CoE Framework Convention signatory
This content is for informational and educational purposes only and does not constitute legal advice.
On 21 August 2025, the Government of the Republic of Slovenia adopted the Draft Act on the Implementation of Regulation (EU) 2024/1689 of the European Parliament laying down harmonised rules on artificial intelligence (AI). The Act applies to providers, deployers and other operators of high-risk AI systems. The Act designates ministries and agencies as notifying authorities, and tasks the Agency for Communications Networks and Services with maintaining a public register of high-risk AI systems. The Act introduces fines ranging from EUR 25,000 to EUR 450,000, with severe breaches reaching up to EUR 7,500,000. It will enter into force 15 days after publication in the Official Gazette of Slovenia.
On 24 July 2025, the Slovenian Information Commissioner adopted an opinion clarifying that children under 15 cannot validly consent to the processing of personal data for online prize draws without parental approval. However, it was highlighted that children aged 15 and above may consent independently if the activity does not significantly impact their lives. The opinion applies to organisers of direct marketing and promotional prize games involving children’s data and highlights that consent under the General Data Protection Act and Slovenia’s Personal Data Protection Act must be informed, freely given, and clearly communicated in child-friendly language.
On 23 July 2025, the Information Commissioner of Slovenia issued an opinion on access to personal data by proxy. It was highlighted that individuals may exercise this right directly, through a legal representative, or through an authorised representative. It was also specified that the General Data Protection Regulation (GDPR) and the Slovenian Personal Data Protection Act (ZVOP-2) do not regulate proxy requests in detail, so the General Administrative Procedure Act (ZUP) applies. Under the General Administrative Procedure Act, authorisations may be written or oral, and controllers must verify their validity. If authenticity is doubtful, a certified authorisation may be required. It was also highlighted that the responsibility lies with controllers, while the Information Commissioner may only act in supervisory proceedings.
On 23 July 2025, the Slovenian Information Commissioner issued an opinion on the records of processing activities under the General Data Protection Regulation and Slovenia's Personal Data Protection Act. It was highlighted that companies and organisations with fewer than 250 employees are generally exempt. It was, however, emphasised that such companies must still keep records if the processing poses risks to individuals’ rights and freedoms, is not occasional, or involves special categories of personal data or data on criminal convictions and offences. Records must be written or electronic and include the elements in Article 30 of the General Data Protection Regulation. The opinion also highlighted that the duty to assess compliance lies with the controller or processor.
On 22 July 2025, the Information Commissioner (IP) adopted an opinion on the obligations of personal physicians to inform patients about how personal data is recorded in health documentation and whether such patient inquiries must be stored. The opinion clarifies that patients have the right to access and obtain copies of their medical records, including electronic versions, but doctors are not required to explain in advance how data is entered or organised. Patient requests related to their data, including those made through the IRIS system, do not form part of the core medical records and do not need to be stored within the patient file; instead, healthcare providers as data controllers must decide how to manage and store such requests while ensuring traceability.
On 22 July 2025, the Slovenian Information Commissioner adopted an opinion on the transmission of personal data within the Internal Market Information System (IMI) to competent authorities in EU Member States. It was highlighted that any such transfer must be based on an appropriate legal basis provided in EU legislation, including the IMI Regulation, or in national law, and carried out in accordance with sector-specific procedural rules. The opinion reiterated that IMI participants may process personal data only for the purposes set out in the Union acts listed in the Regulation’s Annex, must ensure confidentiality, and must respect the original purpose for which the data was provided. The Commissioner emphasised that it cannot determine the legality of a transfer in a specific case, as this responsibility rests solely with the personal data controller.
Last updated: 21/08/2025