Ministry of justice of slovenia legislation





PERSONAL DATA PROTECTION ACT OF THE REPUBLIC OF SLOVENIA

Ministry of Justice of the Republic of Slovenia

2013

Disclaimer: The English language translation of the text of the Personal Data Protection Act (of the Republic of Slovenia) below is provided just for information only and confers no rights nor imposes any obligations on anyone. Only the official publication of the Personal Data Protection Act in Slovene language, as published and promulgated in the Official Gazette of the Republic of Slovenia, is authentic. The status of the translated text of the Personal Data Protection Act is as of 30 July 2013 and the status of statutes and other information in footnotes and in Appendices is also as of 30 July 2013. The explanatory footnotes and appendices have also been inserted just for information only, and previous text of this Disclaimer also applies to them. While the Government Translation Service prepared the original translation, Ministry of Justice of the Republic of Slovenia performed the substantially corrected translation, terminology decisions and annotations. This translation may not be published in any way, without the prior permission of the Ministry of Justice of the Republic of Slovenia, but may be used for information purposes only. Further editorial revisions of this translation are possible.

On the basis of the second indent, first paragraph of Article 107 and the first paragraph of Article 91 of the Constitution of the Republic of Slovenia, I hereby issue the


DECREE
on the promulgation of the Personal Data Protection Act (ZVOP-1)

I hereby promulgate the Personal Data Protection Act (ZVOP-1), which was adopted by the National Assembly of the Republic of Slovenia at its session of 15 July 2004.

No. 001-22-148/04

Ljubljana, 23 July 2004


Dr. Janez Drnovšek
President of the Republic of Slovenia

PERSONAL DATA PROTECTION ACT (ZVOP-1)[1]

PART I

GENERAL PROVISIONS
Contents of the Act
Article 1
This Act determines the rights, responsibilities, principles and measures to prevent unconstitutional, unlawful[2] and unjustified encroachments on the privacy and dignity of an individual[3] (hereinafter: individual) in the processing of personal data.
Principle of lawfulness and fairness
Article 2
Personal data shall be processed lawfully[4] and fairly.
Principle of proportionality
Article 3
Personal data that are being processed must be adequate and in their extent appropriate in relation to the purposes for which they are collected and further processed.
Prohibition of discrimination
Article 4
Protection of personal data shall be guaranteed to every individual irrespective of nationality[5], race, colour, religious belief, ethnicity, sex, language, political or other belief, sexual orientation, material standing, birth, education, social position, citizenship, place or type of residence or any other personal circumstance.
Territorial application of this Act
Article 5
(1) This Act shall apply to the processing of personal data if the data controller is established, has its seat or is registered in the Republic of Slovenia, or if a subsidiary of the data controller is registered in the Republic of Slovenia.
(2) This Act shall also apply if the data controller is not established, does not have its seat or is not registered in a Member State of the European Union or is not a part of the European Economic Area and for the processing of personal data the data controller uses automated or other equipment located in the Republic of Slovenia, except where such equipment is used solely for the transfer of personal data across the territory of the Republic of Slovenia.
(3) The data controller from the previous paragraph must appoint a natural person or legal person that has its seat or is registered in the Republic of Slovenia to represent it in respect of the processing of personal data in accordance with this Act.
(4) This Act shall also apply to diplomatic-consular offices and other official representative offices of the Republic of Slovenia abroad.
Meaning of terms
Article 6
Terms used in this Act shall have the following meanings:
1. Personal data - is any data relating to an individual, irrespective of the form in which it is expressed.
2. Individual - is an identified or identifiable natural person to whom personal data relates; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, where the method of identification does not incur large costs or disproportionate effort or require a large amount of time.
3. Processing of personal data - means any operation or set of operations performed in connection with personal data that are subject to automated processing or which in manual processing are part of a filing system or which are intended for inclusion in a filing system, such as in particular collection, acquisition, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, communication, dissemination or otherwise making available, alignment or connecting, blocking, anonymising, erasure or destruction; processing may be performed manually or by using automated technology (means of processing).
4. Automated processing – is the processing of personal data using information technology means.
5. Filing system – is any structured set of data containing at least one piece of personal data, which is accessible according to criteria enabling the use or combination of the data, irrespective of whether the set is centralised, decentralised or dispersed on a functional or geographical basis; a structured set of data is a set of data organised in such a manner as to identify or enable identification of an individual.
6. Data controller - is a natural person or legal person or other public or private sector person which alone or jointly with others determines the purposes and means of the processing of personal data or a person provided by statute that also determines the purposes and means of processing.
7. Data processor - is a natural person or legal person that processes personal data on behalf and for the account of the data controller.
8. Data recipient – is a natural or legal person or other private or public sector person to whom personal data are supplied or disclosed.
9. Supply of personal data – is the supply or disclosure of personal data.
10. Foreign recipient and foreign data controller – is a recipient of personal data in a third country and a data controller in a third country.
11. Third country - is a country that is not a Member State of the European Union or a part of the European Economic Area.
12. Filing system catalogue - is a description of a filing system.
13. Register of Filing Systems - is a register containing data from filing system catalogues.
14. Personal consent of an individual – is a voluntary statement of the will of an individual that his personal data may be processed for a specific purpose, and this is given on the basis of information that must be provided to such individual by the data controller pursuant to this Act; personal consent of an individual may be written, oral or some other appropriate consent of the individual.
15. Written consent of the individual - is the signed consent of the individual having the form of a document, the provision of a contract, the provision of an order, an appendix to an application or other form in accordance with statute; a signature shall also mean on the basis of a statute a form equivalent to a signature given by means of telecommunication and a form equivalent by statute to a signature given by an individual who does not know how to write or is unable to write.
16. Oral or other appropriate consent of the individual - is consent given orally or by means of telecommunication or other appropriate means or in some other appropriate manner from which it can be concluded unambiguously that the individual has given his consent.
17. Blocking - is such labelling of personal data that restricts or prevents their further processing.
18. Anonymising - is such alteration to the form of personal data such that they can no longer be linked to the individual or where such link can only be made with disproportionate efforts, expense or use of time.
19. Sensitive personal data - are data on racial, national or ethnic origin, political, religious or philosophical beliefs, trade-union membership, health status, sexual life, the entry in or removal from criminal record or records of minor offences that are kept on the basis of a statute that regulates minor offences (hereinafter: minor offence records); biometric characteristics are also sensitive personal data if their use makes it possible to identify an individual in connection with any of the aforementioned circumstances.
20. Same connecting codes - are the personal identification number and other uniform identification numbers defined by statute relating to an individual that can be used to obtain or retrieve personal data from filing systems in which the same connecting codes are also processed.
21. Biometric characteristics - are such physical, physiological and behavioural characteristics which all individuals have but which are unique and permanent for each individual specifically and which can be used to identify an individual, in particular by the use of fingerprint, recording of papillary ridges of the finger, iris scan, retinal scan, recording of facial characteristics[6], recording of an ear, DNA scan and characteristic gait.
22. Public sector - are state bodies, bodies of self-governing local communities, holders of public powers, public agencies, public funds, public institutes, universities, independent institutions of higher education and self-governing communities of nationalities.
23. Private sector - means legal or natural persons performing an activity in accordance with the statute regulating commercial companies or a commercial public service or craft, and persons of private law; public commercial institutes, public companies and commercial companies, irrespective of the share or influence held by the state, self-governing local communities or self-governing communities of nationalities, are a part of the private sector.

