EPIC --- Privacy and Human Rights Report
Republic of Slovenia
The right to privacy appears in two forms in the 1991 Slovenian Constitution, as an individual right of a private character, and as a human right, meaning that it also has a public nature. Privacy rights are covered in the second section of the Constitution, which protects various aspects of privacy. Article 35 on the Protection of the Right to Privacy and of Personal Rights states, "The physical and mental integrity of each person shall be guaranteed, as shall be his right to privacy and his other personal rights." Article 37 on the Protection of Privacy of Post and Other Means of Communication states, "The privacy of the post and of other means of communication shall be guaranteed. In accordance with the statute, a court may authorize action infringing on the privacy of the post or of other means of communication, or on the inviolability of individual privacy, where such actions are deemed necessary for the institution or continuance of criminal proceedings or for reasons of national security."
Slovenia has been a member of the European Union since 2004, which means that all EU directives are effective in the country. Slovenia enacted in 1999 the Personal Data Protection Act (PDPA) based on the EU Data Protection Directive and the Council of Europe (CoE) Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention No. 108). In this law, private entities may process personal data only if they have obtained individuals' written consent, or if law regulates the data processing. Article 38 of the Constitution states, "The protection of personal data relating to an individual shall be guaranteed. Any use of personal data shall be forbidden where that use conflicts with the original purpose for which it was collected. The collection, processing and the end-use of such data, as well as the supervision and protection of the confidentiality of such data, shall be regulated by statute. Each person has the right to be informed of the personal data relating to him which has been collected and has the right to legal remedy in the event of any misuse of that data."
On January 1, 2005, a new version of the PDPA came into force. The new act, which modernizes the previous version from 2001, follows some changes in the area of personal data processing that occurred in recent years. The PDPA now covers automatic decision-making, the use of video surveillance cameras, biometrics, and the collection of data on entries to and exits from premises. The PDPA meets all requirements of the 1995 EU Data Protection Directive.
The PDPA provides that everything that is not explicitly allowed in connection with personal data collection and processing is prohibited. Public entities may only process personal data for which they have been granted legal authorization, while private entities must receive written consent from individuals. Persons whose personal data are gathered must be informed in advance of the purpose of the collection of data (by giving their written consent or where the purpose of collection is authorized by law). In principle, personal data can be gathered and stored for only as long as needed to meet that objective, and deleted or blocked once the objective is met. All exemptions must be defined in the law. Use of video surveillance in the workplace is allowed only under special circumstances (if it is necessary for the security of people or property, or for protecting secret data or business secrets, and this purpose cannot be achieved by less intrusive means). Employees must be presented with a written notice about this measure; the same applies to the use of biometrics in the private sector.
The PDPA also defines in detail the duties of the data controller. It is prohibited to use the same identifier in databases maintained in the areas of public safety, state security, defense, judiciary and health. The connection between these databases is allowed only if there is a legal basis or the individual has given his or her written consent. The data controller of such databases must enable access to the individual free of charge within fifteen days of receiving his or her request, as well as provide a copy of an individual's personal data within thirty days of receiving the request. If a data controller fails to fulfill this obligation, he or she must provide the reasons for doing so in writing. In case an individual's personal data are transferred to recipients, the data controller must supply, at that individual’s request, the list of recipients within a thirty-day deadline.
If an individual provides evidence that his or her personal data were gathered in breach of the law, the data controller must delete the data, or update and correct them if the data were inaccurate or incomplete. The data controller must bear those costs, and must also keep a separate catalogue for each database, which contains, among other things, a detailed description of the kind of data gathered and the manner in which they are gathered, the purpose of their use and the duration of storage, the list of their users and a description of how they are secured. Furthermore, the Ministry of Justice, which is responsible for the protection of personal data, must keep a register of all databases containing personal data. Information in this register is provided by data controllers and is publicly available on the Internet.
Special protections are set out for "sensitive data," defined as data on racial or other origins, political, religious or other beliefs, trade union membership, sexual behavior, criminal convictions and medical data. This data must be specially labeled and may only be transferred across telecommunications networks if it is protected by "encryption methods" and an "electronic signature" that can guarantee illegibility. The law also imposes cross-border restrictions providing that data may only be transferred to countries that have a data protection legal framework as adequate as the Slovenian one. Article 62 explicitly states that there are no cross-border restrictions for the EU member states.
