As of May 25, 2018, the relevant provisions of the ZVOP-1 ceased to apply.
The Information Commissioner issued guidelines on data processing on behalf of a controller, which are available here (in Slovenian). The guidelines summarise the legal requirements of the GDPR regarding the processing on behalf of a controller and provide answers on some of the most common practical questions.