Exceptions in the application of this Act

Article 7


(1) This Act shall not apply to the processing of personal data performed by individuals exclusively for personal use, family life or for other domestic needs.
(2) Articles 26, 27 and 28 of this Act shall not apply to personal data, which are processed by political parties, trade unions, associations or religious communities relating to their members.
(3) The second paragraph of Article 25, Articles 26, 27 and 28, and Part V of this Act shall not apply to personal data which are processed by the media for the purposes of informing the public.
(4) Data controllers with fewer than 50 employees shall not be required to fulfil the obligation laid down in the second paragraph of Article 25, and shall not be required to fulfil the obligations laid down in Articles 26 and 27 of this Act.
(5) The exemptions laid down in the preceding paragraph shall not apply to filing systems kept by data controllers in the public sector, notaries public, attorneys, detectives, bailiffs, private security providers, private healthcare workers, healthcare providers, and to data controllers that keep filing systems containing sensitive personal data and processing of sensitive personal data is a part of their registered activity.

PART II

PROCESSING OF PERSONAL DATA




Chapter 1




Legal grounds and purposes




General definition

Article 8


(1) Personal data may only be processed if the processing of personal data and the personal data being processed are provided by statute, or if the personal consent of the individual has been given for the processing of certain personal data.
(2) The purpose of processing personal data must be provided by statute, and in cases of processing on the basis of personal consent of the individual, the individual must be informed in advance in writing or in another appropriate manner of the purpose of processing of personal data.
Legal grounds in the public sector
Article 9
(1) Personal data in the public sector may be processed if the processing of personal data and the personal data being processed are provided by statute. Statute may provide that certain personal data may only be processed on the basis of personal consent of the individual.
(2) Holders of public powers may also process personal data on the basis of personal consent of the individual without statutory grounds where this does not involve the performance of their duties as holders of public powers. Filing systems created on such basis must be held separate from filing systems created on the basis of the performance of duties of the holder of public powers.
(3) Irrespective of the first paragraph of this Article, in the public sector personal data may be processed in respect of individuals that have contractual relations with the public sector or on the basis of the individual’s initiative are negotiating on the conclusion of a contract, provided that the processing of personal data is necessary and appropriate for conducting negotiations for the conclusion of a contract or for the fulfilment of a contract.
(4) Irrespective of the first paragraph of this Article, personal data may in exceptions be processed in the public sector where they are essential for the exercise of lawful[7] competences, duties or obligations by the public sector, provided that such processing does not encroach on the justified interests of the individual to whom the personal data relate.

Legal grounds in the private sector
Article 10
(1) Personal data in the private sector may be processed if the processing of personal data and the personal data being processed are provided by statute, or if the personal consent of the individual has been given for the processing of certain personal data.
(2) Irrespective of the previous paragraph, in the private sector personal data may be processed in respect of individuals that have contractual relations with the private sector or on the basis of the individual’s initiative are negotiating on the conclusion of a contract, provided that the processing of personal data is necessary and appropriate for conducting negotiations for the conclusion of a contract or for the fulfilment of a contract.
(3) Irrespective of the first paragraph of this Article, personal data may be processed in the private sector if this is essential for the fulfilment of the lawful[8] interests of the private sector and these interests clearly outweigh the interests of the individual to whom the personal data relate.
Contractual Processing
Article 11
(1) Data controller may by contract entrust individual tasks related to processing of personal data to data processor that is registered to perform such activities and ensures the appropriate procedures and measures pursuant to Article 24 of this Act.
(2) Data processor may perform individual tasks associated with processing of personal data within the scope of the client’s authorisations, and may not process personal data for any other purpose. Mutual rights and obligations shall be arranged by contract, which must be concluded in writing and must also contain an agreement on the procedures and measures pursuant to Article 24 of this Act. Data controller shall oversee the implementation of procedures and measures pursuant to Article 24 of this Act.
(3) In the event of a dispute between the data controller and the data processor, the data processor shall be bound on the basis of a request from the data controller to return to the controller without delay the personal data processed under contract. He shall be obliged to destroy immediately or to supply any copies of such data to the state body competent by statute for detection or prosecution of criminal offences, to a court or to another state body, if so provided by statute.
(4) In the event of cessation of a data processor, personal data shall be returned to the data controller without unnecessary delay.