According to the Information Commissioner, the PDPA may be amended in the coming months. The most notable amendments include exemptions for notification of data filing systems to the Information Commissioner, and the striking of a data controller’s obligation to prepare internal acts governing protection of personal data for data controllers with fewer than 50 employees. Other amendments strive to enhance the right of access of an individual to his/her personal data, processed by data controllers, through regulation that will harmonize the tariffs for providing data to the individual.
Article 50 of the Postal Services Act states that providers of postal services should enable an authorized body to access, on the basis of a court order, the content of post. Both telephone operators and providers of postal services must ensure an indelible record of such actions.
The revised Consumer Protection Act (CPA) that was enacted in January 2003 incorporates the EU E-Commerce Directive (2000/31/EC). Article 45a states that companies (e.g., direct marketing companies) may use an automatic telephone dialing system only with the consumer's prior consent. The same is true for fax messages and e-mail messages (i.e. spam). The company must also exclude the consumer from the contact list if he or she makes such a request. The fines average EUR 4,200 for physical persons and EUR 12,600 for companies. The CPA only protects individuals, but Article 109 of the Electronic Communications Act of 2004 protects companies from receiving spam.
The Labor Relations Act prohibits employers from asking employees or employment candidates questions about family matters, marital status, pregnancy, or other information that is not work-related.
There is no regulation of cryptography in Slovenia. The Electronic Commerce and Electronic Signature Act and the PDPA even encourage the use of cryptography and digital signatures. Slovenia also has a right against self-incrimination, which means that a suspect is not compelled to reveal his cryptographic keys.
With the merger of two offices, the Inspectorate for Personal Data Protection and the Commissioner for Access to Public Information, the Information Commissioner, an autonomous and independent body, was established on the basis of the Information Commissioner Act (ICA) on December 31, 2005. The body supervises both the protection of personal data and access to public information. The competencies of the Information Commissioner, as laid down in ICA, Personal Data Protection Act (PDPA) and Inspection Act (IA), are relatively wide.
The formation of the office of the Information Commissioner had a strong impact on personal data protection in Slovenia. Much of the strengthened activities can be attributed to substantially increased staff, since the Commissioner employed 25 people at the end of 2006, of which 8 were State Supervisors for Personal Data Protection (up from only two at the end of 2004). This staff increase resulted in swifter reactions to complaints, an increased number of legal opinions, a more preemptive approach to data protection and a wider public awareness regarding the right to privacy. The Information Commissioner thus prepared as many as 616 legal opinions in 2006 about various questions as regards personal data processing, issued several guidelines and stimulated public debate on personal data protection.
As concerns the Information Commissioner’s inspection competencies, the number of investigated cases continued to increase dramatically – a total of 231 complaints were received in 2006 (up from 91 in 2005 and 78 in 2004). Of those, 88 were directed towards the public sector and 143 towards the private sector. Most complaints in the public sector dealt with the unlawful transfer of personal data (35), unlawful collection of personal data (17) and insufficient protection of personal data (16), whereas unlawful transfer of personal data (41), unlawful implementation of video surveillance (28), and disproportional collection of personal data (24) were among the most common complaints regarding the private sector. In 41 cases, the State Supervisors found no breaches of the PDPA and these cases were dismissed.
The Information Commissioner also manages and maintains the Register of data filing systems of data controllers (Article 28 of the PDPA), which is available at the Commissioner’s website. The notifications can be submitted and viewed online and the statistics show that more than 7,700 data controllers have entered data on their filing systems, a huge increase from the 973 entries at the end of 2005.
The Commissioner conducted an overview of Slovene legislation in 2006. At the end of 2006, Slovenia had 1,684 Acts (without amendments and official consolidated versions), of which 213 acts stipulate data filing systems. These 213 acts provide authority for 857 filing systems, of which 373 do not have an explicitly stated data processing purpose, which is contrary to Article 38 of the Slovenian Constitution. Furthermore, 127 acts relinquish this obligation to implementing regulations, again contrary to Article 38 of the Constitution.
The Inspection Commissioner investigated a cancer screening center in 2006; she discovered that the levels of security of such sensitive personal health data were absolutely unacceptable and presented a serious breach of the PDPA since both physical and electronic data and archives were practically unprotected and were vulnerable to unauthorized access.
