Slovenia Data Privacy Laws: GDPR Implementation Guide (2026)

Slovenia holds a distinctive position in EU data protection history as the very last member state to adopt GDPR implementing legislation. While the GDPR applied directly in Slovenia from May 2018, the country did not finalize its national implementing law until December 2022, with ZVOP-2 entering into force in January 2023.
This extended delay created a period of legal uncertainty, but the resulting legislation is one of the more modern GDPR implementations in the EU, incorporating lessons learned from other member states' experiences. This guide covers Slovenia's complete data protection framework and what the new law means for compliance.
Legal Framework and GDPR Implementation
ZVOP-2 (Zakon o varstvu osebnih podatkov) is Slovenia's Personal Data Protection Act, adopted by the Slovenian National Assembly in December 2022 and entering into force on 26 January 2023. The legislation made Slovenia the last EU member state to fully implement the GDPR into its national legal system.

ZVOP-2 replaced the previous Personal Data Protection Act (ZVOP-1) from 2004, which had been partially superseded by the GDPR's direct application but remained in force where its provisions did not conflict with the regulation.
The new law implements and supplements the GDPR with national provisions on several key areas including the supervisory authority's powers, administrative penalties, processing logs, biometric data, video surveillance, and processing for journalistic and academic purposes.
Why the Delay?
Slovenia's nearly five-year delay in adopting implementing legislation resulted from protracted political and legal debates about several contentious provisions. Key areas of disagreement included the scope of the Information Commissioner's powers, the approach to administrative penalties, and the balance between data protection and freedom of expression. Multiple draft versions were proposed and withdrawn before the final text was adopted.
During the interim period (2018-2023), the GDPR applied directly, and provisions of the older ZVOP-1 that did not conflict with the GDPR continued to operate. However, this created practical difficulties, particularly regarding enforcement penalties, as the old law's fine limits were far below what the GDPR envisions.
Constitutional Foundation
The Slovenian Constitution protects the right to privacy through Article 35 (protection of the right to privacy and personality rights) and Article 38, which specifically addresses the protection of personal data. Article 38 provides that the protection of personal data shall be guaranteed, that the use of personal data contrary to the purpose for which it was collected is prohibited, and that the collection, processing, use, and supervision of personal data shall be regulated by law.
The Information Commissioner
The Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec, or IP) serves as the national supervisory authority for both data protection and access to public information. This dual mandate mirrors similar arrangements in Hungary and a few other EU member states.
The Information Commissioner is appointed by the National Assembly for a five-year term and operates independently from the government. The office handles complaints, conducts inspections, issues guidance, and enforces data protection legislation.
Enhanced Enforcement Powers Under ZVOP-2
One of the most significant changes introduced by ZVOP-2 is the expansion of the Information Commissioner's enforcement powers. Under the old ZVOP-1, fines ranged from EUR 4,170 to EUR 12,510, amounts that provided minimal deterrence for larger organizations.
Under ZVOP-2, the Information Commissioner can now impose administrative fines aligned with the GDPR's standard framework: up to EUR 10 million or 2% of worldwide annual turnover for certain violations, and up to EUR 20 million or 4% of worldwide annual turnover for the most serious infringements.
This dramatic increase in potential penalties transforms the enforcement landscape in Slovenia and gives the Information Commissioner meaningful financial tools for the first time since the GDPR began applying.
Fines and Penalties
The penalty framework under ZVOP-2 follows the GDPR's two-tier structure while also establishing specific fine ranges for various categories of violations.
For administrative offenses defined in ZVOP-2 itself, fines for legal entities range from EUR 100 to EUR 40,000. For GDPR violations, the standard GDPR penalty framework applies with the higher ceilings of EUR 10 million or EUR 20 million depending on the violation category.
Because ZVOP-2 only entered into force in January 2023, the enforcement record under the new penalty regime is still developing. The Information Commissioner is expected to pursue more active enforcement now that it has meaningful financial penalty tools available.