Protection of the vital interests of the individual
Article 12
If processing of personal data is necessarily required to protect the life or body of an individual, his personal data may be processed irrespective of the fact that there are no other statutory legal grounds for the processing of such data.
Processing of sensitive personal data
Article 13
Sensitive personal data may only be processed in the following cases:
1. if the individual has given explicit personal consent for this, such consent as a rule being in writing, and in the public sector provided by statute;
2. if the processing is necessary in order to fulfil the obligations and special rights of a data controller in the area of employment in accordance with statute, which also provides appropriate guarantees for the rights of the individual;
3. if the processing is necessarily required to protect the life or body of an individual to whom the personal data relate, or of another person, where the individual to whom the personal data relate is physically or contractually[9] incapable of giving his consent pursuant to subparagraph 1 of this Article;
4. if they are processed for the purposes of lawful[10] activities by institutions, societies, associations, religious communities, trade unions or other non-profit organisations with political, philosophical, religious or trade-union aim, but only if the processing concerns their members or individuals in regular contact with them in connection with such aims, and if they do not supply such data to other individuals or persons of public or private sector without the written consent of the individual to whom they relate;
5. if the individual to whom the sensitive personal data relate publicly announces them without any evident or explicit purpose of restricting their use;
6. if they are processed by health-care workers and health-care staff in compliance with statute for the purposes of protecting the health of the public and individuals and the management or operation of health services;
7. if this is necessary in order to assert or oppose a legal claim;
8. if so provided by another statute in order to implement the public interest.

Protection of sensitive personal data
Article 14
(1) Sensitive personal data must during processing be specially marked and protected, such that access to them by unauthorised persons is prevented, except in instances from subparagraph 5 of Article 13 of this Act.
(2) In the transmission of sensitive personal data over telecommunications networks, data shall be considered as suitably protected if they are sent with the use of cryptographic methods and electronic signatures such that their illegibility or non-recognition is ensured during transmission.
Automated decision-making
Article 15
Automated data processing, in which a decision may be taken regarding an individual that could have legal effect in relation to him, or substantive influence on him, and which is based solely on automated data processing intended for the evaluation of certain personal aspects relating to him, such as in particular his success at work, credit rating, reliability, handling or compliance with conditions required, shall only be permitted if the decision:
1. is taken during the conclusion or implementation of a contract, provided that the request to conclude or implement a contract submitted by the individual to whom the personal data relate has been fulfilled or that there exist appropriate measures to protect his lawful[11] interests, such as in particular agreements enabling him to object to such decision or to express his position;
2. is provided by statute which also provides measures to protect the lawful[12] interests of the individual to whom the personal data relate, particularly the possibility of legal remedy against such decision.


Purpose of collection, and further processing
Article 16
Personal data may only be collected for specific and lawful[13] purposes, and may not be further processed in such a manner that their processing would be counter to these purposes, unless otherwise provided by statute.
Processing for historical, statistical and scientific-research purposes
Article 17
(1) Irrespective of the initial purpose of collection, personal data may be further processed for historical, statistical and scientific-research purposes.
(2) Personal data shall be supplied to the data recipient for the purpose of processing from the previous paragraph in an anonymised form, unless otherwise provided by statute or if the individual to whom the personal data relate gave prior written consent for the data to be processed without anonymising.
(3) Personal data supplied to data recipient in accordance with the previous paragraph shall on completion of processing be destroyed, unless otherwise provided by statute. The data recipient shall be obliged without delay after destruction of the data to inform the data controller who supplied him the personal data in writing when and how he destroyed them.
(4) Results of processing from the first paragraph of this Article shall be published in anonymised form, unless otherwise provided by statute or unless the individual to whom the personal data relate gave written consent for publication in a non-anonymised form or unless written consent for such publication has been given by the heirs to the deceased person under this Act.

Chapter 2
Protection of individuals
Accuracy and up to date personal data
Article 18
(1) Personal data being processed must be accurate and kept up to date.
(2) Data controller may prior to input into a filing system verify the accuracy of personal data by examining an identity document or other suitable public document of the individual to whom the data relate.
Informing the individual of the processing of personal data
Article 19
(1) If personal data are collected directly from the individual to whom they relate, the data controller or his representative must communicate to the individual the following information, if the individual is not yet acquainted with them:

- data on the data controller and his possible representative (personal name, title or official name respectively and address or seat respectively),

- the purpose of the processing of personal data.
(2) If in view of the special circumstances of collecting personal data from the previous paragraph there is a need to ensure lawful[14] and fair processing of personal data of the individual, the person from the previous paragraph must also communicate to the individual the additional information, if the individual is not yet acquainted with them, and in particular:

- a declaration as to the data recipient or the type of data recipients of his personal data,

- a declaration of whether the collection of personal data is compulsory or voluntary, and the possible consequences if the individual will not provide data voluntarily,

- information on the right to consult, transcribe, copy, supplement, correct, block and erase personal data that relate to him.


