(ZEPEP-UPB1) (Official consolidated text)

On basis of article 153 of the National Assembly of Slovenia Rules of Procedure the National Assembly of the Republic of Slovenia approved on its session on the 21. of May the Official consolidated text of the Act on electronic commerce and electronic signature comprising the:

• Act on electronic commerce and electronic signature – ZEPEP (Official Journal of RS, no. 57/2000 from 23. 6. 2000),
• Organization and Competence of Ministries Act -ZODPM-C (Official Journal of RS, no. 30/2001 from 26. 4. 2001) and
• Act Amending the Electronic Commerce and Electronic Signature Act – ZEPEP-A (Official Journal of RS, no. 25/2004 from 19. 3. 2004).

No. 043-03/00-2/3

Ljubljana, the 21. of May 2004

ZEPEP

First chapter

GENERAL PROVISIONS

Article 1

(1) This Act governs electronic commerce, which covers commerce in electronic form with the use of information and communications technology and the use of electronic signatures in legal transactions, which also includes electronic commerce in judicial, administrative and other similar procedures, unless otherwise stipulated by law.

(2) Unless otherwise agreed, the provisions of this Act, with the exception of the provisions of Articles 4 and 14, shall not apply to closed systems fully arranged by contracts among a known number of contracting parties.

Article 2

Individual terms used in this Act shall have the following meanings:

1. data in electronic form are data designed, stored, sent, received or exchangeable electronically;

2. electronic message is a series of data sent or received electronically and in particular includes electronic data exchange and electronic mail;

3. electronic signature is a series of data in electronic form that is contained in, added to or logically connected to other data and that is intended for verification of the presence of such data and identification of the signatory;

4. a secure electronic signature is an electronic signature that meets the following requirements:

- that it is linked exclusively to the signatory;

- that it is possible reliably to determine the signatory from it;

- that it is created using means of secure electronic signing under the exclusive control of the signatory;

- that it is linked to the data to which it refers such that all subsequent changes to such data or links thereto are evident;

5. time stamp is an electronically signed declaration by the certification authority confirming the contents of the data to which it refers at the time stated, while a secure time stamp is an electronically signed declaration by the certification authority that meets the conditions from the previous point of this Article;

6. the sender of an electronic message is the person who sent the electronic message or on whose behalf and in accordance with whose wishes the message was sent; the mediator of an electronic message shall not be considered as the sender of such electronic message;

7. the addressee of an electronic message is the person for whom the sender intended the electronic message;

8. the recipient of an electronic message is the person who received the electronic message; the mediator of an electronic message shall not be considered as the recipient of such electronic message;

9. the mediator of an electronic message is a person who sends, receives or stores an electronic message for another person or provides other services relating to an electronic message;

10. signatory is a person who creates an electronic signature, or on whose behalf and in accordance with whose wishes an electronic signature is created;

11. information system is software, hardware, and communications and other equipment that operates independently or in a network and that is intended for the collection, processing, distribution, use and other processing of data in electronic form;

12. data for electronic signing are unique data, such as codes or private encryption keys that a signatory uses to form an electronic signature;

13. means of electronic signing is software or hardware that a signatory uses to form an electronic signature;

14. means of secure electronic signing is means of electronic signing that meets the requirements from Article 37 of this Act;

15. electronic signature verification data are unique data, such as codes or public encryption keys, used for verification of an electronic signature;

16. means of electronic signature verification is software or hardware used to verify an electronic signature;

17. equipment for electronic signing is hardware or software, or specific components thereof, used by a certification authority for services relating to electronic signing or used for the formation or verification of electronic signatures;

18. certificate is a certificate in electronic form that links electronic signature verification data to a specific person (holder of the certificate) and that confirms his or her identity;

19. qualified certificate is a certificate from the previous point that meets the requirements from Article 28 of this Act and that is issued by a certification authority operating in accordance with the requirements from Articles 29 to 36 of this Act;

20. certification authority is a natural person or legal entity that issues certificates or provides other services relating to verification or electronic signatures;

21. Information society service is a service usually provided for remuneration remotely using electronic means at the individual request of the recipient of the service, where:

­ remotely means that the service is provided without the parties being present simultaneously;

­ using electronic means means that the service is initially sent to and received at the destination using electronic equipment for the processing (including digital compression) and storage of data, and is sent, transferred and received in full by wire, radio, optical means or other electromagnetic means;

­ at the individual request of the recipient of the service means that the service is provided by the transfer of data at an individual request.

