1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?
Yes, in relation to a personal data breach, these requirements were introduced by the GDPR. The GDPR introduced a duty to inform the DPA of detected breaches of personal data, if it is (at least) likely that the breach would have endangered the rights and freedoms of individuals.
Where a breach of personal data is likely to give rise to a high risk to the rights and freedoms of individuals, the controller should also report the data breach to the data subject.
Further, under Article 159 of the Electronic communications Act (Zakon o elektronskih komunikacijah; "ZEKom-1"), the provider of a public electronic communications service must inform the Agency for communication networks and services of the Republic of Slovenia (Agencija za komunikacijska omrežja in storitve; "Agency") of personal data breaches that occurred in connection to a publicly available electronic communications service. If the breach would adversely affect the personal data and privacy of the data subject, the provider must also inform the individual subject of the data breach, unless the provider proves to the Agency that it undertook the appropriate technical protection measures.
Operators of essential services and digital service providers have breach notification obligations under Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union ("NIS Directive"). The NIS Directive is implemented in the legal system of the Republic of Slovenia with Information Security Act (Zakon o informacijski varnosti; "ZInfV"). Under Article 31 ZInfV, the Inspector for information safety of a competent national authority ("Inspector") has control over any possible breach under the ZInfV. The Inspector also informs the DPA about the inspection of the personal data breach and/or any possible suspected breach.
Trust service providers have breach notification requirements under Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal markets (eIDAS Regulation).
Specific regulatory issues should always be considered and checked. For example, major security incidents have to be notified by payment services providers under PSD2 (with further guidance provided by the European Banking Authority). PSD2 is implemented in the legal system of Republic of Slovenia with the Payment Services, Services of Issuing Electronic Money and Payment Systems Act (Zakon o plačilnih storitvah, storitvah izdajanja elektronskega denarja in plačilnih sistemih; "ZPIaSSIED"). According to Article 152 of the ZPIaSSIED, the payment service providers, which are established in the Republic of Slovenia, shall inform the Bank of Slovenia about all major operational or security incidents. When the Bank of Slovenia is informed of such incident, it further informs (with undue delay) about the incident the European Banking Authority and the European Central Bank. Additionally, when the Bank of Slovenia assesses the importance of the incident for other relevant authorities of Republic of Slovenia, it shall inform these authorities accordingly.
If the data breach constitutes a criminal offence that is an abuse of personal data under the Slovenian Criminal Code (Kazenski zakonik; "KZ-1"), and if such is detected by a public authority, the latter is obliged to file a criminal complaint with the prosecution authorities.
It should always be considered whether the police or national security services should be notified of the breach. However, there is no legal requirement for such notification, though in certain cases failure to inform the competent authorities of a crime or perpetrator may itself constitute a criminal offense.
1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?
Considering that this obligation in relation to personal data was introduced by the GDPR and Slovenia has not yet adopted a local act further implementing GDPR (referred to as "ZVOP-2"), there are no additional applicable provisions other than the ones stipulated in the GDPR.
In reference to notifications under other legal instruments mentioned above, please see the answer to the previous question. In addition, please refer to the chapter on the European Union for specifics of the notification.
1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?
The DPA has published on its website a non-binding suggested form of the notice based on the minimum requirements stipulated in Article 33 (3) GDPR.
The data controller must give the notice to the Information Commissioner of the Republic of Slovenia without undue delay and, where feasible, not later than 72 hours after having become aware of it. The above notice may be given by regular mail or via email (please see the contact information below).
In reference to notifications under other legal instruments mentioned above, there is no specific guidance on the content or method of giving notice but, in general, communication with the authorities must be in written form.
1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?
According to the GDPR, failure to notify the DPA when necessary is a standalone breach, for which an administrative fine of up to EUR 10,000,000, or in the case of an undertaking, up to 2 % of worldwide annual turnover in the previous financial year, whichever is higher may be imposed. Additionally, corrective measures may be imposed as well. However, it is worth mentioning that until the new legislation following the application of the GDPR in Slovenia is adopted, the DPA cannot impose administrative fines under the GDPR, but only fines under the Personal Data Protection Act, which are not contrary to the GDPR. According to the GDPR, the data subject may also bring compensation claims for failure to notify / as a result of infringement of the GDPR.
Under ZEKom-1 if the provider of the electronic communication service did not inform the affected individual of the breach, the Agency may, after examining the possible negative effects of such breach, instruct the provider to inform the individual of the breach. Failure to notify might result in a fine, the range of which depends on the size of the company pursuant to Companies Act. A fine from EUR 50,000 to EUR 400,000 may be imposed upon a service provider deemed as a larger legal entity, whereas for a service provider deemed as a smaller legal entity or a sole proprietor a fine from EUR 500 to EUR 15,000 may be imposed. The responsible person of the company may be imposed with a fine from EUR 200 to EUR 2,000.
Failure to report a criminal offence of an abuse of personal data that was detected by a public official may result in disciplinary action being taken against the public official and, in severe cases, also criminal liability. As mentioned before, in certain cases failure to inform the competent authorities of a crime or perpetrator may itself constitute a criminal offense.
1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?
We would recommend notifying the affected individuals of a data breach even where there is no express legal requirement, in order to comply with internationally recognized data privacy principles and standards.
In case of credit card data breaches, banks in Slovenia are, pursuant to the Banking Act (Zakon o bančništvu, ZBan-2), only obliged to protect confidential information on the principle level. However, most banks do determine the obligation to notify an individual (e.g. via text message) in the event of a credit card data breach.
1.6 What are the applicable (data protection) laws or guidelines within your country?
The main data protection regulations applicable in Slovenia are the GDPR and to a certain extent, the prior GDPR existing Personal Data Protection Act ("ZVOP-1"). The local act further implementing GDPR has not been adopted yet and is subject of a pending legislative procedure. In relation to the public electronic communication service the applicable law is ZEKom-1. Slovenian Criminal Code (KZ-1) should also be considered.
Next to the guidelines of the Article 29 Working Party / European Data Protection Board there are a number of guidelines, opinions and decisions published on the website of the Information Commissioner of the Republic of Slovenia that prove to be helpful in interpreting the applicable legislation.
1.7 Contact information for the local Data Protection Authority:
Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec)
Dunajska cesta 22, SI-1000 Ljubljana, Slovenia
+386 1 230 97 30
+386 1 230 97 78
For breaches with regards to public electronic communication service the notification authority is:
Agency for communication networks and services of the Republic of Slovenia (Agencija za komunikacijska omrežja in storitve Republike Slovenije)
Stegne 7, p. p. 418, SI-1001 Ljubljana, Slovenia
+386 1 583 63 00
+386 1 511 11 01
For more information, contact:
Bleiweisova cesta 30, 1000 Ljubljana, Slovenia
+386 1 620 5230
+386 1 620 5211