Information Commissioner, Republic of Slovenia
   

Competencies of the Information Commissioner under the Personal Data Protection Act and GDPR


The competencies of the Information Commissioner under the Personal Data Protection Act are:

1. carrying out controls on the implementation of the provisions of the ZVOP-2, the General Regulation and other legislation on the protection of personal data;

2. deciding on appeals and on applications from applicants with special status and carrying out inspections under the ZVOP-2;

3. ordering the supervisory measures referred to in Article 29 of the ZVOP-2, namely: rectification of irregularities or deficiencies, restrictions on processing (such as anonymisation, blocking and archiving), prohibition of transfer to a third country or transfer to foreign users, erasure or destruction of personal data, or other measures which constitute a prohibition on the processing of personal data;

4. ordering other supervisory measures in accordance with the law governing the general administrative procedure and the Act on the Protection of Personal Data in the Area of Treatment of Criminal Offences (ZVOPOKD) and taking preventive measures and issuing warnings in accordance with the law governing inspection;

5. the Information Commissioner may bring criminal charges or carry out proceedings in accordance with the law governing offences if, in the course of an inspection, it finds that there is a suspicion that a crime or offence has been committed;

6. cooperating with controllers and processors in carrying out controls in accordance with ZVOP-2;

7. issuing and publishing preliminary opinions to ministries, the National Assembly, self-governing local authorities, other state bodies and holders of public powers on the compliance of provisions of draft regulations with laws and other regulations governing personal data;

8. carrying out prior consultation in accordance with the General Regulation and ZVOP-2;

9. conducting proceedings for offences relating to the protection of personal data (fast-track procedure);

10. conducting administrative proceedings for the issuance of decisions on whether the intended implementation of biometric measures in the private sector complies with the provisions of the ZVOP-2;

11. promoting public awareness and understanding of the risks, rules, safeguards and rights in relation to processing and providing free education and training to that end;

12. promoting awareness among controllers and processors of their obligations under the ZVOP-2;

13. cooperating with supervisory authorities of other countries or international organisations;

14. participating in the Working Parties on the protection of personal data set up within the EU, which bring together the independent data protection institutions of the Member States (in the functioning of the European Data Protection Board and in the supervisory bodies dealing with the supervision of the processing of personal data in the Schengen Information System, in the Customs Information System, in the Visa Information System, in the framework of Europol and in the Eurodac system);

15. cooperating with the supervisory authorities of other Member States of the European Union in carrying out cross-border supervisory procedures, in sanctioning procedures and in other matters of cross-border processing of personal data in accordance with Chapter VII of the General Regulation;

16. acting as lead supervisory authority in carrying out cross-border supervisory procedures in accordance with the General Regulation;

17. informing the competent court of the breaches of the law and providing the court with an opinion on the breaches found in the judicial proceedings;

18. performing the other tasks referred to in Article 57 of the General Regulation and exercising the powers referred to in Article 58 of the General Regulation;

19. issuing opinions on the compliance of the general terms and conditions or proposals thereof with the rules on the protection of personal data;

20. issuing and publishing non-binding opinions, explanations and positions to the competent authorities and individuals on personal data protection issues in a specific area;

21. drawing up and issuing non-binding guidelines and recommendations on the protection of personal data in a specific area;

22. publishing an internal newsletter and professional literature and publishing on its website and by other appropriate means (for example: decisions or opinions of the Information Commissioner, pseudonymised decisions and rulings of courts relating to the protection of personal data, pseudonymised major decisions in supervisory and appeal proceedings of the Information Commissioner);

23. making public statements on the controls carried out and preparing annual reports on the implementation of the ZVOP-2;

24. facilitating the process of lodging complaints and requests from individuals by preparing forms that can also be submitted electronically (e.g. regarding the enforcement of individuals' rights or inspection applications);

25. deciding on a complaint from an individual where the controller of personal data does not comply with the individual's request concerning the individual's right to be informed of the requested data, to extracts, lists, access, certificates, information, explanations, copies or reproductions under the provisions of the law regulating the protection of personal data (the competence is laid down in the Information Commissioner Act).

The competencies of the Information Commissioner as supervisory authority under the General Data Protection Regulation (Art. 57 of the GDPR) are:

(a) monitor and enforce the application of this Regulation;

(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;

(c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;

(d) promote the awareness of controllers and processors of their obligations under this Regulation;

(e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;

(f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;

(h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;

(i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

(j) adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);

(l) give advice on the processing operations referred to in Article 36(2);

(m) encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);

(n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);

(o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);

(p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(r) authorise contractual clauses and provisions referred to in Article 46(3);

(s) approve binding corporate rules pursuant to Article 47;

(t) contribute to the activities of the Board;

(u) keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and

(v) fulfil any other tasks related to the protection of personal data.

According to Article 55(3) the Information Commissioner shall not be competent to supervise processing operations of courts acting in their judicial capacity.