In September 2005 the Information Commissioner received a complaint that an insurance company provided open access to data of its insurants on its website. Due to weak security, personal data such as name and surname, address, tax number, status data and the insurance policy number of roughly 24,000 insurants (including children and students) were available online by simply entering a seven-digit insurance number. The personal data was organized (almost) alphabetically, thus making it simple to obtain a specific person’s data. The insurance company was issued a fine of 1,000,000 tolars (4,200 EUR) and the person in charge was fined 200,000 tolars (835 EUR) for disregarding the obligations of Article 24 of the PDPA.
Video surveillance is covered in the PDPA and in the Private Protection Act, which was enacted in November 2003. The PDPA requires that administrators of video surveillance systems publish a notice about video surveillance. The notice must contain information about who is performing video surveillance and where, and where an individual can get information about data retention periods. The video surveillance system must be protected from unauthorized access. Article 43 of the Private Protection Act allows video surveillance systems to be operated only by private guards with a license. The law contains provisions about maximum retention periods of video and audio data. It also requires video surveillance users to notify people about the monitoring. Failure to notify can carry penalties of up to 12,500 EUR.
In 2006, the Information Commissioner inspected the unlawful video surveillance that was going on for some years in a well-known shopping mall. Paragraph 3 Article 77 of the PDPA clearly states that video surveillance shall be prohibited in work areas outside of the workplace, particularly in changing rooms, lifts and sanitary areas. The inspection procedure performed by the Information Commissioner revealed that the shopping centre had indeed been conducting video surveillance in changing rooms, thus breaching the individual’s right to privacy in national data protection legislation. This case was given great publicity which resulted in an overflow of complaints against several applications of video surveillance that eventually led to both greater awareness as well as increased respect of legal provisions governing video surveillance.
Article 79 of the PDPA states that biometric measures in the public sector may only be provided for by statute if they are necessarily required for the security of people or property or to protect secret data and business secrets and if this purpose cannot be achieved by milder means. Irrespective of this provision, biometric measures may be provided by statute where they involve compliance with obligations arising from binding international treaties or for identification of individuals crossing state borders. This provision provides legal ground for the introduction of biometric passports that were introduced in 2006 to comply with US Visa Waiver Program (VWP) requirements.
Article 80 of the PDPA regulates that the private sector may implement biometric measures only if they are necessarily required for the performance of activities, for the security of people or property, or to protect secret data or business secrets. Biometric measures may only be used on employees if they were informed in writing thereof in advance. If the implementation of specific biometric measures in the private sector is not regulated by statute, a data controller intending to implement biometric measures shall, prior to introducing the measures, be obliged to supply the Information Commissioner with a description of the intended measures and the reasons for the introduction thereof. The Information Commissioner is obliged to decide within two months whether the intended introduction of biometric measures complies with the PDPA. In 2006 the Information Commissioner received 15 prior notifications of intended introduction of biometric measures. Of the 12 issued decisions (all of which involved fingerprints as the method of biometric identification), in 6 cases the applicant was granted the approval, in 3 cases the approval was limited, and in 4 cases the notifications were turned down.
The right to privacy of communication is guaranteed by the Constitution and is also covered by Article 150 of the Penal Code that prescribes sanctions for the violation of the secrecy of means of communication. This article prohibits unauthorized opening of letters and other postal messages and interception of messages transmitted via telecommunications networks, or reading of their contents without opening a letter or other postal messages. Similarly, it prohibits unauthorized acquaintance with the content of a message transmitted by telephone or other telecommunications equipment, as well as the unauthorized forwarding of someone's letter to a third party. Article 151 further prohibits the publication of private communications without consent by the authorized person.
Privacy of communication may only be invaded by a court order, and if such an invasion is deemed necessary for the purpose of criminal proceedings, or in order to protect the security of the state. In Slovenia, this area is regulated by the Criminal Proceedings Act and the Slovenian Intelligence and Security Agency Act (SISAA) and carried out by the police and Slovenian Intelligence and Security Agency (SOVA).
The Criminal Proceedings Act includes a detailed list of criminal offences and cases in which the privacy of communications may be invaded (with a court order), but the SISAA is not as specific. For example, it stipulates that state security is threatened by "activities aimed against . . . the strategic interests of the Republic of Slovenia," but experts draw attention to the problems potentially arising from such wording, which enables broad interpretations of "strategic interests" in contrast to other, more well-defined criminal offences. However, the SOVA does not prosecute criminal offenders. If it deals with a suspected criminal offence, it must provide information about it to the director general of the police force and the public prosecutor. SOVA is compelled to inform the Prime Minister about its activities and findings, as well as the President of the Republic, the President of the National Assembly and other ministers if these activities are related to their fields of competence.