Information society services include in particular the services of the sale of goods or services, access to data or advertising on the World Wide Web, and services providing access to communications networks, data transfer or storage of the recipient’s data on a communications network. Radio and television broadcasting services are not information society services under this Act;

22. information society service provider is a natural person or legal entity that provides services from the previous point of this Act.

Article 3

Persons may arrange their relations in the creation, sending, receipt, storage or other processing or electronic messages otherwise than as stipulated in this Act if not otherwise specified by individual provisions of this Act or the sense thereof.

Ministry of Justice of the Republic of Slovenia

2004

MINISTRY OF JUSTICE OF SLOVENIA LEGISLATION SERIES, NO. 8

Disclaimer: The English language translation of the text of the Personal Data Protection Act (of the Republic of Slovenia) below is provided just for information only and confers no rights nor imposes any obligations on anyone. Only the official publication of the Personal Data Protection Act in Slovene language, as published and promulgated in the Official Gazette of the Republic of Slovenia, is authentic. The status of the translated text of the Personal Data Protection Act is as of 17 October 2005 and the status of statutes and other information in footnotes and in Appendixes is also as of 17 October 2005. The explanatory footnotes and appendices have also been inserted just for information only, and previous text of this Disclaimer also applies to them. While the Government Translation Service prepared the original translation, Ministry of Justice of the Republic of Slovenia performed the substantially corrected translation, terminology decisions and annotations. This translation may not be published in any way, without the prior permission of the Ministry of Justice of the Republic of Slovenia, but may be used for information purposes only. Further editorial revisions of this translation are possible.

On the basis of the second indent, first paragraph of Article 107 and the first paragraph of Article 91 of the Constitution of the Republic of Slovenia, I hereby issue the

DECREE

on the promulgation of the Personal Data Protection Act (ZVOP-1)

I hereby promulgate the Personal Data Protection Act (ZVOP-1), which was adopted by the National Assembly of the Republic of Slovenia at its session of 15 July 2004.

No. 001-22-148/04

Ljubljana, 23 July 2004

Dr. Janez Drnovšek

President

of the Republic of Slovenia

PERSONAL DATA PROTECTION ACT (ZVOP-1)[1]

PART I

GENERAL PROVISIONS

Contents of the Act

Article 1

This Act determines the rights, responsibilities, principles and measures to prevent unconstitutional, unlawful[2] and unjustified encroachments on the privacy and dignity of an individual[3] (hereinafter: individual) in the processing of personal data.

Principle of lawfulness and fairness

Article 2

Personal data shall be processed lawfully[4] and fairly.

Principle of proportionality

Article 3

Personal data that are being processed must be adequate and in their extent appropriate in relation to the purposes for which they are collected and further processed.

Prohibition of discrimination

Article 4

Protection of personal data shall be guaranteed to every individual irrespective of nationality[5], race, colour, religious belief, ethnicity, sex, language, political or other belief, sexual orientation, material standing, birth, education, social position, citizenship, place or type of residence or any other personal circumstance.

Territorial application of this Act

Article 5

(1) This Act shall apply to the processing of personal data if the data controller is established, has its seat or is registered in the Republic of Slovenia, or if a subsidiary of the data controller is registered in the Republic of Slovenia.

(2) This Act shall also apply if the data controller is not established, does not have its seat or is not registered in a Member State of the European Union or is not a part of the European Economic Area and for the processing of personal data the data controller uses automated or other equipment located in the Republic of Slovenia, except where such equipment is used solely for the transfer of personal data across the territory of the Republic of Slovenia.

(3) The data controller from the previous paragraph must appoint a natural person or legal person that has its seat or is registered in the Republic of Slovenia to represent it in respect of the processing of personal data in accordance with this Act.

(4) This Act shall also apply to diplomatic-consular offices and other official representative offices of the Republic of Slovenia abroad.

Meaning of terms

Article 6

Terms used in this Act shall have the following meanings:

1. Personal data – is any data relating to an individual, irrespective of the form in which it is expressed.

2. Individual – is an identified or identifiable natural person to whom personal data relates; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, where the method of identification does not incur large costs or disproportionate effort or require a large amount of time.