(3) If personal data were not collected directly from the individual to whom they relate, the data controller or his representative must communicate to the individual the following information no later than on the recording or supply of personal data to the data recipient:

- data on the data controller and his possible representative (personal name, title or official name respectively and address or seat respectively),

- the purpose of the processing of personal data.
(4) If in view of the special circumstances of collecting personal data from the previous paragraph there is a need to ensure lawful[15] and fair processing of personal data of the individual, the person from the previous paragraph must also communicate to the individual additional information, and in particular:

- information on the type of personal data collected,

- a declaration as to the data recipient or the type of data recipients of his personal data,

- information on the right to consult, transcribe, copy, supplement, correct, block and erase personal data that relate to him.


(5) Information from the third and fourth paragraphs of this Article shall not need to be ensured if in order to process personal data for historical, statistical or scientific-research purposes it would be impossible or would incur large costs or disproportionate effort or would require a large amount of time, or if the recording or supply of personal data is expressly provided by statute.

Use of the same connecting code
Article 20
(1) In the acquisition of personal data from filing systems in the areas of health, police, national intelligence-security activities, national defence, judiciary and the state prosecution and criminal record and minor offence records, the same connecting code may not be used in such manner that only such code would be used to obtain personal data.
(2) Irrespective of the previous paragraph, the same connecting code may exceptionally be used to obtain personal data if this is the only item of data in a specific case that can enable the detection or prosecution of a criminal offence ex officio, to protect the life or body of an individual, or to ensure the implementation of the tasks of the intelligence and security bodies provided by statute. An official annotation or other written record must be made thereof without delay.
(3) The first paragraph of this Article shall not apply to the land register and the commercial register.
Duration of storage of personal data
Article 21
(1) Personal data may only be stored for as long as necessary to achieve the purpose for which they were collected or further processed.
(2) On completion of the purpose of processing, personal data shall be erased, destroyed, blocked or anonymised, unless pursuant to the statute governing archive materials and archives they are defined as archive material, or unless a statute otherwise provides for an individual type of personal data.
Supply of personal data
Article 22
(1) Data controllers shall be obliged against payment of the cost of supply, unless otherwise provided by statute, to supply personal data to data recipients.
(2) The data controller of the Central Population Register or of Records of Permanently and Temporarily Registered Residents shall be obliged in the manner defined for the issuing of certificates to supply to authorised party demonstrating a lawful interest in exercising rights before public sector persons the personal name and address of permanent or temporary residence of an individual against whom they are exercising their rights.
(3) Data controller shall be obliged for each supply of personal data to ensure that it is subsequently possible to determine which personal data were supplied, to whom, when and on what basis, for the period covered by statutory protection of the rights of an individual due to non-allowed supply of personal data.
(4) Irrespective of the first paragraph of this Article, data controllers in the public sector shall be bound to supply to data recipient in the public sector personal data without payment of the cost of supply, unless otherwise provided by statute or unless it involves use for historical, statistical or scientific-research purposes.
Protection of personal data of deceased individuals
Article 23
(1) Data controller may supply data on a deceased individual only to those data recipients authorised to process personal data by statute.
(2) Irrespective of the previous paragraph, data controller shall supply data on a deceased individual to the person who under the statute governing inheritance is the deceased person’s legal heir of the first or second order, if they demonstrate a lawful interest in the use of personal data and the deceased individual did not prohibit in writing the supply of such personal data.
(3) Unless otherwise provided by statute, a data controller may also supply data from the previous paragraph to any other person intending to use such data for historical, statistical or scientific-research purposes if the deceased individual did not prohibit in writing the supply of such personal data.
(4) If the deceased individual did not issue a prohibition from the previous paragraph, persons who under the statute governing inheritance are his legal heirs of the first or second order may prohibit in writing the supply of his data, unless otherwise provided by statute.
Chapter 3
Security of Personal Data
Contents
Article 24
(1) Security of personal data comprises organisational, technical and logical-technical procedures and measures to protect personal data, and to prevent accidental or deliberate unauthorised destruction, modification or loss of data, and unauthorised processing of such data:

1. by protecting premises, equipment and systems software, including input-output units;


2. by protecting software applications used to process personal data;
3. by preventing unauthorised access to personal data during transmission thereof, including transmission via telecommunications means and networks;
4. by ensuring effective methods of blocking, destruction, deletion or anonymisation of personal data;
5. by enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and who did so, for the period covered by statutory protection of the rights of an individual due to unauthorised supply or processing of personal data.
(2) In cases of processing of personal data accessible over telecommunications means or network, the hardware, systems software and software applications must ensure that the processing of personal data in filing systems is within the limits of authorisations of the data recipient.
(3) The procedures and measures to protect personal data must be adequate in view of the risk posed by processing and the nature of the specific personal data being processed.
(4) Functionaries, employees and other individuals performing work or tasks at persons that process personal data shall be bound to protect the secrecy of personal data with which they become familiar in performing their functions, work and tasks. The duty to protect the secrecy of personal data shall also be binding on them after termination of their function, work or tasks, or the performance of contractual processing services.