In general, a judge's warrant must be issued prior to a house search or telephone tapping. A new Law on the Police, adopted in 1998, allows secret observation and following, and secret police collaboration, to be authorized under very special circumstances by a General Police Director. However, the wording of the SISAA allows for potential abuse on the part of the SOVA, because it could result in SOVA acquiring too easily a court warrant for communications interception.
On May 1, 2004, the Electronic Communications Act came into effect. This Act regulates Internet communications, is compatible with the EU Privacy and Electronic Communications Directive, and replaces the former Telecommunications Act. Article 104 concerns traffic data. It requires that subscribers' and users' traffic data processed and stored by an operator be erased or made anonymous as soon as it is no longer needed for the transmission of a message. Operators may store and process traffic data required for billing and interconnection payments only until payment for services or if they have the user's prior consent. Location data other than traffic data relating to users may be processed only in anonymous form or on the basis of the user's prior consent, according to Article 106. Article 107 states that operators shall be obliged at their own expense to ensure adequate equipment and appropriate interfaces enabling lawful interception of communications in their networks, and that the minister for information society shall prescribe the equipment and determine appropriate interfaces in an ordinance, in agreement with the minister for internal affairs, the minister for defense, and the director of SOVA.
On June 1, 2004, an important discussion took place at a meeting among representatives of the Ministry of Information Society, the Ministry of the Interior, police authorities and some Internet service providers (ISPs) (including a representative of SISPA, the Slovenian ISP association) to discuss the implementation of the requirement of the Electronic Communications Act that compels operators to pay the expenses for equipment enabling lawful interception of communications in their networks. Since these expenses are estimated to be between EUR 100,000 and EUR 700,000 per operator, small ISPs have a good reason to fear for their survival. In response to those concerns, representatives of the Ministry of the Interior and the police proposed to create one central interception center to decrease the costs per operator. Concerns were also shared that small ISPs may not have enough people and expertise to operate interception devices. The police offered to help manage them.
The Act on Electronic Communications was amended in December 2006 in order to transpose the EU Data Retention Directive into the Slovenian legal system. The amendments foresee a 24-month retention of traffic data; both the Information Commissioner and members of civil society criticized the amendment. The amendment concerning data retention of telephony services will enter into force on September 15, 2007, whereas data retention in the field of internet, e-mail and internet telephony will enter into force on March 15, 2009. Inspections concerning retention of traffic data are assigned to the Information Commissioner.
The Penal Code specifies sanctions for an invasion of territorial privacy in Articles 149 and 152. Article 149 prohibits unauthorized recording or image taking of individuals or their premises if such an act entails a serious invasion of privacy. Article 152 specifies sanctions for the violation of dwellings through an unauthorized entry into, or search of, private facilities, or an attempt to do so. Intrusion into a computer system is the subject of Article 242, but such an intrusion is punishable only if it is connected with business dealings, and made with the aim of acquiring illegal property-related benefits, or causing material harm to others. Article 154 provides for sanctions and prohibits any use of personal data that is in breach of the law, or any intrusion into an electronic database for the purpose of obtaining some item of information for personal use or for a third party's use. Article 225 also prohibits unauthorized access to an unprotected database, the modification and copying of its content or the insertion of viruses. The conditions under which personal data may be gathered, processed and used are regulated by the PDPA.
Police have a right to take a picture, fingerprints and saliva samples from suspects, as provided by Article 149 of the Criminal Proceedings Act. Police also can use DNA samples for criminal investigations.
Slovenia has ID cards. The ID Card Act requires all adults to have and carry a valid ID card with a photograph (Article 2) and to show it to authorities when required. Non-compliance with this requirement carries fines of up to 420 EUR. Slovenia is included in the US visa waiver program and is required to produce biometric passports. Slovenia began issuing the passports in August 2006.
The Law on National Statistics regulates the privacy of information collected for statistical purposes. In July 2000, the Health Insurance Data Collections Act came into force. The Act sets out restrictions on the collection, use and exchange of health data.
On May 3, 2005, the Electronic Central Register started to operate in Slovenia. This is a reference electronic population register enabling authorized administrators to access the population registry electronically. The register combined three separate registries that were kept on paper. It includes all information associated with births, deaths and marriages, as well as name changes, adoptions, recognitions of fatherhood and divorces. At the same time, an electronic register of households was set up. This means that all registers associated with administrative bodies have now been computerized. The project was launched in 2004 and cost SIT 216 million (EUR 900,000), which includes the upgrade of the population register as well as the registers of foreigners and citizenships.
