All questions

Data protection

i Requirements for registration

Within the Slovenian legal system, personal data protection is still regulated by the Personal Data Protection Act, passed in 2004. The ERA and the Labour and Social Security Registers Act apply to the personal data of employees along with the Personal Data Protection Act. Because it is deemed that employment relationships entail a marked inequality of power among the parties, the legislation in this area disallows the complete autonomy of parties; the collection and processing of an employee's personal data, with his or her consent, is only permissible exceptionally. An employer or employee who is specifically authorised by the employer for this purpose may only collect, process, use and provide to third parties the personal data of an employee or job applicant if this is provided by the law, and is necessary to exercise the rights and obligations arising from the employment relationship. Once the legal basis no longer exists, the employer must immediately stop using and delete the employee's personal data. Article 13 of the Labour and Social Security Registers Act stipulates the contents of the records of employees, while other data may only be collected if it is necessary in order to exercise the rights and obligations arising from or related to the employment relationship. The personal data of employees may only be accessed by persons specifically authorised by the employer, while the latter is obligated to provide adequate technical protection of collected personal data under the provisions of the Personal Data Protection Act.

The employer must inform the Information Commissioner of Slovenia about the existence of all records of personal data they are processing. Employers (administrators) with fewer than 50 employees are not obligated to provide entry in the personal data collection register, though this exception does not apply to certain activities and professions.

ii Cross-border data transfer

If an employer wishes to transfer legally obtained personal data to an EU Member State or to a country that can ensure an adequate level of protection for personal data, it does not need authorisation to do so. However, before transferring data to a third country, it must obtain a decision from a national supervisory body stating that the country in question ensures an adequate level of protection of personal data, except in cases specified in Article 70 of the Personal Data Protection Act.

iii Sensitive data

The Employment Relationship Act stipulates that, when concluding an employment contract, the employer may not demand that the applicant provides information on family or marital status, pregnancy, family planning or other information, unless it is directly related to the employment relationship.

An employer may only process sensitive data if it is necessary as part of the obligations and special rights bestowed on it by the law, which also specifies appropriate safeguards for individuals' rights. Pursuant to Article 14 of the Personal Data Protection Act, this data must be specially marked and protected by the employer to prevent unauthorised persons from accessing it.

iv Background checks

The assessment of whether the personal data on job applicants and employees is verified should be made case by case, taking into account the principle of proportionality. Depending on the employment conditions, an employer may in some cases justly require an employee to submit a certificate of no conviction, a certificate of medical suitability or similar. If an employee does not comply with this requirement, it could amount to a violation of the obligations arising from the employment relationship, which could result in a written warning or ordinary termination of the employment contract (see Section XII.i). If this and similar data is not necessary to exercise the rights and obligations arising from an employment relationship, an employer may not request it from an employee. In no case may an employer require an employee to provide information on his or her family or marital status, pregnancy, family planning or other information unless it is directly related to the employment relationship.