PROTECTION OF PERSONAL INFORMATION
Full name of the company: Premiki zavod za svetovanje, promocijo in razvoj dostopnega turizma Ljubljana
Address of the company’s headquarters: Vojkova cesta 58, 1000 Ljubljana
General Manager / Director / Official Representative: David Ivanetič
Premiki pays special attention to the security of personal information. All personal information provided by our customers is used only for the purposes intended. Your personal information is handled with utmost care, according to the relevant legislation and the highest standards of processing. Your personal information is secured by appropriate organisational measures, work procedures, advanced technological procedures and if necessary, external accredited expertise. In order to achieve the highest possible level of protection of information gathered, we also use reasonable physical, electronic and administrative measures to prevent an unintentional or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access to personal data which have been transferred, stored or otherwise processed.
- information of the controller and the contact information,
- the purposes, legal bases and means of personal data processing with respect to the types of data,
- time limitations for storing personal data with respect to the types of data,
- the rights of natural persons regarding the processing of their personal data (also referred to as data subject)
- the right to file a complaint concerning the processing of the personal data,
2. Personal data gathered by the company
If you are a browser of the website, the data is gathered solely by using cookies. If you are a user or a subscriber of the services provided by the company, your personal data is gathered to the extent which enables the company to perform the services which have been required. These data are the following: first name, family name, address, telephone number, e-mail.
3. The Controller
4. Natural persons whose personal data are processed
5. Purposes of data processing and the legal bases for data processing
5.1 Data processing based on contract
In the process of performing the contractual obligations, the company processes your personal information to: identify the natural person, prepare the offer, prepare the contract for the services requested, notify the costumer of changes, details or instructions, also, to solve any technical difficulties, customer’s complaints, to charge for the services and to perform business activities to establish a contractual relationship with the customer.
We also use your personal information, including address, when an invoice, based on tax regulation, is issued.
5.2 Lawfulness of data processing
Based on a legitimate interest, we can use your personal data to detect and prevent fraudulent uses and misuses of services, furthermore, to apply data security measures to ensure a steady and secure functioning of our systems to meet quality requirements and detect failures of technical systems and services.
Based on a legitimate interest, we can also use your personal information to collect overdue payments (your outstanding obligations to us) and recoveries with or without invoking court proceedings.
According to General Data Protection Regulation the company, also acting as a controller, can process personal data to a reasonable and proportional extent for the purpose of identifying and preventing possible fraud or abuse. In case of suspected misuse, the company may, if appropriate, forward the information to other providers of such services, business partners, the police, the public prosecutor’s office and the relevant authorities. To prevent abuses or frauds in the future, especially when related to certain natural persons, also acting as data subjects, all their data, for example an IP address, are retained up to five years after the termination of the business relationship.
5.3 Data processing based on the consent of data subject
Withdrawal or modification of consent apply to data for which the consent was given. If there are more than one consent forms available, it is the latest that is valid and possibly a subject to withdrawal or modification. Nevertheless, withdrawal of consent has no bearing on persons’s business relationship with the company.
Data processing based on natural person’s consent is no longer possible when the cosent is revoked. Consequently, personal data are deleted in a manner, time period and under conditions as stated in section 8.
6. Limitations for transferring personal data
Occasionally, related to our business activities, we may have to authorise other companies to perform certain tasks or activities on our behalf. We carefully select external partners. In case of data processig, the partner is a processor, a company with which we enter into an agreement or another binding arrangement on personal data processing (referred to as contract on data processing). We transfer information to the extent which is needed to process data for a specific purpose. The external processor will not use data for any other purposes. In the least, the processor will comply with all the standards of personal data processing under the relevant legal provisions and regulations. Moreover, the contract on data processing compels the external processor to respect the confidentiality of information of data subject.
On lawful and justified request the companies are obliged to provide personal information to government authorities. Zavod Premiki, for example, will respond to requests from courts, public prosecutor’s office and other government authorities, which may include the authorities of another member state.
7. Time limitations for storing personal data
The retention period is determined by the category of data. The data are kept for the period needed to accomplish the task for which they were gathered. The data can be kept as long as it is provided by the statutory limitations for the fulfillment of a contract or until the statutory time limitation for storing data is met.
The invoce and billing specification with all related information of data subject, for example contact information, may be kept until the contract-based obligations are fulfilled i.e. full payment of the service, or until the statutory limitation periods, which may extend from one to five years. For taxation purposes and according to the value-added-tax regulation, the invoices will be kept for 10 years after the end of the year to which the invoice relates.
Other information obtained by your consent are kept for another two years after our business relationship has been concluded, unless the retention period is longer by the law. If the data subject has never entered into a business relationship with us, although the consent has been submitted, such a consent is valid for two years after the submission or until the consent has been cancelled.