3. Processing of personal data – means any operation or set of operations performed in connection with personal data that are subject to automated processing or which in manual processing are part of a filing system or which are intended for inclusion in a filing system, such as in particular collection, acquisition, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, communication, dissemination or otherwise making available, alignment or linking, blocking, anonymising, erasure or destruction; processing may be performed manually or by using automated technology (means of processing).

4. Automated processing – is the processing of personal data using information technology means.

5. Filing system – is any structured set of data containing at least one piece of personal data, which is accessible according to criteria enabling the use or combination of the data, irrespective of whether the set is centralised, decentralised or dispersed on a functional or geographical basis; a structured set of data is a set of data organised in such a manner as to identify or enable identification of an individual.

6. Data controller – is a natural person or legal person or other public or private sector person which alone or jointly with others determines the purposes and means of the processing of personal data or a person provided by statute that also determines the purposes and means of processing.

7. Data processor – is a natural person or legal person that processes personal data on behalf and for the account of the data controller.

8. Data recipient – is a natural or legal person or other private or public sector person to whom personal data are supplied or disclosed.

9. Supply of personal data – is the supply or disclosure of personal data.

10. Foreign recipient and foreign data controller – is a recipient of personal data in a third country and a data controller in a third country.

11. Third country – is a country that is not a Member State of the European Union or a part of the European Economic Area.

12. Filing system catalogue – is a description of a filing system.

13. Register of Filing Systems – is a register containing data from filing system catalogues.

14. Personal consent of an individual – is a voluntary statement of the will of an individual that his personal data may be processed for a specific purpose, and this is given on the basis of information that must be provided to such individual by the data controller pursuant to this Act; personal consent of an individual may be written, oral or some other appropriate consent of the individual.

15. Written consent of the individual – is the signed consent of the individual having the form of a document, the provision of a contract, the provision of an order, an appendix to an application or other form in accordance with statute; a signature shall also mean on the basis of a statute a form equivalent to a signature given by means of telecommunication and a form equivalent by statute to a signature given by an individual who does not know how to write or is unable to write.

16. Oral or other appropriate consent of the individual – is consent given orally or by means of telecommunication or other appropriate means or in some other appropriate manner from which it can be concluded unambiguously that the individual has given his consent.

17. Blocking – is such labelling of personal data that restricts or prevents their further processing.

18. Anonymising – is such alteration to the form of personal data such that they can no longer be linked to the individual or where such link can only be made with disproportionate efforts, expense or use of time.

19. Sensitive personal data – are data on racial, national or ethnic origin, political, religious or philosophical beliefs, trade-union membership, health status, sexual life, the entry in or removal from criminal record or records of minor offences that are kept on the basis of a statute that regulates minor offences (hereinafter: minor offence records); biometric characteristics are also sensitive personal data if their use makes it possible to identify an individual in connection with any of the aforementioned circumstances.

20. Same connecting codes – are the personal identification number and other uniform identification numbers defined by statute relating to an individual that can be used to obtain or retrieve personal data from filing systems in which the same connecting codes are also processed.

21. Biometric characteristics – are such physical, physiological and behavioural characteristics which all individuals have but which are unique and permanent for each individual specifically and which can be used to identify an individual, in particular by the use of fingerprint, recording of papillary ridges of the finger, iris scan, retinal scan, recording of facial characteristics[6], recording of an ear, DNA scan and characteristic gait.

22. Public sector – are state bodies, bodies of self-governing local communities, holders of public powers, public agencies, public funds, public institutes, universities, independent institutions of higher education and self-governing communities of nationalities.

23. Private sector – means legal or natural persons performing an activity in accordance with the statute regulating commercial companies or a commercial public service or craft, and persons of private law; public commercial institutes, public companies and commercial companies, irrespective of the share or influence held by the state, self-governing local communities or self-governing communities of nationalities, are a part of the private sector.

[1] Personal Data Protection Act is in Slovene language: Zakon o varstvu osebnih podatkov. ZVOP-1 is its official acronym in Slovene language. This Act was published in: Official Gazette of the Republic of Slovenia, No. 86/2004, as of 5 August 2004.

[2] A verbatim translation would be: “not in accordance with the statute”.

[3] In original text of this Act in Slovene language the term “individual” is used both in its male and female form (“posameznik oziroma posameznica”).

[4] A verbatim translation would be: “statutorily” – meaning by the statute/following a statute (a general act of Parliament).

[5] Citizenship.

[6] A verbatim translation of the term “obraz” (in Slovene language) would be: “face”.