Duty to secure
Article 25
(1) Data controllers and data processors shall be bound to ensure the protection of personal data in the manner set out in Article 24 of this Act.
(2) Data controllers shall prescribe in their internal acts the procedures and measures for security of personal data and shall define the persons responsible for individual filing systems and the persons who, due to the nature of their work, shall process individual personal data.
Chapter 4
Notification of filing systems
Filing system catalogue
Article 26
(1) Data controller shall establish for each filing system a filing system catalogue containing:

1. title of the filing system;


2. data on the data controller (for natural person: personal name, address where activities are performed or address of permanent or temporary residence, and for sole trader his official name, registered office, seat and registration number; for legal person: title or registered office and address or seat of the data controller and registration number);
3. legal basis for processing personal data;
4. the category of individuals to whom the personal data relate;
5. the type of personal data in the filing system;
6. purpose of processing;
7. duration of storage of personal data;
8. restrictions on the rights of individuals with regard to personal data in the filing system and the legal basis for such restrictions;
9. data recipients or categories of data recipients of personal data contained in the filing system;
10. whether the personal data are transferred to a third country, to where, to whom and the legal grounds for such transfer;
11. a general description of security of personal data;
12. data on connected filing systems from official records and public books;
13. data on the representative from the third paragraph of Article 5 of this Act (for natural person: personal name, address where activities are performed or address of permanent or temporary residence, and for sole trader his official name, registered office, seat and registration number; for legal person: title or registered office and address or seat of the data controller and registration number).
(2) Data controller must ensure that the contents of the catalogue are accurate and up to date.
Notification of the supervisory body
Article 27
(1) Data controller shall supply data from subparagraphs 1, 2, 4, 5, 6, 9, 10, 11, 12 and 13 of the first paragraph of Article 26 of this Act to the National Supervisory Body for Personal Data Protection at least 15 days prior to the establishing of a filing system or prior to the entry of a new type of personal data.
(2) Data controller shall supply to the National Supervisory Body for Personal Data Protection modifications to the data from the previous paragraph no later than eight days from the date of modification.
(3) Data from the first paragraph of this Article shall not need to be supplied by those data controllers that do not have more than 20 persons employed for an indefinite period and relating to those filing systems they maintain on their employees in accordance with the statute governing filing systems in the area of labour. In this case each person must be provided with information from Article 26 of this Act.
[Repealed by the Act on Changes and Amendments to the Personal Data Protection Act (ZVOP-1A), Official Gazette of the RS, No. 67/2007.]
Register
Article 28
(1) The National Supervisory Body for Personal Data Protection shall manage and maintain a Register of Filing Systems containing data from Article 27 of this Act, in the manner defined by the methodology of its management.
(2) The Register shall be managed using information technology and shall be published on the website of the National Supervisory Body for Personal Data Protection (hereinafter: the website).
(3) The rules on the methodology[16] from the first paragraph of this Article shall be defined by the Minister responsible for justice, on the proposal of the Chief National Supervisor for Personal Data Protection[17] (hereinafter: the Chief National Supervisor).
PART III
RIGHTS OF THE INDIVIDUAL
Examination of the Register
Article 29
(1) The National Supervisory Body for Personal Data Protection shall be obliged to permit anyone to consult the Register of Filing Systems and to transcribe the data.
(2) The consultation and transcription of data must as a rule be permitted and enabled on the same day, and no later than within eight days, otherwise the request shall be deemed to have been refused.
Right of the individual to information
Article 30
(1) Data controller shall on request of the individual be obliged:
1. to enable consultation of the filing system catalogue;
2. to certify whether data relating to him are being processed or not, and to enable him to consult personal data contained in filing system that relate to him, and to transcribe or copy them;
3. to supply him an extract of personal data contained in filing system that relate to him;
4. to provide a list of data recipients to whom personal data were supplied, when, on what basis and for what purpose;
5. to provide information on the sources on which records contained about the individual in a filing system are based, and on the method of processing;
6. to provide information on the purpose of processing and the type of personal data being processed, and all necessary explanations in this connection;
7. to explain technical and logical-technical procedures of decision-making, if the controller is performing automated decision-making through the processing of personal data of an individual.
(2) The extract from subparagraph 3 of the previous paragraph may not replace the document or certificate under the regulations on administrative or other procedures, and this shall be indicated on the extract.
Procedure for information
Article 31
(1) The request from Article 30 of this Act shall be lodged in writing or orally in a record with the data controller. Such request may be lodged once every three months, and in respect of sensitive personal data and personal data under the provisions of Chapter 2, Part VI of this Act, once a month. When required to ensure fair, lawful or proportionate processing of personal data, particularly when an individual's personal data in a filing system are frequently updated or sent or could be frequently updated or sent to data recipients, the data controller must permit the individual to lodge the request within an appropriately shorter period, which is not less than five days from the day of acquainting with personal data that relate to him or [from the] refusal of this acquaintance.
(2) The data controller must enable the individual to consult, transcribe, copy and obtain a certificate pursuant to subparagraphs 1 and 2 of the first paragraph of Article 30 of this Act as a rule on the same day that the request is received, and no later than within 15 days, or within 15 days to inform the individual in writing of the reasons why he will not enable consultation, transcription, copying or the issuing of a certificate.
(3) The data controller shall be obliged to supply the extract from subparagraph 3, the list from subparagraph 4, information from subparagraphs 5 and 6 and the explanation from subparagraph 7 of the first paragraph of Article 30 of this Act to the individual within 30 days from the date he received the request, or within the same interval to inform him in writing of the reasons why he will not supply the extract, list, information or explanation.
(4) If the data controller fails to act in accordance with the second and third paragraphs of this Article, the request shall be deemed to have been refused.
(5) Costs relating to the request and consultation from this Article shall be borne by the data controller.
(6) For the transcription, copying and written certificate pursuant to Item 2, and the extract pursuant to Item 3, the list from Item 4, the information from Items 5 and 6 and the explanation from Item 7 of the first paragraph of Article 30 of this Act, the data controller may charge the individual only material costs according to a pre-specified tariff, while an oral confirmation pursuant to Item 2, oral provision of information pursuant to Item 5, oral provision of information pursuant to Item 6, and oral explanation pursuant to Item 7 shall be free-of-charge. If despite having received an oral confirmation, information or explanation pursuant to Items 2, 5, 6 and 7 of the first paragraph of Article 30, an individual requests confirmation, information or an explanation in written form, the data controller must provide it.
(7) The Minister responsible for justice, at the proposal of the Information Commissioner, shall issue rules[18] prescribing a tariff for the material costs referred to in the preceding paragraph and shall publish them in the Official Gazette of the Republic of Slovenia.
Right to supplement, correct, block, erase and to object
Article 32
(1) On the request of an individual to whom personal data relate, the data controller must supplement, correct, block or erase personal data which the individual proves as being incomplete, inaccurate or not up to date, or that they were collected or processed contrary to statute.
(2) On the request of the individual the data controller must inform all data recipients and data processors to whom the controller has supplied the personal data of the individual, before the measures from the previous paragraph have been carried out, of their supplementation, correction, blocking or erasure pursuant to the previous paragraph. Exceptionally the data controller shall not need to do this if it would incur large costs, disproportionate efforts or would require a large amount of time.
(3) Individuals whose personal data are processed in accordance with the fourth paragraph of Article 9 or the third paragraph of Article 10 of this Act shall have the right through objection at any time to demand the cessation of their processing. The data controller shall grant the objection if the individual demonstrates that the conditions for processing have not been fulfilled pursuant to the fourth paragraph of Article 9 or the third paragraph of Article 10 of this Act. In this case the personal data of the individual may no longer be processed.
(4) If the data controller does not grant the objection from the previous paragraph, the individual that lodged the objection may request that the National Supervisory Body for Personal Data Protection decides on whether the processing is in accordance with the fourth paragraph of Article 9 or the third paragraph of Article 10 of this Act. The individual may lodge such request within seven days of delivery of the decision regarding the objection.
(5) The National Supervisory Body for Personal Data Protection shall decide on the request from the previous paragraph within two months of receipt of the request. The lodging of a request shall withhold the processing of personal data of the individual in respect of which the request was lodged.
(6) The costs of all actions of the data controller from the previous paragraphs shall be borne by the data controller.
Procedure of supplementing, correction, blocking, deletion and objection
Article 33
(1) The request or objection from Article 32 of this Act shall be lodged in writing or orally in an annotation with the data controller.
(2) The data controller shall be obliged to perform the supplementing, correction, blocking or deletion of personal data within 15 days of the date of receipt of the request, and to inform the person who lodged the request thereof, or within the same interval to inform him of the reasons why he will not do so. The controller must decide on an objection within the same deadline.
(3) If the data controller fails to act pursuant to the previous paragraph, the request shall be deemed to have been refused.
(4) If the data controller concludes on his own that the personal data are incomplete, inaccurate or not up to date, he shall supplement or correct them and inform the individual thereof, unless otherwise provided by statute.
(5) Costs relating to the supplementing, correction and erasure of personal data, and of the notification and decision on the objection, shall be borne by the data controller.
Judicial protection of the rights of the individual
Article 34
(1) Individual who finds that his rights provided by this Act have been violated may request judicial protection for as long as such violation lasts.
(2) If the violation from the previous paragraph ceases, the individual may file a suit to rule that the violation existed if he is not provided with other judicial protection in relation to the violation.
(3) The competent court shall decide in the procedure under the provisions of the statute regulating administrative disputes unless otherwise provided by this Act.
(4) The procedure shall not be public unless the court decides otherwise at the suggestion of the individual for well-founded reasons.
(5) The procedure shall be urgent and a priority.

