III. Privacy topics
Internet and consumer privacy
The revised Consumer Protection Act (CPA) that was enacted in January 2003 incorporates the EU E-Commerce Directive (2000/31/EC).1 Article 45(a) states that companies (e.g., direct marketing companies) may use automatic telephone dialling systems only with the consumer's prior consent. The same is true for fax messages and email messages (i.e. spam). The company must also remove the consumer from its contact list if he or she requests it. The fines average €4,200 for natural persons and €12,600 for companies. The CPA protects only individuals, but Article 109 of the Electronic Communications Act protects companies from receiving spam.
There is no regulation of cryptography in Slovenia. The Electronic Commerce and Electronic Signature Act and the PDPA even encourage the use of cryptography and digital signatures. Slovenia also recognises a right against self-incrimination, which means that a suspect cannot be compelled to reveal his cryptographic keys.2
The Labour Relations Act prohibits employers from asking employees or employment candidates questions about family matters, marital status, pregnancy, or other information that is not work-related.3
The Information Commissioner also prepared draft legislation regarding workplace privacy in 2009, but the draft has not been considered in parliament yet.
Case law dealing with a form of employee monitoring by the Ministry of Foreign Affairs is reported above.4
Health and genetic privacy
In 2008 the Patients Rights Act was adopted, which additionally defines rules regarding medical privacy and enacts additional safeguards regarding medical privacy.5
During the same year, the Commissioner dealt with serious cases of inadequate protection of sensitive personal data.6 During transport to the place where the data (orders for laboratory examinations) were supposed to be destroyed, cardboard boxes containing the data fell out of the truck and the data were scattered across the motorway. The data controller -- a primary healthcare centre -- had entrusted the transport and destruction of files containing personal data to a contracted data processor registered for waste collection and transport. The healthcare centre, however, had not set out the mutual obligations regarding data processing in a contract, as the PDPA requires. It had given no appropriate instructions on protecting the data during transport and destruction, nor had it supervised the contracted processor's execution of the procedures and measures for personal data protection. Because of the inadequate protection of personal data and the non-compliance with the statutory provisions on contractual processing, the Commissioner fined both the data controller (the health centre) and the processor -- the company contracted to transport and destroy the documentation.7
Another widely publicised case of inadequate protection of sensitive personal data was uncovered during an inspection of the Institute of Oncology. Medical documentation -- medical files containing data on deceased patients -- was found stored in more than a hundred open, unprotected cardboard boxes placed in a corridor. In the same publicly accessible corridor stood two cabinets containing partial documentation on patients currently receiving treatment. The data controller, which should have protected the data in accordance with the statutory provisions on sensitive data, was fined by the Commissioner.8
The Commissioner has also been supervising how employees in various public administration registers protect personal data, in particular the justifications for access to the central register of taxpayers.9 Under the PDPA, the data controller, in this case the Tax Administration of the Republic of Slovenia, was obliged to make it possible to determine subsequently when personal data were entered into the filing system, used or otherwise processed. This audit trail allowed the Commissioner to investigate all access to the taxpayer database concerning 15 well-known public figures from Slovenia. The Tax Administration handed over to the Commissioner a list of employees who had accessed the data of these 15 persons within a period of eight months in 2008. Each of the employees was asked to justify the processing, and it was determined that only 47 of the 200 employees had accessed the data lawfully, namely for the purpose of conducting a taxation procedure. The remaining employees had no justifiable reason for accessing the data. Curiosity was the most common reason given for looking up the age or address of public figures. The Commissioner issued warnings to the civil servants who had accessed the data without a sufficient legal basis, as a lesson that personal data may not be accessed without lawful justification.
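The investigation above relies on the PDPA traceability requirement: every access to the register is logged, and each access must later be matched to a lawful purpose. The following Python is an added illustration of that review step, not the Tax Administration's or the Commissioner's own tooling; the log entries, procedure records and identifiers (TP-001 etc.) are constructed, and "lawful" is modelled as an access by an employee who had an open taxation procedure for that subject on that date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Access:
    employee: str
    subject_id: str   # identifier of the register entry read (constructed values below)
    when: date
    action: str       # e.g. "read"; kept in the finding so a reviewer sees what was done

@dataclass(frozen=True)
class Procedure:
    employee: str
    subject_id: str
    opened: date
    closed: Optional[date]  # None means the procedure is still open

def is_justified(acc: Access, procedures: Iterable[Procedure]) -> bool:
    """True if the employee had a taxation procedure for this subject covering the access date."""
    return any(p.employee == acc.employee and p.subject_id == acc.subject_id
               and p.opened <= acc.when and (p.closed is None or acc.when <= p.closed)
               for p in procedures)

def review(accesses: Iterable[Access], procedures: Iterable[Procedure],
           watched: Set[str]) -> Dict[str, List[Access]]:
    """Map each employee to their unjustified accesses to the watched subjects."""
    findings: Dict[str, List[Access]] = {}
    for a in accesses:
        if a.subject_id in watched and not is_justified(a, procedures):
            findings.setdefault(a.employee, []).append(a)
    return findings

def summarise(accesses: Iterable[Access], procedures: Iterable[Procedure],
              watched: Set[str]) -> Tuple[int, int]:
    """(lawful accesses, total accesses) for the watched subjects, like '47 out of 200'."""
    in_scope = [a for a in accesses if a.subject_id in watched]
    return sum(is_justified(a, procedures) for a in in_scope), len(in_scope)

# Constructed sample data: two watched subjects, two procedures, five log entries.
WATCHED = {"TP-001", "TP-002"}
PROCEDURES = [Procedure("emp-a", "TP-001", date(2008, 2, 1), date(2008, 6, 30)),
              Procedure("emp-b", "TP-002", date(2008, 3, 1), None)]
ACCESSES = [Access("emp-a", "TP-001", date(2008, 3, 15), "read"),  # within procedure: lawful
            Access("emp-a", "TP-001", date(2008, 8, 1), "read"),   # after closure: unjustified
            Access("emp-c", "TP-002", date(2008, 4, 2), "read"),   # no procedure at all
            Access("emp-b", "TP-002", date(2008, 4, 2), "read"),   # open procedure: lawful
            Access("emp-c", "TP-999", date(2008, 4, 2), "read")]   # not a watched subject

if __name__ == "__main__":
    print(summarise(ACCESSES, PROCEDURES, WATCHED))
    for emp, hits in review(ACCESSES, PROCEDURES, WATCHED).items():
        print(emp, [(h.subject_id, h.when.isoformat(), h.action) for h in hits])
```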
- 1. Directive 2000/31/EC of the European Parliament and of the Council on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce), 8 June 2000, OJ L 178 17 July 2000, at 1-16, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2000:178:0001....
- 2. Article 5 of the Criminal Proceedings Act.
- 3. Article 26 of the Labor Relations Act.
- 4. Cf. "Major Privacy & Data Protection Case Law," supra.
- 5. Patients Rights Act (ZPacP), supra.
- 6. 12th Annual Report of Article 29 Data Protection Working Party (2008), supra at 93-94.
- 7. Id., at 93.
- 8. Id., at 93-94.
- 9. Id., at 94.