When the retention period has expired, the data will be erased, destroyed, blocked or pseudonymisated, unless otherwise determined by the law for specific data types.
8. Rights of data subject with regard to the processing of their personal data
Your rights with regard to the processing of your personal data will be exercised without delay. Your request will be resolved within one month after it has been submitted. In case of complex or multiple requests, the deadline might be extended for another two months. Should this happen, you will be notified of the deadline extension and the grounds for such an extension within one month after your request has been submitted.
If you submit your request by electronic means, we will provide information the same way whenever possible, unless you state otherwise in your request.
Where there is reasonable doubt as to the identity of the natural person making the request, we will ask for additional information to confirm the identity of the natural person.
Premiki as the controller will facilitate the exercise of your rights regarding the processing of your personal data and provide you with the relevant or requested information. You as a data subject have the rights as follows:
a) right to access the data
b) right to rectification
c) right to erasure (‘right to be forgotten’)
d) right to restriction of processing
e) right to data portability
f) right to object
a) Right of access by data subject to their data
You as a data subject are always entitled to be informed whether or not your personal data are processed, and, if this should be the case, you as a data subject have the right to access your personal data and the following information:
- the purposes of processing,
- the types of personal data that are being processed,
- the recepients or categories of recepients to whom personal data have been or will be disclosed,
- the period of time for which the data will be stored or, if not possible, the criteria that are used to determine that period,
- the right to request from the controller rectification or erasure of personal data or to restrict the processing of your personal data, and the right to object to such processing,
- the right to place a complaint with the supervisory authority,
- the right to obtain any available information regarding the source of your personal data, when these are not collected from you.
b) Right to rectification
You as a data subject have the right to obtain from the controller the rectification of inaccurate personal data concerning you without undue delay and, taking into account the purposes of processing, the right to have incomplete personal information completed.
c) Right to erasure (‘right to be forgotten’)
You as a data subject have the right to obtain from the controller the erasure of personal data concerning you without undue delay where one of the following grounds applies:
the personal data are no longer needed for the purposes for which they were collected or otherwise processed,
withdrawal of consent, if the consent is the basis for data processing, or if there are no other legal grounds for the processing,
when you as the data subject object to the processing of data and there are no overriding legitimate grounds for data processing,
the personal data have been unlawfully processed,
the personal data have to be erased for compliance with a legal obligation in Union or controller’s member state i.e. Slovenian legal regulation.
d) Right to restriction of processing
You as a data subject have the right to obtain from the controller restriction of processing where one of the following applies:
if the accuracy of the data is disputed by you as a data subject, restriction applies for a period of time that allows the controller to verify the accuracy of the personal data,
the processing is unlawful and you as a data subject oppose to the erasure of data, instead, you request a restriction on their use,
the controller no longer needs your personal data for processing purposes, but you as a data subject may need them to establish, execute or defend legal claims,
if you have raised an objection to the processing based on legitimate grounds of the controller, until it is verified whether or not the grounds of the conroller override the grounds of the data subject.
Where the processing of the personal data has been restricted for any reason stated in the preceding paragraphs, such personal data, with the exception of their storage, will be processed only with data subject’s consent, i.e. your consent, or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.
You as a data subject will be informed by the controller before the restriction on the processing of your personal data is lifted.
e) Right to data portability
You as a data subject have the right to receive your personal data, which you have provided the controller with, in a structured, commonly used and machine-readable format and have the right to transmit the data to another controller without any interference from the first one if the data processing is based on your consent and carried out by automated means. At your request, where technically feasible, personal data may be transmitted directly from one controller to another.
f) Right to object
You as a data subject have the right to object to data processing for marketing purposes at any time.
However, data processing may be necessary to carry out a task in the public interest or to exercise an official authority vested in the controller, in which case the data processing will continue, except where such interests are overridden by the interests or fundamental rights and freedoms of data subject.
Right to lodge a complaint concerning the processing of personal data
Any request regarding the processing of your personal data may be emailed to firstname.lastname@example.org or sent to Zavod Premiki, Vojkova cesta 58, 1000 Ljubljana by regular post.
Should your request not be resolved within a time period set by the law or not be resolved favourably, you are entitled to file a complaint with the Information Commissioner.
You are also entitled to file a complaint directly with the Information Commissioner if you believe that the processing of your personal data is not compliant with Union or Slovenian regulation on protection of personal data, or if you believe that your privacy rights may have been violated.
If you have exercised your right of access to your personal data and you believe that the personal data you have received are not the data you requested, or that the data received are incomplete, you may – prior to appealling to the Information Commissioner – file a complaint with the controller’s office, that is us, within 15 days after having received, what you believe is, an unsatisfactory or incomlete information from us. Your complaint will be dealt with promptly and resolved in five business days.
Entry into force and application
Ljubljana, 25 May 2018