company contact information,
the purposes, bases and types of processing of various categories of personal data of natural persons,
storage period for specific categories of personal data,
rights of natural persons in regard to personal data processing,
right to lodge a complaint in regard to personal data processing,
2) Personal data processed by the company
If you are only visiting the website, we collect your data only with cookies. If you are a user or customer, using services provided by the company, we also collect other personal data that we need to provide the services that you have ordered or are using. These personal data include:
name and surname,
contact e-mail address,
contact telephone number,
information for issuing an offer according to your enquiry (your address, tax number).
3) Personal data controller
4) Categories of natural persons whose data is processed
5) Purposes and bases for data processing
5.1. Processing on the basis of contract:
As part of exercising contractual rights and performance of contractual obligations, the company processes your personal data for the following purposes: identification of the individual, preparation of an offer, conclusion of a contract, provision of services ordered, notification of possible changes, additional details and instructions for using services, resolving potential technical issues, objections or complaints, invoicing for services and for other purposes necessary for the performance or conclusion of a contractual relationship between the company and the individual. When invoicing for services, on the basis of tax regulations, we obtain and process your address in order to correctly issue the invoice.
5.2. Processing on the basis of law:
On the basis of a legitimate interest, we use your personal data to identify and prevent fraudulent use and misuse of services, to ensure stable and secure operation of our system and services, as well as to implement information security measures, meet service quality requirements and identify technical system and service failures.
On the basis of a legitimate interest, we also use your personal data for the purposes of possible enforcement, judicial and extrajudicial recovery.
In accordance with the General Data Protection Regulation, in the event of suspected misuse, the company may process data on individuals to an appropriate and proportionate extent for the purpose of identifying and preventing possible fraud or misuse and may, if appropriate, pass this information on to other service providers, business partners and the police, public prosecutor's office or other competent authorities. For the purpose of preventing future misuses or frauds, historical data on identified misuses or frauds in connection with an individual, which includes data on the subscription relationship and, for example, IP address, may be kept for five years after the termination of the business relationship.
5.3. Processing on the basis of consent for personal data processing:
Data processing may also be based on your consent given to the company.
Withdrawal or change of consent affects only data processed on the basis of your consent. Your last consent given to us shall be considered effective. The option to revoke the consent does not constitute a right of withdrawal in the business relationship of the individual with the company.
The data for which your consent has been given are in the absence of revocation of consent processed up to two years after the termination of the business relationship with the company.
6) Limitation of transmission of personal data
If necessary, we will authorise other companies and individuals to perform certain activities that contribute to our services. In such a case, the company may also provide personal data to such carefully selected external processors that will conclude a contract with the company for the processing of personal data or substantively identical agreement or other binding document (hereinafter: Processing Contract). We will provide or make available such data to external processors only to the extent required for a specific purpose. The data may not be used by the external processor for any other purpose, provided that it meets the minimum standards for the personal data processing stipulated by applicable legislation. External processors are contractually obliged by the company to respect the confidentiality of your personal data.
On the basis of a reasoned request, companies also provide personal data to the competent state authorities, which have a legal basis for such actions. The company will, for example, respond to requests from courts, law enforcement bodies and other national authorities, which may include national authorities from another EU member state.
7) Personal data retention period
The data retention period is determined by the category of data. The data is kept for a maximum period necessary to achieve the purpose for which they were collected or further processed, or until the expiry of the statute of limitations for the fulfilment of obligations or the statutory retention period.
Accounting data and related contact data of individuals may be kept for the purpose of fulfilling contractual obligations until full payment of the service or until the expiry of the statute of limitations in relation to an individual claim, which, according to law, may amount to one to five years. Invoices shall be kept for 10 years after the end of the year to which the invoice refers, in accordance with the law governing value added tax.
Other data obtained on the basis of your consent are kept for the duration of the business relationship and for 2 years after the termination thereof, unless the law stipulates a longer retention period. If the individual who gave consent for the processing of personal data has not entered into a business relationship with the company, their consent is valid for 2 years from its submission or until its revocation.