Temporary injunction
Article 35
In a suit filed due to violations of rights from Article 32 of this Act, an individual may request the court to bind the data controller, until a final decision is issued in the administrative dispute, to prevent any kind of processing of the disputed personal data, if their processing could cause damage that is difficult to repair to the individual to whom the personal data relate, provided that the postponement of processing is not contrary to the public interests and that there is no danger of greater irredeemable damage being done to the opposing party.
Restriction of the rights of an individual
Article 36
(1) The rights of an individual from the third and fourth paragraphs of Article 19, Articles 30 and 32 of this Act may exceptionally be restricted by statute for reasons of protection of national sovereignty and national defence, protection of national security and the constitutional order of the state, security, political and economic interests of the state, the exercise of the responsibilities of the police, the prevention, discovery, detection, proving and prosecution of criminal offences and minor offences, the discovery and punishment of violations of ethical norms for certain professions, for monetary, budgetary or tax reasons, supervision of the police, and protection of the individual to whom the personal data relate, or the rights and freedoms of others.
(2) Restrictions from the previous paragraph may only be provided in the extent necessary to achieve the purpose for which the restriction was provided.
PART IV
INSTITUTIONAL PERSONAL DATA PROTECTION
Chapter 1
Supervisory body for personal data protection
Supervisory body
Article 37
(1) The National Supervisory Body for Personal Data Protection (hereinafter: the National Supervisory Body) shall have the status of supervisory body for the protection of personal data.
(2) The National Supervisory Body shall undertake inspection supervision on the implementation of the provisions of this Act and other tasks under this Act and other regulations regulating the protection or processing of personal data or the transfer of personal data from the Republic of Slovenia. The National Supervisory Body shall also undertake other tasks in accordance with statute.
(3) The National Supervisory Body shall ensure uniform realisation of measures in the area of protection of personal data.
Status and organisation of the National Supervisory Body
Article 38
(1) The National Supervisory Body shall be a self-dependent[19] state body.
(2) The National Supervisory Body shall be headed by a Chief National Supervisor, who shall be a state functionary. His salary shall be regulated by the decision of the National Assembly laying down the ranking of official functions into salary brackets.
(3) The National Supervisory Body shall employ at least four National Supervisors for Personal Data Protection[20] (hereinafter: the Supervisor). At least one of them must be a university graduate in law.
(4) The Chief National Supervisor shall head and represent the National Supervisory Body, organise and coordinate the work of Supervisors and carry out inspection supervision pursuant to this Act.
(5) Administrative and technical tasks for the National Supervisory Body shall be performed by the Ministry responsible for justice.
[Repealed by the Information Commissioner Act, Official Gazette of the RS, No. 113/05; see Articles 1, 2, 8 and 9 of this Act in Appendix 2]
Funds for the work of the National Supervisory Body
Article 39
Funds for the work of the National Supervisory Body shall be provided in the Budget of the Republic of Slovenia. The level of funds shall be determined by the National Assembly of the Republic of Slovenia (hereinafter: National Assembly) on the proposal of the Chief National Supervisor.
[Repealed by the Information Commissioner Act, Official Gazette of the RS, No. 113/05; see Article 5 of this Act in Appendix 2]

