Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
Slovenia Republika Slovenija

Slovenia — analytics & cookie compliance reference

What you can run on a Slovenian-targeted website without a fine — GA4, cookies, vendor stack, and the rules behind them. Single national DPA (IP) · pragmatic but Schrems II-aware · Slovenian-language privacy notices required.

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Slovenia. Sectoral rules (healthcare, banking, employment) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National add-ons

Country-specific statutes layered on the EU baseline.

ZVOP-2
Zakon o varstvu osebnih podatkov
National implementation of GDPR opening clauses + special-category data + employee data + DPO-related provisions + biometric and video-surveillance regimes + child-consent age (lowered to 15). Replaces ZVOP-1 (2004) which had remained in force in parallel with GDPR for nearly five years.
  • Art 6 Child consent age — lowered to 15 (below GDPR default of 16)
  • Art 22 Special-category data — Slovenia-specific permissions for employment, social security, public health
  • Art 47 Mandatory DPO designation — public bodies + large-scale processing per GDPR Art 37
  • Art 76–79 Video-surveillance regime — signage, retention caps, employee notification
  • Art 90+ Biometric processing — additional procedural safeguards over GDPR baseline
Uradni list RS, št. 163/22 — entered into force 26 January 2023. Slovenia was the last EU member state to formally implement GDPR via national legislation.
ZEKom-2 § 225  Stricter
Zakon o elektronskih komunikacijah
Cookies + terminal-equipment access + electronic communications privacy. Section 225 transposes ePrivacy Art 5(3) — opt-in consent required for any non-strictly-necessary storage or access on user devices.
  • § 225(1) Storage / read access on terminal equipment requires prior, informed consent
  • § 225(2) Strictly-necessary exception — narrowly construed; analytics/marketing do not qualify
  • § 226 Direct marketing — opt-in for unsolicited electronic communications
Uradni list RS, št. 130/22 — Electronic Communications Act, in force 10 November 2022.
ZVPot-1
Zakon o varstvu potrošnikov
Consumer protection — distance contracts, unfair commercial practices, transparency for online traders. Direct marketing opt-in baseline reinforces ZEKom-2 § 226. Double-opt-in is the de facto standard for email/SMS marketing in IP guidance.
  • Art 50 Distance contracts — pre-contractual information duties
  • Art 95 Unfair commercial practices — dark patterns in consent UI flagged
Uradni list RS, št. 130/22 — Consumer Protection Act, in force 26 January 2023.

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
IP · Informacijski pooblaščenec (Information Commissioner)
Single national supervisory authority for data protection + access to public information. No state/regional sub-DPAs.

Coordination body

EDPB participation · European Data Protection Board
Slovenia represented at EDPB by IP. No domestic federal-state coordination body needed (single-DPA jurisdiction).
  • 2023-01-26 · ZVOP-2 entry into force — IP welcomed ZVOP-2 after a five-year gap during which GDPR applied directly without national implementing legislation. IP issued transitional guidance on DPO appointments, video surveillance, and biometric processing.
  • 2024-09 · Cookie banners — IP guidance reaffirms ZEKom-2 § 225 opt-in requirement; reject button must be at least as prominent as accept; pre-ticked boxes invalid (aligned with EDPB Cookie Banner Taskforce report).
  • 2023-07-10 · EU-US Data Privacy Framework — IP accepted DPF adequacy for DPF-certified US importers; controllers still expected to document the assessment in their records of processing.

Notable enforcement

IP enforcement style is moderate and educational rather than headline-driven — Slovenia rarely appears in EU GDPR fine league tables. Most IP actions are warnings, compliance orders, and modest fines aimed at remediation. Notable targets in 2023–2025 include the public broadcaster RTV Slovenija, Pošta Slovenije, and several municipal authorities. The small market size and IP's resource constraints mean that systemic non-compliance (especially cookie banners and Slovenian-language notices) is the typical enforcement focus rather than spectacular single-company fines.

GA4 status

GA4 is usable in Slovenia only with prior, informed, opt-in consent under ZEKom-2 § 225. After EU-US DPF (Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. IP's posture is pragmatic — no Slovenia-specific GA4 ban — but consent and Slovenian-language notices are mandatory.

DPA · Stance
IP · Pragmatic post-DPF — transfers lawful with DPF certification + ZEKom-2 § 225 opt-in consent. No Slovenia-specific GA4 ban; controllers expected to document TIA defensively for non-DPF recipients.

Cross-border transfers + Schrems II

Slovenia's IP took a pragmatic posture on Schrems II — no public DPA decision banning specific tools (unlike CNIL or Datatilsynet). Post-DPF (10 Jul 2023) IP accepts adequacy for DPF-certified US importers. Controllers are still expected to document their TIA and supplementary measures in records of processing as a defensive measure, especially for non-DPF US recipients.

