Slovenia Data Privacy Laws: GDPR, ZVOP-2, and the Information Commissioner (2026)

Slovenia protects personal data through three overlapping layers: the EU GDPR (Regulation 2016/679), ZVOP-2 (in force 26 January 2023), and Article 38 of the 1991 Constitution. The Information Commissioner enforces all three and can impose fines up to EUR 20 million for serious violations.
Slovenia occupies a distinctive position in European data protection history: it was the last EU member state to adopt national legislation implementing the GDPR, completing the transition only in January 2023. Yet the resulting framework is also notably modern, incorporating lessons from nearly five years of practical GDPR experience across the EU.
This guide covers the full Slovenian data protection framework: from the constitutional foundation to ZVOP-2's most innovative provisions, the Information Commissioner's expanding enforcement record, cross-border transfer rules, and the country's emerging role in EU AI Act supervision.
Quick Answer
Slovenia's data protection system is built on three layers. At the top sits the EU GDPR (Regulation 2016/679), which has applied directly since May 25, 2018. Below that is ZVOP-2 (the Personal Data Protection Act), which entered into force on 26 January 2023 and fills in the areas the GDPR left to member states. Underlying both is Article 38 of the Slovenian Constitution, which makes personal data protection a fundamental constitutional right. The Information Commissioner (Informacijski pooblaščenec) enforces all three.
For businesses operating in Slovenia, the practical compliance checklist adds several Slovenia-specific requirements on top of standard GDPR compliance: pre-authorization for biometric data processing, mandatory traceability logs for certain high-risk activities, expanded DPO appointment obligations, and an administrative fine structure routed through the minor-offence (misdemeanour) framework.
Constitutional Foundation: Article 38
Slovenia's 1991 Constitution enshrines personal data protection as an explicit fundamental right. Article 38 guarantees the protection of personal data, prohibits the use of personal data contrary to the purpose for which it was collected, and requires that the collection, processing, use, and supervision of personal data be regulated by statute. It also guarantees judicial protection in cases of abuse.
This is meaningfully different from the EU's approach, where data protection derives partly from Article 8 of the EU Charter of Fundamental Rights (which became legally binding only with the Lisbon Treaty in 2009). Slovenia's constitutional protection predates both the EU Charter and the GDPR by decades.
The Constitutional Court of the Republic of Slovenia (Ustavno sodišče) is the ultimate arbiter of Article 38 rights. Its decisions shape how the Information Commissioner and ordinary courts interpret the boundaries of lawful processing and the reach of data subject rights.
Article 35 of the Constitution provides parallel protection for the general right to privacy and personality rights. Together, Articles 35 and 38 create overlapping layers of constitutional privacy protection that inform every statutory provision in ZVOP-2.
The Road to ZVOP-2: Slovenia's Late Transposition
The GDPR became directly applicable across all EU member states on 25 May 2018. Most member states adopted national implementing laws around the same time or within a year. Slovenia did not. For nearly five years, the country operated under a patchwork of the directly applicable GDPR and the provisions of the old ZVOP-1 (2004) that did not conflict with it.
The delay was not simple administrative slowness. Multiple draft versions of ZVOP-2 circulated between 2017 and 2022, each sparking political and legal controversy over specific provisions. Core disputes included the scope of the Information Commissioner's investigative powers, the mechanism for imposing administrative fines (the GDPR requires large fines, but Slovenian constitutional law constrains how regulatory fines are structured), and the balance between data protection and freedom of expression in journalism and research.
The constitutional constraint on fines is worth understanding. Under Slovenian law, large administrative fines must generally be channelled through the misdemeanour (minor-offence) framework, which carries procedural protections for respondents. ZVOP-2 resolved this by providing that GDPR administrative fines are treated as misdemeanours, with the Information Commissioner acting as the misdemeanour authority. This is why the ZVOP-2 penalty structure looks different from the equivalent provisions in, say, German or French law.
ZVOP-1 had capped fines at EUR 12,510, an amount that provided minimal deterrence for larger organisations. During the ZVOP-1 period, the enforcement environment in Slovenia was among the softest in the EU. ZVOP-2 changed that fundamentally.
The final text was adopted by the National Assembly in December 2022 and entered into force on 26 January 2023, making Slovenia the last EU member state to complete its GDPR implementation.
The Information Commissioner
The Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec) serves as the national supervisory authority under Article 51 of the GDPR. The Commissioner is appointed by the National Assembly for a five-year term and operates independently of the government. The office handles complaints, conducts inspections, issues guidance, issues binding decisions, and enforces both GDPR and ZVOP-2.
Slovenia's Commissioner holds a dual mandate covering data protection and access to public information (under the Access to Public Information Act). This mirrors similar arrangements in Hungary and a few other EU member states. The dual mandate requires the Commissioner to balance competing interests when personal data overlaps with public interest information, a tension that arises frequently in cases involving government officials, public procurement, and judicial records.
Enforcement Powers Under ZVOP-2
Under the old ZVOP-1, the Commissioner's fine ceiling was EUR 12,510. Under ZVOP-2, the Commissioner can impose fines aligned with the full GDPR framework:
- Up to EUR 10 million, or 2% of worldwide annual turnover, for violations of processor obligations, data security requirements, DPO rules, and notification obligations
- Up to EUR 20 million, or 4% of worldwide annual turnover, for violations of core GDPR principles, legal basis requirements, data subject rights, and international transfer rules
For violations of ZVOP-2-specific provisions (as opposed to GDPR violations), fines for legal entities range from EUR 100 to EUR 40,000.
All fines are channelled through the misdemeanour procedure, giving respondents procedural rights including the right to be heard and to challenge decisions before the misdemeanour courts.
Recent Enforcement: 2024 Decisions
The GDPRhub enforcement database documents several significant Information Commissioner decisions from 2024:
In case 0609-20/2024/6 (March 2024), the Commissioner held that a controller lacked a lawful basis under Article 6(1) GDPR and had violated the fundamental data processing principles under ZVOP-2's Article 96(1).
In case 0603-56/2024/6, the Commissioner found that the Slovenian Police had unlawfully refused a data subject's erasure request under Article 17 GDPR regarding a SIS II (Schengen Information System) alert and ordered deletion within three days.
In case 0600-43/2024/12 (March 2025), the Commissioner held that redirecting emails from one address to another without a legal basis violated Articles 5(1)(a) and 6(1) GDPR, an important ruling for common IT practices.
In case 0602-18/2024/43 (June 2025), the Commissioner found a controller had failed to respond to a data subject access request within the required period and had failed to provide a complete copy of personal data, violating Articles 12 and 15 GDPR.
These decisions reflect a shift from the near-dormant enforcement environment of the ZVOP-1 era toward active case-by-case enforcement across a range of controller types and violation categories.
Legal Bases for Processing
ZVOP-2 does not modify the six legal bases for processing set out in Article 6 GDPR. All six remain available in Slovenia:
- Consent of the data subject
- Performance of a contract or steps prior to entering a contract
- Compliance with a legal obligation
- Protection of vital interests
- Performance of a task in the public interest or exercise of official authority
- Legitimate interests of the controller or a third party (subject to the balancing test)
ZVOP-2 addresses direct marketing specifically. Where direct marketing relies on legitimate interests under Article 6(1)(f), controllers must ensure the balancing test accounts for data subjects' reasonable expectations. The law does not restrict legitimate interests as a basis for direct marketing but requires careful documentation of the balancing assessment.
For special categories of personal data under Article 9 GDPR (health data, biometric data, racial or ethnic origin, religious beliefs, etc.), consent must be genuinely explicit. Information Commissioner guidance treats ticking an express consent checkbox as the standard form of explicit consent to special-category processing.
Data Subject Rights
Slovenia gives full effect to all data subject rights under Chapter III of the GDPR:
- Right of access (Article 15): controllers must respond within one month, with a two-month extension available for complex requests
- Right to rectification (Article 16)
- Right to erasure (Article 17): the right to be forgotten, subject to the GDPR's exceptions
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20): applies only to processing based on consent or contract, carried out by automated means
- Right to object (Article 21): particularly important for direct marketing, where objection is absolute
- Rights related to automated decision-making and profiling (Article 22)
The Information Commissioner provides guidance on exercising these rights at ip-rs.si/en/data-protection/my-rights. Complaints about rights violations can be filed directly with the Commissioner's office without charge.
Data Protection Officers (DPOs)
ZVOP-2 expands on the GDPR's DPO appointment requirements in ways that affect a broader range of organisations.
Under Article 37 GDPR, DPO appointment is mandatory for (1) public authorities, (2) controllers or processors whose core activities require large-scale regular and systematic monitoring of individuals, and (3) controllers or processors whose core activities involve large-scale processing of special categories of data or data relating to criminal convictions.
ZVOP-2 broadens this requirement. The DPO obligation is explicitly extended to a wider category of organisations processing personal data in Slovenia, particularly in the public sector. ZVOP-2 also sets qualification requirements: the DPO must have at least three years of working experience in data protection, or hold nationally or internationally recognised certificates in data protection law.
ZVOP-2 further requires that the DPO's designation be communicated to the Information Commissioner within a specified period and published in a manner accessible to data subjects. This registration and publication requirement goes beyond what the GDPR itself mandates.
Breach Notification
Standard GDPR breach notification requirements apply. Under Article 33 GDPR, controllers must notify the Information Commissioner within 72 hours of becoming aware of a personal data breach that poses a risk to the rights and freedoms of individuals. Where notification cannot be made within 72 hours, the reasons for the delay must accompany the notification.
If the breach is likely to result in a high risk to individuals, Article 34 GDPR requires the controller to also notify the affected data subjects without undue delay.
Common breach causes documented in Slovenia include: sending personal data to unauthorised or incorrect recipients; unauthorised access due to software errors or misuse of employee authorisations; ransomware and other cyberattacks; and loss or theft of physical data carriers.
The Information Commissioner accepts breach notifications through its official portal and publishes guidance on notification procedures at ip-rs.si/en.
Mandatory Processing Logs (Traceability)
One of ZVOP-2's most distinctive provisions requires controllers to maintain mandatory processing logs (traceability logs) for certain high-risk activities. This goes beyond the standard Record of Processing Activities (RoPA) required under Article 30 GDPR.
Processing logs are required where:
- An automated system processes personal data of more than 100,000 individuals
- An automated system processes special-category personal data of more than 10,000 individuals
- The processing involves systematic and regular monitoring of individuals
- A Data Protection Impact Assessment has identified a risk that can be effectively managed by maintaining a processing log
The log must record who accessed the personal data, when, and for what purpose, creating an audit trail that the Information Commissioner can examine during investigations and inspections.
Organisations were given a two-year transition period until 26 January 2025 to implement compliant logging systems. That deadline has passed. Failure to maintain adequate logs for covered activities now constitutes a ZVOP-2 violation subject to fines.
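As an added illustration (not code from the page or from the Information Commissioner), the following Python sketch applies the four log triggers listed above to a described processing activity and keeps an access log with the who, when and purpose fields the text names. The hash chaining that makes the log tamper-evident is an assumed design choice for an inspectable audit trail, not something ZVOP-2 itself prescribes.

```python
"""Added example: ZVOP-2 traceability-log helper (assumed design, not the
Information Commissioner's code). Thresholds and required fields follow the
article; hash chaining is an added integrity measure, not a legal requirement."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Thresholds as stated in the text: "more than" means strictly greater than.
ORDINARY_THRESHOLD = 100_000
SPECIAL_CATEGORY_THRESHOLD = 10_000


@dataclass
class ProcessingActivity:
    name: str
    automated: bool
    data_subjects: int
    special_category: bool = False
    systematic_monitoring: bool = False
    dpia_recommends_log: bool = False


def log_required(activity: ProcessingActivity) -> list[str]:
    """Return the ZVOP-2 triggers that apply (empty list = no log required)."""
    reasons = []
    if activity.automated and activity.data_subjects > ORDINARY_THRESHOLD:
        reasons.append("automated processing of >100,000 individuals")
    if (activity.automated and activity.special_category
            and activity.data_subjects > SPECIAL_CATEGORY_THRESHOLD):
        reasons.append("automated special-category processing of >10,000 individuals")
    if activity.systematic_monitoring:
        reasons.append("systematic and regular monitoring")
    if activity.dpia_recommends_log:
        reasons.append("DPIA identified a risk manageable by logging")
    return reasons


class TraceabilityLog:
    """Append-only access log recording who, when and for what purpose.

    Each entry stores the SHA-256 of the previous entry (assumed design), so
    editing or deleting a past entry breaks the chain and is detectable.
    """
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        return hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def record(self, who: str, purpose: str, subject_ref: str,
               when: Optional[datetime] = None) -> dict:
        """Append one access event; timestamps must be timezone-aware."""
        when = when or datetime.now(timezone.utc)
        if when.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        prev = self._digest(self.entries[-1]) if self.entries else self.GENESIS
        entry = {"who": who, "when": when.isoformat(), "purpose": purpose,
                 "subject_ref": subject_ref, "prev": prev}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if every entry still links to the hash of its predecessor."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            prev = self._digest(entry)
        return True

    def accesses_to(self, subject_ref: str) -> list[dict]:
        """Entries an inspector would ask for regarding one data subject."""
        return [e for e in self.entries if e["subject_ref"] == subject_ref]
```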
Biometric Data: Stricter Than GDPR

Slovenia imposes requirements on biometric data that go significantly beyond what the GDPR requires as a baseline.
In the private sector, processing biometric data as a means of identification or authentication requires prior approval from the Information Commissioner. This pre-authorisation requirement distinguishes Slovenia from the majority of EU member states, which allow biometric processing to proceed on standard GDPR legal bases (typically explicit consent or, in limited cases, employment law necessity) without advance regulatory clearance.
Before processing biometric data, private-sector controllers must also:
- Provide prior written notice to affected individuals
- Obtain supervisory authority approval unless the processing remains under the sole and exclusive control of the individual
ZVOP-2 explicitly prohibits the collection of biometric personal data for marketing purposes. This targeted ban addresses commercial uses such as facial recognition for targeted advertising.
Employers should note that biometric time-and-attendance systems common in Slovenian workplaces fall squarely within this framework. Deploying such a system without Information Commissioner approval creates substantial compliance exposure.
Video Surveillance
ZVOP-2 includes a dedicated chapter on video surveillance that supplements the GDPR's general framework. The rules apply to CCTV and other systematic video monitoring in workplaces, residential buildings, common areas, and public-facing premises.
Key requirements include:
- A legitimate purpose, typically security or property protection
- Clear and conspicuous signage informing individuals that surveillance is operating
- Proportionate retention limits (ZVOP-2 generally provides a default maximum of one year, but shorter periods are expected unless justified)
- A DPIA for large-scale or particularly intrusive surveillance systems
The Information Commissioner has published guidance on acceptable camera placement, particularly for workplace surveillance. Cameras directed at individual workstations require strong justification, and monitoring designed to track employee productivity rather than genuine security interests faces significant scrutiny.
Cross-Border Data Transfers
Slovenia applies the standard GDPR framework for international data transfers without material deviations.
Transfers to countries outside the European Economic Area require one of the following mechanisms:
- An adequacy decision by the European Commission. The EU-US Data Privacy Framework (adopted July 2023) covers transfers to certified US organisations. Other adequacy decisions cover the UK, Switzerland, Japan, Canada (commercial organisations), South Korea, and others.
- Standard Contractual Clauses (SCCs): the 2021 SCCs issued by the European Commission remain the most commonly used tool and require a Transfer Impact Assessment to assess destination-country risk.
- Binding Corporate Rules for intragroup transfers, approved by a lead supervisory authority.
- Approved codes of conduct or certification mechanisms.
- Specific derogations for individual or occasional transfers where other mechanisms are unavailable.

One Slovenia-specific point: transfers to North Macedonia historically benefited from a legacy Slovenian adequacy determination under ZVOP-1. ZVOP-2 does not carry forward this arrangement. Organisations transferring data to North Macedonia must now rely on SCCs or another GDPR-compliant mechanism.
EU AI Act Overlay
Slovenia was among the first EU member states to adopt national AI Act implementation legislation. The Act on the Implementation of the EU Regulation on Harmonised Rules on Artificial Intelligence (ZIUDHPUI) entered into force on 21 November 2025.
ZIUDHPUI establishes the domestic governance structure for the EU AI Act, identifies the market supervisory authorities, sets sanctions for violations, and provides the legal basis for operating regulatory sandboxes.
In Slovenia, AI Act supervision is distributed across five authorities. The Information Commissioner was designated as the market supervisory authority for the highest-risk AI systems, specifically including:
- AI systems used for social scoring of individuals
- AI systems for predicting the commission of crimes
- AI systems that understand or infer emotions in workplaces and educational settings
- High-risk AI systems in the fields of biometrics, education, crime prevention and investigation, migration and border control, and justice and elections
This designation creates a direct overlap between data protection and AI governance. An AI system that processes biometric data for identification purposes faces both ZVOP-2's biometric pre-authorisation requirement and the Information Commissioner's AI Act market supervision. Both obligations flow through the same authority.
The remaining four supervisory authorities under ZIUDHPUI are: AKOS (Agency for Communication Networks and Services), Banka Slovenije (Bank of Slovenia), the Insurance Supervision Agency, and the Market Inspectorate.
Penalties and Enforcement
The penalty structure under ZVOP-2 operates on two tracks.
GDPR violations attract the standard GDPR fine tiers, routed through the misdemeanour framework:
- Tier 1: up to EUR 10 million or 2% of global annual turnover (whichever is higher) for violations of processor obligations, security requirements, DPO rules, certification obligations, and breach notification
- Tier 2: up to EUR 20 million or 4% of global annual turnover (whichever is higher) for violations of core principles, legal basis requirements, data subject rights, and international transfer rules
ZVOP-2-specific violations carry fines for legal entities of EUR 100 to EUR 40,000.
Criminal liability is also possible. Misuse of personal data constitutes a criminal offence under the Slovenian Penal Code, carrying a fine or imprisonment of one to five years.
The transition from ZVOP-1's EUR 12,510 cap to the current EUR 20 million maximum represents a roughly 1,600-fold increase in maximum exposure for the most serious violations. Organisations that previously treated Slovenian data protection compliance as low-stakes must fundamentally recalibrate their risk assessments.
Recent Developments (2024-2026)
Processing log compliance (January 2025): The two-year transition period for implementing mandatory processing logs under ZVOP-2 expired on 26 January 2025. The Information Commissioner has signalled that log-keeping compliance is an active enforcement priority.
AI Act implementation (November 2025): Slovenia enacted ZIUDHPUI on 21 November 2025, among the first EU member states to do so, and designated the Information Commissioner as the lead supervisor for high-risk AI systems in its designated areas.
Enforcement activity (2024): The Information Commissioner issued multiple substantive decisions in 2024, covering failures to respond to data subject access requests, unlawful email redirection without a legal basis, unlawful refusal of erasure requests by the Slovenian Police, and missing data processing contracts. This marks a meaningful step up from the minimal enforcement activity of the ZVOP-1 era.
EDPB cooperation: Slovenia's Information Commissioner participates in the European Data Protection Board's consistency and cooperation mechanisms. As cross-border enforcement cases involving large technology platforms increasingly involve lead supervisory authorities in other member states, the Commissioner acts as a concerned supervisory authority for cases affecting Slovenian residents.
Business Compliance Checklist
Organisations operating in Slovenia should work through these steps in addition to standard GDPR compliance:
Biometric data audit: Identify any processing of biometric data used for identification or authentication. If processing occurs in the private sector, verify that Information Commissioner pre-authorisation has been obtained. Confirm that biometric data is not being collected for marketing purposes.
Processing log implementation: Assess whether any processing activities meet the thresholds for mandatory logs (more than 100,000 individuals in automated systems, or more than 10,000 individuals for special-category data). If so, verify that compliant logs are operational. The January 2025 transition deadline has passed.
DPO appointment review: Determine whether your organisation is required to appoint a DPO under ZVOP-2's expanded criteria. If so, verify that the DPO meets the qualification requirements (three years of experience or recognised certification), has been communicated to the Information Commissioner, and is accessible to data subjects.
Video surveillance review: Audit all CCTV systems for compliance with ZVOP-2's notice, purpose limitation, and retention requirements. Ensure that workplace cameras are not directed at individual workstations without documented justification.
Transfer mechanism update: If transferring personal data to North Macedonia, confirm that SCCs or another GDPR-compliant mechanism is in place.
AI system assessment: If deploying AI systems, determine whether any fall within the categories where the Information Commissioner has market supervisory authority under ZIUDHPUI. Systems involving biometrics, social scoring, or emotion detection face dual oversight from ZVOP-2 and the AI Act framework.
Breach notification readiness: Verify that internal breach detection and notification procedures can meet the 72-hour notification window to the Information Commissioner and, where required, communication to affected data subjects.
This article provides general information about Slovenia's data privacy laws and is not legal advice. Data protection law is complex and changes frequently. Consult a qualified attorney licensed in Slovenia for guidance on your specific situation.
Frequently Asked Questions
Why was Slovenia the last EU member state to implement the GDPR?
Slovenia's nearly five-year delay resulted from protracted political and legal debates over the scope of the Information Commissioner's powers, how to structure administrative fines within Slovenian constitutional law, and the balance between data protection and freedom of expression. Multiple draft versions circulated from 2017 onward before the final text was adopted in December 2022. The GDPR applied directly throughout this period, and the older ZVOP-1 (2004) continued to operate where it did not conflict with the GDPR.
What is the constitutional basis for data protection in Slovenia?
Article 38 of the 1991 Slovenian Constitution expressly guarantees the protection of personal data, prohibits using personal data contrary to the purpose for which it was collected, and requires that collection, processing, use, and supervision of personal data be regulated by statute. This makes personal data protection a constitutional right in Slovenia, predating both the EU Charter of Fundamental Rights and the GDPR.
Do organisations need prior approval to process biometric data in Slovenia?
Yes, in the private sector. Processing biometric data for identification or authentication requires prior approval from the Information Commissioner, prior written notice to affected individuals, and cannot be used for marketing purposes. This requirement is stricter than most EU member states, which generally allow biometric processing on standard GDPR legal bases without advance regulatory clearance.
What are the mandatory processing log requirements under ZVOP-2?
ZVOP-2 requires traceability logs for automated systems processing personal data of more than 100,000 individuals, or special-category personal data of more than 10,000 individuals, as well as for systematic monitoring activities and where a DPIA has identified a manageable risk. Logs must record who accessed data, when, and for what purpose. The transition period expired on 26 January 2025.
What fines can the Information Commissioner impose under ZVOP-2?
For GDPR violations, the Commissioner can impose fines up to EUR 10 million or 2% of global annual turnover (Tier 1), or up to EUR 20 million or 4% of global annual turnover (Tier 2), whichever is higher. For violations of ZVOP-2-specific provisions, fines for legal entities range from EUR 100 to EUR 40,000. All fines are processed through Slovenia's misdemeanour framework, compared to the previous maximum of EUR 12,510 under ZVOP-1.
How does Slovenia's AI Act implementation affect data protection compliance?
Slovenia enacted ZIUDHPUI on 21 November 2025, designating the Information Commissioner as the market supervisory authority for the highest-risk AI systems, including biometric identification, social scoring, crime prediction, and emotion detection in workplaces. AI systems processing biometric data face simultaneous ZVOP-2 pre-authorisation requirements and AI Act market supervision, both enforced by the same authority.
What is the age of digital consent in Slovenia?
Slovenia set the age of digital consent at 15 years old. Children aged 15 and older can independently consent to information society services such as social media platforms. Children under 15 require parental or guardian authorisation.
How do cross-border data transfers work under Slovenian law?
Slovenia follows the standard GDPR framework. Transfers outside the EEA require an adequacy decision, Standard Contractual Clauses with a Transfer Impact Assessment, Binding Corporate Rules, or an applicable derogation. A legacy Slovenian adequacy arrangement for transfers to North Macedonia under ZVOP-1 does not carry over to ZVOP-2, so organisations transferring data to North Macedonia must now use SCCs or another GDPR mechanism.
Sources and References
- Information Commissioner, ZVOP-2 Overview (ip-rs.si)
- Information Commissioner, Key Features of ZVOP-2 (ip-rs.si)
- Information Commissioner, My Rights (ip-rs.si)
- Schoenherr, ZVOP-2 Late Transposition (schoenherr.eu)
- Wolf Theiss, ZVOP-2 Analysis (wolftheiss.com)
- CMS Expert Guide, Slovenia (cms.law)
- DLA Piper, Slovenia Data Protection (dlapiperdataprotection.com)
- GDPRhub, IP Slovenia Enforcement (gdprhub.eu)
- EuroCloud, Slovenia Last EU State (eurocloud.org)
- Jadek Pensa, ZVOP-2 Entry into Force (jadek-pensa.si)
- Information Commissioner AI Act Supervision (365trust.me)
- EDPB, Slovenia (edpb.europa.eu)
- EU FRA, Slovenian Constitution (fra.europa.eu)