Mandatory Processing Logs (Traceability)
One of ZVOP-2's most innovative provisions is the requirement for mandatory processing logs in certain circumstances. This traceability requirement goes beyond the standard GDPR record-keeping obligations.
Organizations must maintain processing logs when they conduct large-scale processing of special categories of personal data (health data, biometric data, etc.) or when they systematically monitor individuals. These logs must record who accessed the data, when, and for what purpose, creating an audit trail that the Information Commissioner can examine during investigations.
Organizations were given a transition period until 26 January 2025 to fully implement this logging requirement. From that date forward, failure to maintain adequate processing logs for covered activities constitutes a compliance violation.
Biometric Data: Strict Restrictions
Slovenia takes an unusually strict approach to biometric data processing, with ZVOP-2 establishing multiple layers of protection beyond what the GDPR requires.
In the private sector, the use of biometric data generally requires prior approval from the Information Commissioner. This pre-authorization requirement is more stringent than the rules in most EU member states, which typically allow biometric processing based on the GDPR's standard legal bases without requiring advance regulatory clearance.
Additionally, ZVOP-2 explicitly prohibits the collection of biometric personal data for marketing purposes. This targeted prohibition addresses a specific concern about the commercial exploitation of biometric identifiers.
Before processing biometric data, private sector controllers must also provide prior written notice to affected individuals and, unless processing remains under the sole and exclusive control of the individual, obtain supervisory authority approval.
Video Surveillance
ZVOP-2 includes specific provisions on video surveillance that supplement the GDPR's general framework. The law establishes rules for the use of CCTV cameras in various contexts including workplaces, residential buildings, and public-facing premises.
Key requirements include the need for a legitimate purpose (typically security and property protection), clear signage informing individuals about the surveillance, proportionate retention periods, and data protection impact assessments for large-scale systems.
The Information Commissioner has issued guidance on acceptable camera placement, particularly regarding workplace surveillance where employee privacy interests must be balanced against security justifications.
Age of Digital Consent
Slovenia set the age of digital consent at 15 years old. Children aged 15 and older can independently consent to information society services such as social media platforms. Children under 15 require parental authorization.
Freedom of Information
Like Hungary, Slovenia's Information Commissioner holds a dual mandate covering both data protection and access to public information. The Access to Public Information Act establishes transparency obligations for government bodies, and the Information Commissioner enforces both privacy protection and public information access rights.
This dual role requires the Commissioner to balance competing interests when personal data intersects with public interest information, particularly regarding government officials and public spending.
Data Breach Notification
Standard GDPR breach notification requirements apply in Slovenia. Controllers must notify the Information Commissioner within 72 hours of becoming aware of a data breach that poses a risk to individuals' rights and freedoms. The Commissioner provides notification guidance and procedures on its website.
International Data Transfers
Slovenia follows the standard GDPR framework for international data transfers. Transfers outside the EEA require an adequacy decision, appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules, or applicable derogations.
Practical Compliance Tips
Organizations operating in Slovenia should be aware that the enforcement environment is transitioning. With ZVOP-2 providing the Information Commissioner with meaningful penalty powers for the first time, a period of increased enforcement activity is expected.
Review any biometric data processing activities carefully. Slovenia's requirement for prior supervisory authority approval is more restrictive than the rules in most EU member states, and processing biometric data without this clearance creates significant compliance risk.
Implement processing logs for any large-scale processing of special category data or systematic monitoring activities. The transition period, which ran until January 2025, has expired, and organizations should now have fully operational logging systems in place.
Organizations that relied on the relatively low penalty ceilings under the old ZVOP-1 as a factor in their compliance cost-benefit analysis should recalibrate. The jump from a maximum of EUR 12,510 to EUR 20 million fundamentally changes the risk calculus.
Disclaimer: This article provides general information about Slovenia's data privacy laws and is not legal advice. Data protection laws change frequently. Consult a qualified attorney licensed in Slovenia for guidance on your specific situation.