EU 2021/914 SCCs remain the fallback when DPF certification is absent or revoked. IP scrutinizes Module 2 (controller-processor) onward-transfer clauses but has not published Slovenia-specific addenda.

Employee data

Key thresholds

  • Child consent age: 15 years
  • Article 27 representative: Required
  • Marketing consent: Double opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 4 · 0 green · 3 yellow · 1 red
Vendor · Status · Rationale
 YELLOW Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
 YELLOW EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
 YELLOW EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
 RED Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
 GREEN Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
 GREEN Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
 GREEN Open-source, self-hosted. No managed updates — site owner maintains vendor list.
 GREEN GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
 GREEN German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
 RED Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
 RED PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
 GREEN EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
 GREEN EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
 YELLOW "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.

Common questions

Is Google Analytics legal in Slovenia in 2026?
Yes, conditionally. GA4 is usable in Slovenia only with prior, informed, opt-in consent under ZEKom-2 § 225. After EU-US DPF (10 Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. IP's posture is pragmatic — no Slovenia-specific GA4 ban — but without consent IP treats default GA4 deployments as non-compliant.
What is ZVOP-2 and when did it enter into force?
ZVOP-2 (Zakon o varstvu osebnih podatkov) is Slovenia's national implementation of GDPR. It was published in Uradni list RS, št. 163/22 on 15 December 2022 and entered into force on 26 January 2023 — making Slovenia the last EU member state to formally implement GDPR. For nearly five years (May 2018 – January 2023) Slovenia operated under GDPR plus the legacy ZVOP-1 (2004), creating ambiguity that ZVOP-2 finally resolved.
What is the child consent age in Slovenia?
15 years. ZVOP-2 Art 6 lowered the digital-services consent age from the GDPR default of 16 to 15. Information-society services targeting Slovenian children must therefore obtain parental authorization for users under 15, not under 16. This is a national derogation explicitly permitted by GDPR Art 8(1).
Do I need a Slovenian DPO?
Slovenia did not adopt a BDSG-style numerical employee threshold. DPO designation follows GDPR Art 37 directly — mandatory for public bodies, controllers/processors whose core activities require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special-category data. ZVOP-2 Art 47 reinforces this without lowering the threshold. Most Slovenian SMBs running standard analytics do not require a DPO.
Which DPA is competent for my company?
Slovenia has a single national supervisory authority — the Informacijski pooblaščenec (IP) — with no regional sub-DPAs. All controllers established in Slovenia, or non-EU controllers offering goods/services to people in Slovenia, fall under IP supervision. Cross-border processors with multiple EU establishments use the GDPR One-Stop-Shop lead-DPA mechanism.
What's the difference between ZVOP-2 and GDPR?
GDPR is the EU regulation; ZVOP-2 is Slovenia's national implementation that fills GDPR opening clauses. Key ZVOP-2-only rules: Art 6 (child consent age 15), Art 22 (special-category permissions), Art 47 (DPO), Art 76–79 (video surveillance), and additional procedural safeguards for biometric processing (Art 90+). ZVOP-2 also clarifies Slovenian-specific procedural rules on inspections and remedies.
Is 'legitimate interest' a valid basis for analytics in Slovenia?
No, for non-essential analytics that store or read on terminal equipment. ZEKom-2 § 225 is independent of GDPR Art 6 — it requires opt-in consent for any non-strictly-necessary cookie or device-storage technology, regardless of GDPR lawful basis. § 225 governs the cookie/tracking layer; GDPR (and ZVOP-2) governs subsequent processing of the data collected.
Do I need a Slovenian Article 27 representative?
Yes if you are a non-EU controller offering goods/services to or monitoring behavior of people in Slovenia (or any EEA state), unless the small-business exception in Art 27(2) applies. IP has not been as aggressive as some Nordic or Berlin DPAs on non-designation enforcement, but the legal requirement is unchanged.
What language must my privacy notice be in?
Slovenian. Privacy notices and cookie-banner UI for Slovenian-targeted sites must be in Slovenian language — English-only is insufficient where the site clearly targets Slovenia (.si domain, Slovenian-language content, EUR pricing for the SI market, Slovenian-language marketing). IP guidance and ZVPot-1 transparency duties both reinforce this. Multilingual sites should provide Slovenian as one of the language options.
Does Schrems II still affect transfers post-DPF?
Yes for non-DPF transfers. The DPF restored adequacy for DPF-certified US importers (renewed by EU General Court Sep 2025, T-553/23). For non-DPF US recipients, Schrems II logic still applies — Transfer Impact Assessment + supplementary measures required. IP has not banned specific tools post-Schrems II but expects controllers to document the TIA in their records of processing as a defensive measure.

// EDITORIAL · NOT LEGAL ADVICE

This page summarises Slovenia's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.