Penal provisions of the ZVOP-1 remain applicable only insofar as they relate to the provisions of the ZVOP-1 that have not been superseded by the GDPR. They are especially relevant with regard to specific processing situations which continue to be extensively regulated by the ZVOP-1. Fines under the ZVOP-1 amount up to EUR 12,510.
While the Slovenian Information Commissioner has the authority to impose fines according to the ZVOP-1, it does not have the authority to impose administrative fines and other sanctions for breaches of the GDPR. This is due to a very narrowly construed legal basis in the Information Commissioner Act. Therefore, at the time of writing, even for violations of the core GDPR provisions, such as Art. 6 and 15-20 GDPR, only warnings and no fines can be imposed by the Information Commissioner. However, such conduct is still considered a violation of the law, and legal proceedings may be initiated after the law is amended, provided that the statute of limitations has not yet been reached.
