Data protection & privacy laws in Slovenia (2026)
Slovenia is subject to the GDPR as an EU member state, supplemented since 26 January 2023 by ZVOP-2, the national implementing act that fills GDPR opening clauses on video surveillance, biometrics, traceability logs, and administrative-penalty procedures. Slovenia was the last EU member state to adopt its GDPR-implementing legislation — nearly five years after GDPR became directly applicable in May 2018. The independent Information Commissioner (IP-RS) is the sole national supervisory authority empowered to investigate complaints, conduct inspections, and impose fines.
Key points
ZVOP-2 was published in the Official Gazette on 27 December 2022 and entered into force on 26 January 2023, replacing ZVOP-1. It supplements the GDPR with national rules on areas EU law leaves to member states, including video surveillance, biometric data, processing logs, journalistic/academic processing, and the mechanics of administrative-penalty proceedings.
The Information Commissioner (IP-RS) is an autonomous, independent state body appointed by the National Assembly on the President's recommendation. It holds powers of investigation, corrective orders, and administrative-fine imposition under both the GDPR and ZVOP-2, and reports annually to the National Assembly. Its 2026 budget is EUR 3,635,478.
ZVOP-2 treats GDPR administrative fines as misdemeanours (prekrški) under the Minor Offences Act (ZP-1), with IP-RS acting as the offence authority. Maximum fines mirror the GDPR tiers: up to EUR 10 million / 2 % of global turnover for tier-1 violations and up to EUR 20 million / 4 % for tier-2 violations. The highest recorded fine to date (issued December 2025) was EUR 71,474 against an employer for covert employee-monitoring software.
ZVOP-2 goes beyond GDPR Article 9 by requiring private-sector controllers to obtain prior approval from the Information Commissioner before processing biometric personal data, and explicitly prohibits the collection of biometric data for marketing purposes.
Public-area video surveillance is permitted only where there is a serious and justified danger to life, personal liberty, bodily integrity, or property security. Retention of recordings is limited to six months for public areas and one year for other forms. Automatic Number Plate Recognition (ANPR) in public spaces is prohibited.
ZVOP-2 introduces an obligation for certain data controllers and processors to maintain traceability logs of personal-data processing operations, going beyond the GDPR's Article 30 records-of-processing requirement — a novel national safeguard aimed at enabling effective ex-post supervisory audits.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.