Appointment of the Chief National Supervisor
Article 40
(1) The Chief National Supervisor shall be appointed by the National Assembly on the proposal of the Minister responsible for justice.
(2) The Chief National Supervisor shall be appointed from among those individuals that fulfil the conditions for appointment to the title of Supervisor under this Act.
(3) The vacancy for the post of Chief National Supervisor shall be advertised by the Ministry responsible for justice ex officio no later than three months from the expiry of the term of office of the Chief National Supervisor or within one month of early dismissal. The vacancy shall be advertised in the Official Gazette of the Republic of Slovenia, and the deadline for applications may not be shorter than 15 days.
(4) The Chief National Supervisor shall be appointed for a period of eight years and may be re-appointed.
[Repealed by the Information Commissioner Act, Official Gazette of the RS, No. 113/05; see Article 6 of this Act in Appendix 2]
Dismissal of the Chief National Supervisor
Article 41
(1) The Chief National Supervisor may be subject to early dismissal only in the following cases:
- if he tenders a statement of resignation to the National Assembly;
- if he is convicted by a final decision of a criminal offence with a punishment of deprivation of liberty;
- if he cannot perform his function for health or other well-founded reasons for more than six months;
- if he becomes permanently incapable of performing his function.
(2) The Chief National Supervisor shall be dismissed early and his term of office shall cease on the day the National Assembly determines the onset of reasons from the previous paragraph.
[Repealed by the Information Commissioner Act, Official Gazette of the RS, No. 113/05; see Article 7 of this Act in Appendix 2]
Deputising for the Chief National Supervisor
Article 42
The Chief National Supervisor shall from among the Supervisors appoint his Deputy, who shall deputise for him during his absence or temporary incapacity.
[Repealed by the Information Commissioner Act, Official Gazette of the RS, No. 113/05]

The Supervisor
Article 43
(1) Persons that have university education, five years of working experience, of which at least one year has been in work with personal data, and have passed the professional examination[21] for the position of inspector pursuant to the statute governing inspection supervision, may be appointed as Supervisor.
(2) Supervisors shall have the status, rights and obligations provided for Inspectors by the statute governing inspection supervision and by the statute governing civil servants, unless otherwise provided by this Act.
(3) Supervisors shall be appointed by the Chief National Supervisor in accordance with the statute governing civil servants.
[Repealed by the Information Commissioner Act, Official Gazette of the RS, No. 113/05; see Article 8 of this Act in Appendix 2]
Self-dependence of Supervisors
Article 44
(1) In the performance of tasks of inspection supervision and other tasks under this Act within the framework of their authorisations, Supervisors shall be independent and shall undertake them within the framework of and on the basis of the Constitution and statutes.
(2) In relation to the performance of tasks not comprising the performance of inspection supervision, they shall be bound by the written instructions of the Chief National Supervisor.
[Repealed by the Information Commissioner Act, Official Gazette of the RS, No. 113/05; see Article 8 of this Act in Appendix 2]
Employment and assignment in the National Supervisory Body
Article 45
(1) The Chief National Supervisor shall define in accordance with the statute governing civil servants in the act on systematisation the internal organisation of the National Supervisory Body and the required number of civil servants of the National Supervisory Body performing legal tasks and the required number of civil servants performing ancillary work.
(2) Civil servants of state bodies may on the basis of a proposal of the Chief National Supervisor and with their written agreement and the consent of the head of their state body be assigned to perform legal tasks or ancillary work from the previous paragraph at the National Supervisory Body for a period of up to three years. Judges, State Prosecutors and Assistant State Prosecutors may be assigned to perform such tasks pursuant to the provisions of statutes regulating the judicial service and the state prosecutor’s office.
(3) Servants and functionaries from the previous paragraph may not perform the tasks of inspection supervision.
[Repealed by the Information Commissioner Act, Official Gazette of the RS, No. 113/05]

