Useful insights from the Slovenian Supervisory Authority
Data protection in Slovenia has been in the news recently. Despite it being three years since the GDPR came into force in 2018, Slovenia remains the only EU country that has still not passed national implementing legislation. Italy has the ‘Data Protection Code’, Austria has the ‘Datenschutzgesetz’ and even Liechtenstein has its so called ‘Privacy Regulation’. Yet, the Slovenian government’s ‘Data Protection Act’ remains stuck in the legislative pipeline. The main reason for the delay is the fact that the Slovenian legal system does not accommodate the levying of administrative fines for noncompliance. Therefore, there is no competent body to impose the financial penalties that are clearly detailed within the GDPR, which can be as large as 4% of annual turnover or €20m.
However, it is important to remember that regulations like the GDPR have binding legal force in every Member State of the EU; this is one of the key differentiators when compared to directives. So, whilst there is no current enforcement practice in relation to the GDPR in Slovenia, the Slovenian Supervisory Authority (responsible for overseeing the application of data protection law in the country) has been very active in providing insight and commentary on cases affecting Slovenian businesses and organisations processing personal data. This blog post seeks to summarise a few of the opinions offered by the Slovenian Supervisory Authority over the past few years; whilst it is unlikely that they are binding in your particular jurisdiction, they provide an interesting perspective and some useful guidance nonetheless.
- The definition of personal data
In two separate opinions, the Slovenian Supervisory Authority confirmed that vehicle license plates and handwritten signatures are personal data. In the first case, a data controller had installed a system that permitted access to a garage by identifying specific license plates on a whitelist. Since the license plates can be linked with other personal data (such as addresses), the information can relate to and identify an individual and therefore should be considered as falling within the scope of the GDPR. In the second case, the Slovenian Supervisory Authority confirmed that if an individual is identified or identifiable by their signature, it is their personal data.
- Making sure consent is valid
In various cases, the Slovenian Supervisory Authority emphasises the importance of obtaining valid consent. This means that consent for processing someone’s personal data must be freely given, unambiguous, specific and informed. Guidance issued during the COVID-19 pandemic for example, stressed that schools should only create lists containing the names of students who refused to wear a facemask if the consent to data processing was collected voluntarily. In the context of an employer and an employee, it was found that mandating employees to disclose their personal data in the form of a video greeting card that would be sent to third parties violated the ‘freely given’ condition for valid consent, particularly due to the inherent imbalance of power between the data controller (the employer) and the data subject (the employee).
The consent that is given can be in electronic or handwritten form, as was confirmed in a case involving students accessing classrooms online. In addition, depending on the type of personal data, consent may be the preferred option rather than an alternative lawful basis for processing, as was demonstrated in a case involving a stranger taking a photograph of an employee in an office space.
- Always thinking about data minimisation
A consistent feature of the opinions provided by the Slovenian Supervisory Authority is the need to think about the principle of data minimisation. In other words, controllers should consider proportionality (i.e. the quantity of personal data processed and whether less privacy-intrusive means can be pursued) and necessity (i.e. identifying whether any personal data can be anonymised during the processing). These points were reiterated in several cases. In one example, a teacher of dance classes asked their students to record their performances and submit them to an online classroom. The Slovenian Supervisory Authority emphasised that the processing of personal data in this situation should be relevant and limited to what is necessary for the purposes for which they are being processed. Similar advice was issued in the case of an employer deciding to monitor employees working from home. It was stated that the employer should only collect personal data that is proportionate and necessary for the purpose of monitoring the employee’s performance when working remotely. To this end, any automated and systematic collection of the employee’s personal data would not meet these criteria (e.g. taking periodic screenshots of the employee’s computer screen to examine what they are doing). Likewise, a case involving employees being asked to provide their health records in order to confirm whether they belong to an ‘at risk’ group was deemed disproportionate, as the employer would only be entitled to obtain and process general health information for employment purposes rather than the full health record.
- The role of the Data Protection Officer
Lastly, it was found that the CEO of an organisation cannot fulfil the role of the DPO as they would be determining the purposes and means of the processing of personal data and this would undermine the DPO’s independence and impartiality. Other senior management positions were also considered as causing a conflict of interest such as Managing Director, Chief Operating Officer, Finance Director, Head of Marketing, Head of Human Resources and Head of Information Technology.
If you require advice and support on how to comply with the principles for processing personal data under the GDPR, please contact our Data Protection Team at Xcina Consulting. We provide our clients with support and advice to ensure they achieve a robust and defensible position. For more information contact us at firstname.lastname@example.org.