ZVOP-2: the Slovenian Personal Data Protection Act

Tags: ZVOP-2, IP, DPO, DPA, CYBERSEC, INFOSEC

ZVOP-2, the Slovenian Personal Data Protection Act, has been in force since January 26, 2023. Although the law is now three years old, many firms and organizations still struggle to fully understand its requirements. After the initial wave of EU-wide GDPR implementation in 2018, numerous companies relaxed their efforts, partly because the old ZVOP-1 did not give the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec, IPRS), the national Data Protection Authority responsible for enforcing GDPR in Slovenia, the authority to impose the substantial fines foreseen by GDPR. With ZVOP-2 (2023), the situation has changed: the IPRS can now issue fines as administrative offenses, making compliance a business-critical necessity.

The introduction of ZVOP-2 has brought several important changes that firms need to understand. For instance, the age of consent for children using online services is now set at 15 years, in line with the Family Code. Individuals whose rights are violated can now pursue judicial protection directly before the Administrative Court of the Republic of Slovenia. The law also sets a 20-year limit on the protection of personal data of deceased persons, while explicitly facilitating access to data for certain categories of individuals, although care must be taken to assess whether disclosure is appropriate.

ZVOP-2 introduces mandatory processing logs for certain cases, such as large-scale processing of special categories of personal data or systematic monitoring of individuals. Companies were given until January 26, 2025, to fully align with this new requirement. The law also explicitly prohibits the use of employee email addresses published on company websites for direct marketing purposes, a restriction that goes beyond the previous ZVOP-1 and the Electronic Communications Act (ZEKom-2). In terms of cross-border transfers, ZVOP-2 removes the former list of third countries with adequate protection, meaning companies must now carefully verify the legal basis for transferring personal data abroad. Video monitoring practices have also been updated: notices must contain all the information specified in ZVOP-2 and GDPR, and a notice that merely provides a QR code is unlikely to satisfy the IPRS.

A cornerstone of both GDPR and ZVOP-2 compliance is the appointment of a Data Protection Officer (DPO). This person acts as an internal auditor for personal data protection, advising and supervising compliance with legal obligations, providing staff training, assisting with Data Protection Impact Assessments, and serving as the point of contact for both the supervisory authority and data subjects. The DPO must be independent, have appropriate professional knowledge, and be actively supported by senior management. Their responsibilities include advising on risk assessment, monitoring processing activities, and ensuring confidentiality. Organizations are required to register the DPO’s contact information with the IPRS within eight days of appointment and make it publicly available, for example on the company website.

Not all companies are required to appoint a DPO, but ZVOP-2 sets clear criteria. Public authorities, banks, insurance companies, telecommunication operators, customer loyalty programs, health IT systems, and other entities that conduct large-scale or special-category data processing must appoint a DPO. This is especially important for e-commerce. Private doctors, dentists, and law firms are generally exempt unless they fall under specific conditions. Companies can designate an internal employee or a qualified external contractor, provided there is no conflict of interest. The law also allows for joint DPO appointments across related organizations or professional associations, such as law firms, notaries, or unions, provided certain rules are followed.

Looking ahead to 2026, firms in Slovenia have a unique opportunity to align their GDPR compliance with other regulatory requirements, such as ZInfV-1, in a harmonized approach. This is particularly important for hotels, which often handle large volumes of guest data, including sensitive information. Compliance is not optional: regardless of changes at the EU level, organizations operating under Slovenian jurisdiction must respect both ZVOP-2 and ZInfV-1. Proper documentation, robust internal policies, and a clearly designated DPO are the foundation for legal protection, risk mitigation, and operational efficiency.

In practice, failing to implement a compliant data protection framework exposes businesses to regulatory fines, reputational damage, and increased vulnerability to cyber fraud. By addressing GDPR and ZVOP-2 obligations proactively, companies can turn compliance into a competitive advantage while safeguarding their clients, employees, and operations.


Info:

Practice of Country DPA

Country DPA: IP, Slovenia
