like, since the form or content of communication is irrelevant in this context. Privacy protection also applies to private telecommunication systems, as well as traffic data, which are also an integral part of communications (i.e., telephone numbers, data about the duration of a communication or the quantity of data transmitted, etc.). Id. at 395-396.
- 4. Constitution of the Republic of Slovenia 1991, supra.
- 5. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23 November 1995, at 31-50, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:E....
- 6. Personal Data Protection Act, Official Gazette of the Republic of Slovenia, No.86/04 and 113/05, available at http://www.ip-rs.si/index.php?id=339.
- 7. Directive 95/46/EC, supra.
- 8. A 2007 version of the Act (before it was amended in 2009) is available in English at http://www.ip-rs.si/index.php?id=504.
- 9. ZEKom-B, 2009 amended version available in Slovenian at http://www.uradni-list.si/1/objava.jsp?urlid=2009110&stevilka=4985. Cf. Section "Data Retention," infra in this Report.
- 10. Patients' Rights Act (ZPacP), in Slovenian at http://www.ip-rs.si/zakonodaja/zakon-o-pacientovih-pravicah/.
- 11. Law on National Statistics, 25 July 1995.
- 12. Information Commissioner Act, published in Official Gazette of the Republic of Slovenia, No. 113/2005, unofficial English translation available at Information Commissioner's website, at http://www.ip-rs.si/index.php?id=325.
- 13. Id.
- 14. Inspection Act, Official Gazette of the Republic of Slovenia No.43/07.
- 15. Email from Sonia Bien and Andrej Tomsic, Information Commissioner of Slovenia, to Allison Knight, Research Director, Electronic Privacy Information Center, 30 May 2007 (on file with EPIC).
- 16. For more detailed information, see Information Commissioner 2009 Annual report, available in English at http://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/Annual-report-200....
- 17. Information Commissioner of Slovenia, in Slovenian at http://www.ip-rs.si.
- 18. 12th Annual Report of Article 29 Data Protection Working Party (2008), 16 June 2009, at 92, available at http://www.ip-rs.si/index.php?id=325.
- 19. Cf. Section "Data Retention," infra.
- 20. Cf. Section "Constitutional Privacy and Data Protection Framework," supra.
- 21. 12th Annual Report of Article 29 Data Protection Working Party (2008), supra, at 92.
- 22. Cf. Section "Data Protection Authority," supra, and Sections "Data Retention," "Video Surveillance," "Health & Genetic Privacy," and "Financial Privacy," infra.