At the end of the retention period, the data shall be deleted, destroyed, blocked or anonymised, unless otherwise required by law for each category of data.
8) Rights of individuals in regard to personal data processing
We shall ensure that you can exercise your rights in relation to the personal data processing without undue delay. We shall decide on your request within one month of receiving your request. In case of complexity and a large number of requests, the deadline can be extended by a maximum of two additional months. If we extend the deadline, we will notify you of any such extension within one month of receiving the request, together with the reasons for the delay.
Requests regarding the exercise of your rights can be sent by e-mail to firstname.lastname@example.org or by mail to Ekspekta d.o.o., Dunajska cesta 63, 1000 Ljubljana.
When you submit a request by electronic means, we will provide you with the information by electronic means whenever possible, unless you request otherwise.
Where there is reasonable doubt as to the identity of an individual making the request in relation to any of their rights, we may request additional information necessary to confirm the identity of the data subject.
If the data subject's requests are manifestly unfounded or excessive, in particular because they are repetitive, the company may:
charge a reasonable fee, considering the administrative costs for submitting information or message or carrying out the requested measure; or
reject the measure regarding the request.
We shall ensure that you can exercise the following rights in relation to the personal data processing: (i) data access (ii) right to rectification (iii) right of erasure ("right to be forgotten") (iv) right to restriction of processing (v) right to data portability (vi) right to object
(i) Data access You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where they are, access to the personal data and the following information:
the purposes of processing
the categories of processed personal data
the recipients or categories of recipient to whom the personal data have been or will be disclosed
the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of your personal data or to object to such processing
the right to lodge a complaint with a supervisory authority
where the personal data are not collected from you, any available information as to their source
(ii) Right to rectification
You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you, and, taking into account the purposes of the processing, the right to have incomplete personal data completed, including by means of providing a supplementary statement.
(iii) Right of erasure ("right to be forgotten")
You have the right to obtain from the controller the erasure of your personal data without undue delay where one of the following grounds applies:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
you withdraw your consent on which the processing is based, and where there is no other legal ground for the processing
you object to the processing and there are no overriding legitimate grounds for the processing
the personal data have been unlawfully processed
the personal data have to be erased for compliance with a legal obligation in Union or Slovenian law
(iv) Right to restriction of processing
You have the right to obtain restriction of processing where one of the following applies:
you contest the accuracy of the personal data, specifically for a period enabling us to verify the accuracy of the personal data
the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead
we no longer need the personal data for the purposes of the processing, but you require the personal data to establish, exercise or defend legal claims
you have objected to processing pursuant legitimate interests of the company, pending the verification whether our legitimate grounds override yours
Where processing has been restricted under the previous paragraph, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.
We are obliged to inform you before the restriction of processing of your personal data is lifted.
(v) Right to data portability
You have the right to receive the your personal data, which you have provided to us, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the our company, when the processing is based on your consent and the processing is carried out by automated means. At your request, where technically feasible, the personal data can be transferred directly to another controller.
(vi) Right to object
When we process your data on the basis of a legitimate interest for marketing purposes, you may object to such processing at any time.
We no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
9) Right to lodge a complaint in regard to personal data processing
Any complains in regard to the processing of your personal data can be sent by e-mail to email@example.com or by mail to Ekspekta d.o.o., Dunajska cesta 63, 1000 Ljubljana.
In the event that we do not come to a decision regarding your request by the legal deadline or reject your request, you have the option of filing a complaint with the Information Commissioner.
You also have the right to lodge a complaint directly with the Information Commissioner if you believe that the processing of your personal data violates Slovenian or EU regulation on the protection of personal data.
If you have exercised your right of access to data and, after receiving the decision, you believe that the personal data you received is not the personal data you requested, or that you have not received all the requested personal data, you can file a reasoned complaint with company within 15 days before filing a complaint with the Information Commissioner. We are obliged to decide on your complaint as a new request within five business days.
10) Final provisions