|Abstract:||The great progress of information technology brings about different traps in the area of privacy to which it is necessary to pay attention and respond appropriately. For this reason, in 2016 the general regulation on the protection of personal data, which has taken effect 25.05.2018, has been adopted and published by the European Union. People spend a lot of time at work, so data protection at work is important. For each processing of personal data, the employer must have a legal basis. The new regulation 2016/679 sets out six legal bases, from which the consent is the most widespread. However, due to the specificity of the employment relationship, the employer can rarely refer to the consent therefore this is only exceptionally appropriate. Employers must have a different legal basis, and they are always obliged to comply with the principle of proportionality and process only the information strictly necessary. Regulation 2016/679 contains preventive measures to help reduce the risks of personal data protection breach. One of the measures is a data protection impact assessment, where employers are required to recognize and assess risks in advance. Employers should not, in practice, see this as an additional burden because this is determined in their favor to avoid breaches and penalties. The great novelty is also the appointment of an authorized data protection officer. Their function is to help, advise, supervise and care for the company to operate in accordance with laws and regulations in the field of personal data protection. As we have found the authorized person is not personally responsible for the company to operate in accordance with the data protection provisions, but the burden of proof is on the employer. The employer must provide the officer with adequate resources (time, money, premises) to carry out the tasks smoothly.
Regulation 2016/679 is not a typical regulation because it leaves the Member States with a wide space to be filled with their own solutions in the field of personal data protection. For this reason, the countries had two years of time to adapt their legislation to the European framework, but Slovenia has not yet done so. The characteristic of the regulations is that they should be applied directly, meaning that the provisions of regulation 2016/679 are also applied to us, so companies are obliged to take account of them. In cases where the provisions of regulation 2016/679 are contrary to ZVOP-1, this means that in these cases ZVOP-1 may not be used, but the regulation should apply. In cases where provisions are not contrary to regulation 2016/679, the ZVOP-1 shall continue to apply until its repeal and the adoption of ZVOP-2. This creates legal uncertainty, as it is necessary in an individual case to compare the two legal acts in a concrete way and to apply regulation 2016/679 in the event of a conflict. This is particularly difficult in cases where the opposites are not quite clear and in cases where the individual provisions of regulation 2016/679 are written in general. Two draft law on personal data Protection (ZVOP-2) have been addressed to this date. Many errors and inconsistencies have been observed in the drafts, and certain areas are merely overwritten by regulation 2016/679. The first country to update its national legislation was Germany. It has done so within the prescribed time limit but has not been edited in a comprehensive manner due to lack of time for certain areas. We hope that Slovenia will adapt its legislation as soon as possible and that the new ZVOP-2 will comprehensively regulate this area, as is expected for the field of personal data protection.|