Various companies gather large quantities of personal data in connection with their business and analyze it for business purposes. The question arises: what happens to this personal data, and what does the company do to adequately protect it and prevent unauthorized people from accessing it? Usually the company itself protects the personal data it processes, but increasingly often the company outsources the protection of personal data to another company that is registered for such activities and meets the requirements set out in the Personal Data Protection Act. In the Republic of Slovenia the legal framework for the protection of personal data is the Personal Data Protection Act, which entered into force in 1999 in its basic version (ZVOP) and was later substantially amended in 2007. Historically, the need for the protection of privacy has arisen because of various insults, attacks, eavesdropping and the like. The reason that this right was stipulated and enforced in legal systems so late is that the majority of modern violations of privacy, such as wiretapping, eavesdropping with microphones and electronic amplifiers, data collection, sharing and storing information with video cameras, computers etc., only became possible with the rise of new technologies. Before these were invented, an individual had reason to believe that nobody could eavesdrop on him in a private space.
The provisions of the Personal Data Protection Act (ZVOP-1) establish rights, obligations, principles and measures that prevent unconstitutional, illegal and unjustified intrusions into the privacy and dignity of individuals in the processing of personal data in modern times. Point 1 of Article 6 ZVOP-1 defines personal data as any data concerning an individual, regardless of the form in which it is expressed. An individual is defined as an identified or identifiable person to whom the data refers; a natural person is identifiable if he or she can be directly or indirectly identified (point 2 of the same Article). In point 3 of the same Article, the processing of personal data is defined as any act or series of acts performed in relation to personal data that is automatically processed (by means of information technology – point 4 of the same Article), or that is part of a collection of personal data in manual processing, or that is intended to be included in a collection of personal data, in particular the gathering, acquisition, recording, systematizing, storage, editing or changing, retrieving, access, use, disclosure by transfer, reporting, dissemination or other distribution, classification or linking, blocking, anonymisation, erasing or destroying; the processing can be manual or automated (means of processing). The personal data controller is a natural or legal person or other person of the public or private sector who, alone or in collaboration with others, determines the purpose and means of processing of personal data, or a person, defined by law, who also defines the purpose and means of processing (point 6 of the same Article). A user of personal data is a natural or legal person, or other person of the public or private sector, to whom the personal data is transmitted or disclosed (point 8 of the same Article).
Personal data may be processed only if the processing and the personal data being processed are stipulated by law, or if the individual has given personal consent for the processing of certain personal data (Paragraph 1 of Article 8 ZVOP-1). The same also applies to the processing of personal data in the private sector (Paragraph 1 of Article 10 ZVOP-1).