SMA protects personal data according to Personal Data Protection Act (ZVOP-1) and GDPR.
Measures that ensure the protection of personal data under GDPR are also included in AA, enabling Data Subject to:
(1) identify all personal data it has transferred to another authority pursuant to this arrangement,
(2) provide general information, including on an authority’s website, about safeguards applicable to transfers to other authorities, and
(3) provide access to the personal data and confirm that the personal data are complete, accurate and, if applicable, up to date.
SMA and non-EEA Authority will allow a Data Subject who believes that his or her personal data are incomplete, inaccurate, outdated or processed in a manner that is not in accordance with applicable legal requirements or consistent with the safeguards set out in the AA, to make a request directly to such authority for any rectification, erasure, restriction of processing, or blocking of the data. SMA will decide on the request within one month of receiving the request. That time limit may, in exceptional cases, be extended by SMA to additional two months; about the extension of the deadline and the reasons for it, Data Subject will be notified within one month of receipt of the request.
SMA does not use automated means to take a legal decision concerning a Data Subject, including profiling.
Generally SMA retains personal data for 5 years, unless specific law or regulation determines different, or for as long as it is necessary for the purpose of supervising, enforcing or other procedure that SMA is conducting according to its responsibilities.
Data Subject who believes that an authority has failed to comply with the safeguards as set forth in the GDPR or AA, may submit a dispute or claim at SMA or may seek redress against SMA before a competent court in the Republic of Slovenia.
According to Article 77 GDPR every data subject also has the right to lodge a complaint with the supervisory authority in Slovenia, Informational Commissioner, if the Data Subject considers that the SMA’s processing of personal data regarding him infringes GDPR.