Every person has the right to acquire information held by a public body, according to Article 39 of the Slovenian Constitution. In 2003, the Access to the Public Sector Information Act (APSIA) was enacted. It determines which public bodies are responsible for providing information and establishes an independent body, the Deputy for Access to Public Sector Information, whose main function is to be an appeal administrative body. The APSIA guarantees free insight into public sector information, and costs of transcripts are limited only to material costs. All public sector information must also be provided on the Internet, according to Article 10. Some types of information, such as personal data, or information important for national security are excluded from public sector information. The Ministry of Information Society is also required to issue a catalogue of public institutions that are bound by the APSIA. Slovenian Freedom of Information legislation is based on the guidelines of Article XIX and is harmonized with all the European laws dealing with access to public information. A new version of the APSIA is being prepared. If it is adopted, it will extend the right to access public information with the introduction of the so-called "public interest test." The test allows the Deputy to decide that some information must be made public, even when legal exceptions to the contrary exist, if the greater public interest in that information prevails. Another proposed change is that commercial use of public information will not be free of charge as it is now.
Slovenia is a member of the Council of Europe (CoE) and has signed and ratified Convention No. 108. It has also signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. In May 2004, Slovenia ratified the CoE Convention on Cybercrime and the Additional Protocol with provisions against racism and xenophobia in virtual networks.
Constitution of the Republic of Slovenia 1991, available at
 Komentar Ustave Republike Slovenije (Comments about the Constitution of the Republic of Slovenia) 369 (Sturm & Lovro eds., Ljubljana, Fakulteta za podiplomske drzavne in evropske studije 2002).
 The means of communication are interpreted in the widest sense of the word: it may include telephone communications, e-mails, SMS messages and the like, since the form or content of communication is irrelevant in this context. Privacy protection also applies to private telecommunication systems, as well as traffic data, which are also an integral part of communications (i.e., telephone numbers, data about the duration of a communication or the quantity of data transmitted, etc.) Id. at 395-396.
Data Protection Act (Official Gazette of the Republic of Slovenia, no.86/04 and 113/05), available at
 Constitution of the Republic of Slovenia 1991, supra.
 Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L. 281, 23/11/1995 p. 0031 - 0050.
 Email from Sonia Bien and Andrej Tomsic, Information Commissioner of Slovenia, to Allison Knight, Research Director, Electronic Privacy Information Center, May 30, 2007 (on file with EPIC).
 Article 26 of the Labor Relations Act.
 Article 5 of the Criminal Proceedings Act.
Commissioner Act, published in Official Gazette of the Republic of Slovenia, no.113/2005, unofficial translation available at Information
 Information Commissioner Act, available at <http://www.ip-rs.si/index.php?id=519>.
 Inspection Act (Official Gazette of the Republic of Slovenia, no.43/07).
 Email from Sonia Bien and Andrej Tomsic, supra.
Commissioner of Slovenia,
 Email from Sonia Bien and Andrej Tomsic, supra.
 Article 49, Law on the Police, July 18, 1998.
 Not all Slovenian ISPs are members of
 Proceedings from the meeting: Ministry of Information Society, Realisation of lawful interception of telecommunications traffic which flows over the Internet, June 1, 2004 (on file with EPIC).
 Unfortunately, this wording could lead to a situation in which an intrusion into a computer system not resulting in material harm, or not yielding other kinds of benefit for the intruder, would not be sanctioned. In such a case Article 309, which sanctions the production or acquisition of tools for intrusion into a computer system, has to be applied.
 Law on National Statistics, July 25,
 "E-Register of Births, Deaths and Marriages Launched," Public Relation and Media Office, available at <http://www.uvi.si/eng/slovenia/publications/slovenia-news/2014/2018/>.
 APSIA is
 See <http://www.article19.org/>
November 23, 1993; ratified May 27, 1994; entered into force September 1, 1994.
 Signed May 14, 1993; ratified June 28, 1994; entered into force June 28, 1994.
 Convention on Cybercrime (CETS No.: 185), available at <http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CM=8&CL=ENG>.
 Additional Protocol to the Convention on Cybercrime, Concerning the Criminalisation of Acts of a Racist and Xenophobic Nature Committed through Computer Systems (CETS No.: 189), available at <http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=189&CM=8&CL=ENG>.