Chapter 2
Tasks of the National Supervisory Body
Reports of the National Supervisory Body
Article 46
(1) The National Supervisory Body shall submit an Annual Report on its work to the National Assembly no later than by 31 May for the previous year, and shall publish this Report on its website.
(2) The Annual Report shall contain data on the work of the National Supervisory Body in the previous year and assessments and recommendations in the area of protection of personal data.
[Repealed by the Information Commissioner Act, Official Gazette of the RS, No. 113/05; see Article 14 of this Act in Appendix 2]
Cooperation with other bodies
Article 47
The National Supervisory Body shall in its work cooperate with state bodies, the competent bodies of the European Union for the protection of individuals in the processing of personal data, international organisations, foreign supervisory bodies for the protection of personal data, institutes, societies, nongovernmental organisations in the area of protection of personal data or privacy and other organisations and bodies regarding all issues important for the protection of personal data.
Competences regarding regulations
Article 48
(1) The National Supervisory Body shall issue prior opinions to Ministries, the National Assembly, self-governing local community bodies, other state bodies and holders of public powers regarding the compliance of the provisions of draft statutes and other regulations with the statutes and other regulations regulating personal data.
(2) The National Supervisory Body may file a request to the Constitutional Court of the Republic of Slovenia (hereinafter: the Constitutional Court) to assess the constitutionality of statutes, other regulations and general acts issued to exercise public powers if the question of constitutionality and lawfulness arises in connection with a procedure it conducts.
[Repealed by the Act on Changes and Amendments to the Constitutional Court Act, Official Gazette of the RS, No. 51/2007. This provision on direct access to the Constitutional Court was transferred into Article 23.a, paragraph 1, item 6 of the Constitutional Court Act. See Appendix 3]
Publicity concerning work
Article 49
(1) The National Supervisory Body may:
1. issue an internal journal and professional literature;
2. on the website or in another appropriate manner publish the prior opinion from the first paragraph of Article 48 of this Act, after the statute or other regulation has been adopted and published in the Official Gazette of the Republic of Slovenia, in the journal of a self-governing local community or publish it in another lawful[22] manner;
3. on the website or in another appropriate manner publish requests from the second paragraph of Article 48 of this Act, after the Constitutional Court has received them;
4. on the website or in another appropriate manner publish decisions and rulings of the Constitutional Court on requests from the second paragraph of Article 48 of this Act;
5. on its website or in another appropriate manner publish decisions and rulings of courts of general jurisdiction and the Administrative Court relating to the protection of personal data, such that it is not possible to read from them the personal data of parties, injured parties, witnesses or experts;
6. issue non-binding opinions on the compliance of codes of professional ethics, general terms of business or drafts thereof with regulations in the area of the protection of personal data;
7. issue non-binding opinions, clarifications and positions on issues in the area of protection of personal data, and publish them on the website or in another appropriate manner;
8. prepare and issue non-binding instructions and recommendations regarding protection of personal data in individual fields;
9. issue public statements on inspection supervision undertaken in individual cases;
10. hold media conferences relating to the work of the National Supervisory Body and publish transcripts of statements or recordings of statements from media conferences on the website;
11. publish other important announcements on its website.
(2) The National Supervisory Body may for the performance of competences from subparagraphs 6, 7 and 8 of the previous paragraph call for cooperation from representatives of associations and other nongovernmental organisations in the area of protection of personal data, privacy and consumers.

Chapter 3
Inspection supervision
Application of the statute governing inspection supervision
Article 50
For the performance of inspection supervision under this Act, the provisions of the statute governing inspection supervision shall apply, unless otherwise provided by this Act.
Scope of inspection supervision
Article 51
Within the framework of inspection supervision the National Supervisory Body shall:
1. supervise the lawfulness[23] of processing of personal data;
2. supervise the suitability of measures for security of personal data and the implementation of procedures and measures for security of personal data pursuant to Articles 24 and 25 of this Act;
3. supervise the implementation of the provisions of the statute regulating the filing system catalogue, the Register of Filing Systems and the recording of the supply of personal data to individual data recipients;
4. supervise the implementation of the statutory provisions regarding the transfer of personal data to third countries and on the supply thereof to foreign data recipients.
Direct performance of inspection supervision
Article 52
(1) Inspection supervision shall be performed directly by Supervisors within the limits of competence of the National Supervisory Body.
(2) Supervisor shall demonstrate his authorisation to perform the tasks of inspection supervision with an official identity card, which shall contain a photograph of the Supervisor, his personal name, professional or scientific title and other necessary data. The Minister responsible for justice shall prescribe the form and content of the official identity card in detail[24].
Competences of the Supervisor
Article 53
In performing inspection supervision, the Supervisor shall be entitled:
1. to examine documentation relating to the processing of personal data, irrespective of their confidentiality or secrecy, and the transfer of personal data to third countries and the supply to foreign data recipients;
2. to examine the contents of filing systems, irrespective of their confidentiality or secrecy, and filing system catalogues;
3. to examine documentation and acts regulating the security of personal data;
4. to examine premises in which personal data are processed, computer and other equipment, and technical documentation;
5. to verify measures and procedures to secure personal data, and the implementation thereof;
6. to exercise other competences provided by the statute regulating inspection supervision and the statute regulating the general administrative procedure;
7. to perform other matters provided by statute.




