IP (Slovenia) - 0612-91/2025/40
Slovenian DPA orders controller to identify data breach impact on subjects and respond to access requests.
Summary
The Slovenian DPA has ordered a controller, likely a public institution, to take measures to identify which data subjects were affected by a data breach. The controller must also properly respond to access requests, explicitly informing individuals if their personal data was compromised. The DPA found violations of GDPR Articles 13, 15, 17, 32, and 34, citing a failure to implement an appropriate access policy and provide specific, unambiguous responses to data subjects.
Full text
IP - 0612-91/2025/40
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 13 GDPR, Article 15 GDPR, Article 17 GDPR, Article 32 GDPR, Article 34 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 04.03.2026
Fine: n/a
Parties: n/a
National Case Number/Name: 0612-91/2025/40
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): SL
Original Source: data subject
Initial Contributor: dt
Latest revision: 09:29, 24 June 2026

The DPA ordered a controller to take measures to identify which data subjects were affected by a data breach and to properly respond to their access requests by explicitly informing them whether they were affected by the data breach.

English Summary
Facts
A controller, not named in the original decision but presumed to be a public institution, notified the Slovenian DPA after experiencing a data breach affecting its website. The DPA carried out an inspection at the controller's premises.
In parallel, the controller published a press release on its website and shared it with the media in order to inform data subjects of the data breach. Subsequently, the controller received several access requests under Article 15 GDPR from individuals asking, among other things, whether the data breach had affected their personal data. To these requests the controller generally replied that the matter was under investigation and that the breach affected a unified registry of entities containing data subjects listed in various databases within the scope of the Slovenian Ministry of Agriculture.

Holding
The DPA found that the controller had failed to implement an appropriate access policy, in violation of Article 32 GDPR. The DPA further held that the controller had failed to respond appropriately to the data subjects' access requests under Article 15 GDPR concerning whether their personal data had been affected by the breach, since the controller's response was not specific, explicit and unambiguous. In addition, the DPA considered that the controller's response breached Article 34 GDPR (communication of a personal data breach to the data subject) and Article 13 GDPR (information to be provided where personal data are collected from the data subject). The DPA therefore held that the controller must implement an appropriate access policy, as well as additional measures in relation to the data subjects who had submitted access requests, in order to determine whether the breach affected them, and must document these measures in accordance with Article 32 GDPR. Finally, the DPA ordered the controller to respond to erasure requests in accordance with Article 17 GDPR.

Comment
This is a partial decision in which the DPA ruled only on certain parts of the case.
The DPA first ordered the controller to take measures to identify the data subjects and then to implement technical and organisational measures to establish whether the data subjects' data were affected by the data breach. If, after implementing these measures, the controller still does not meet the requirements of Article 34 GDPR and Article 15 GDPR, the DPA will issue a supplementary decision ordering the controller to take measures to comply with Article 15 GDPR and Article 34 GDPR.

English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the original for more details.

Number: 0612-91/2025/40
Date: 4. 3. 2026

The Information Commissioner (hereinafter: the IP), acting through the State Supervisor for Personal Data Protection, on the basis of Articles 2 and 8 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05 and 51/07 - ZUstS-A, hereinafter: ZInfP), Articles 29, 36 and 55 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 163/22 and 40/25 - ZInfV-1, hereinafter: ZVOP-2), the fifth paragraph of Article 29 and the first paragraph of Article 32 of the Inspection Act (Official Gazette of the Republic of Slovenia, No. 43/07 - UPB1 and 40/14, hereinafter: ZIN) and the second paragraph of Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: the General Regulation), in the matter of the inspection of the implementation of the provisions of the General Regulation and ZVOP-2 at the obliged entity: … (hereinafter: the obliged entity), issues ex officio the following

PARTIAL DECISION

I. The obliged entity must, in relation to the implementation of the provisions of the General Regulation, establish and adopt a written internal act on the regular review of all access rights to the obliged entity's information systems, which must include:
a) a clearly defined procedure for the regular review of the access rights of all individual users, which must specify at least the person responsible for carrying out the reviews, the minimum frequency of reviews, the method of verifying that the granted rights are justified by the user's work tasks (or by the purpose for which the access rights were granted), the method of documenting the review carried out, and the procedure for remedying identified non-compliances; and
b) a clearly defined procedure for the regular review of the access rights of all application users, which must specify at least the person responsible for carrying out the reviews, the minimum frequency of reviews, the method of verifying that the granted rights are justified by the purpose for which the application user was created, the method of documenting the review carried out, and the procedure for remedying identified non-compliances.

II. With regard to the requests of the individuals: …, and in relation to the implementation of the provisions of Articles 15 and 34 of the General Regulation and Article 13 of the ZVOP-2, the liable party must implement additional technical and organisational measures in order to establish whether the personal data of the individuals: …, …, …, …, …, …, …, …, …, …, …, …, …, …, …, …, …, …, …, …, …, …, …, …, …, …, …, …, …, …, who have addressed an explicit request to it for confirmation of whether their personal data were affected in a security breach and in respect of whom there is no justified doubt as to their identity, were actually affected in the security breach, and must also properly document these measures in accordance with the fifth paragraph of Article 33 of the General Regulation. In doing so, the liable party must implement at least the following measures:
a) examine all log records or other technical/application/database records at the disposal of the liable party in connection with