The National Assembly did not include the proposal of the new Personal Data Protectionin the agenda of its next extraordinary session. This means that the controllers andprocessors will have to comply with the requirements of the General Data ProtectionRegulation no later than 25 May 2018, because there will be no promised adaptationperiod.
The proposal of the Personal Data Protection Act (ZVOP-2) provides temporaryadjustment period allowing controllers and processors to introduce thenovelties in additional transitional period of one year in relation to the use ofconsent, six months in relation to the data processing, nine months in relation to theappointment of the DPO etc. The point of these periods is that the controllers andprocessors who will demonstrate that they started adopting appropriate adjustmentmeasures will not be subjected to sanctions for misdemeanour, which can, in the worst-case scenario, amount to 20 million euros or 4% of the total global turnover in theprevious calendar year.
As the members of the Council of the President of the National Assembly did not approvethe urgent procedure for the adoption of the Personal Data Protection Act (ZVOP-2), theGeneral Data Protection Regulation (GDPR) will become directly applicable on 25 May2018. In several places, the GDPR allows Member States to regulate the mattersdifferently or in more detail and therefore it is necessary for the new Personal DataProtection Act (ZVOP-2) to be adopted as soon as possible, because it will containadditional sector-specific provisions (for example, video surveillance, biometrics, directmarketing), regulate specific procedural aspects (for example, minimum age of childrento give consent), define the relation to other areas and rights (for example access topublic information) and transpose Directive (EU) 2016/680 for police and justice sectorinto Slovenian law.
New act is also necessary to provide legal certainty because thecurrently applicable Personal Data Protection Act (ZVOP-1) is out of date and in someplaces even contrary to the GDPR provisions.The fact that the Personal Data Protection Act (ZVOP-2) has not yet been adopted willcontinue to cause inconveniences for the controllers and processors because they will berequired to compare provisions of the GDPR and the Personal Data Protection Act(ZVOP-2). Where those provisions are conflicting, we suggest taking into account theprovisions that are more advantageous to the individual. There will also befinancial implications of the failure to adopt Personal Data Protection Act (ZVOP-2)because the companies will have to comply their operations first with the provisions ofthe GDPR and then again with the provisions of the Personal Data Protection Act (ZVOP-2).Otherwise, the Government presented the first draft of the Personal Data Protection Act(ZVOP-2) in October 2017, followed by two rounds of public debate, where severalstakeholders commented the text (Information Commissioner submitted 30 pages ofcomments), particularly regarding the regulation of the direct marketing and dataprotection officers (DPO). Even though the proposal of the Personal Data Protection Act(ZVOP-2) takes into consideration quite a few comments given by the public, the
Information Commissioner still believes that the act will require several amendments inthe National Assembly. The proposal of the Personal Data Protection Act (ZVOP-2) wassubject to other critiques as well because it regulates direct marketing in the samemanner as Personal Data Protection Act (ZVOP-1) and requires, at the same time,respect of the principle of traceability.