The security of personal data is an extremely important area for the institution (hereinafter referred to as the controller). The use of the website is possible without the use of personal data, but insofar as the data subject wishes to use the services on the web site for which personal data is required, the processing of personal data may occur in order to ensure the smooth functioning of the web site. In case the processing of personal data is necessary and there is no legal basis for such processing, the individual’s consent to the processing of personal data is required.
In order to protect personal data, the data controller will use organizational, technical, and other appropriate procedures and measures to prevent the unauthorized destruction of data, their alteration or loss, and unauthorized processing. Since there are certain links on other web sites that are not in any way connected with the controller, the operator does not assume any responsibility for data protection on these web sites. Similarly, the operator is not liable for any errors arising from the transmission of incorrect information when using the portal’s web site.
In this Statement of Privacy, we use, among others, the following terms:
- a) Personal data
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- b) Data subject
“Data subject” is any identified or identifiable natural person whose personal data is processed by the operator responsible for the processing.
- c) Processing
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise providing access, alignment or combination, restriction, erasure or destruction;
- d) Restriction of processing
“Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future.
- e) Profiling
“Profiling” means any form of automated processing of personal data involving the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- f) Pseudonymisation
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- g) Controller
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (the owner of the website);
- h) Processor
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- i) User
“User” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as users; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- j) Third party
“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- k) Consent of the data subject
“Consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
The site stores so-called “cookies” in the browser of the visitor’s or user’s computer. Cookies are text files stored on a user’s computer, allowing the analysis of the user’s visit, the number of visits, and what the user is interested in during these visits. The cookie contains basic information about the user’s visit of a specific web site, such as the name of the visited web site. The contents of the cookie are stored on the user’s computer in a special directory. By double-clicking on the file, we get more detailed information about the visited web site, the date and time of the visit. All this information is also stored by the controller of the site that the user has visited.
The data subject may at any time prevent a cookie from being set by a web site by configuring the Internet browser accordingly, and in that way permanently reject the setting of cookies. In addition, cookies that have already been set may be deleted at any time in the Internet browser settings. This is possible in all popular Internet browsers. If the person to whom the data relates turns off the storage of cookies in the Internet browser used, the web site may malfunction or be incomplete.
3. Collection of general data and information
The website collects a series of general data and information when a data subject or automated system calls up the website. This general data and information are stored in the server log files. The following may be collected: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called reference systems), (4) sub-domains and nesting websites, (5) the date and time of access to the website, (6) the Internet protocol address (IP address), (7) provider of Internet access services, and (8) any other similar data and information that may be used in the event of attacks on information technology systems hosting the site.
When using general data and information, data are not processed with the aim of identifying the data subject. This information is needed to (1) deliver the content of the website correctly, (2) optimize the content of the website, (3) ensure the long-term viability of information technology systems and website technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Data and information are collected statistically, with the aim of increasing the data protection and data security, and to ensure an optimal level of protection for the personal data we process.
The data subject has the ability to provide data (including personal data) on the operator’s web site in the manner of an electronic form. Which personal data are sent to the operator is defined by the input mask used in the individual form. The personal data entered by the data subject shall be collected and stored exclusively within the scope defined on the input mask of each form.
When an e-form on the operator’s website is used, the IP address, which is determined by the Internet Service Provider (ISP), and the date and time of the e-form submission are also stored. E-form data is transmitted via secured encrypted communication channels to users authorized to process personal data insofar as such an e-form contains personal data. Data processed under e-forms is not transmitted to third parties. The data will be disclosed by the controller only for purposes for which the consent of the individual has been obtained, or will be handed over at the request of the official bodies of the Republic of Slovenia, insofar as they have a legal basis for such a request.
At any time, the data controller shall provide information upon request to any data subject, about what personal data are stored about the data subject. In addition, the data controller must correct or delete personal data upon a request of the individual to whom the data relates in the event that such a measure is not legally restricted in relation to the prescribed retention periods.
5. Subscribing to news
On the web site, individuals have the option of subscribing (signing up) to news or other informative announcements (hereinafter referred to as news), or they may directly forward messages to the controller without notification. The entry mask used for this purpose visibly defines which personal data are processed, namely the first and last name, e-mail address and message, the purpose, and the notification of what sort of rights an individual has in relation to the processing of personal data. For a successful application to receive news, an individual must agree to the use of personal data for the purposes defined at the time of submitting the application, just as in the case of instant messages.
News may only be received by data subjects if (1) the person to whom the personal data relates has a valid e-mail address, and (2) the data subject is recorded for the purpose of sending news. A confirmation e-mail is sent to the e-mail address that the individual to whom the personal data relates entered in the application, in order to verify the individual’s e-mail address. This confirmation e-mail is used to demonstrate whether the owner of the e-mail address as the data subject is empowered to receive news.
In the process of subscribing to news, the IP address of the computer system, which is assigned by the Internet Service Provider (ISP), used by the user at the registration, and the date and time of subscription, are also stored. The data are collected in order to determine the possible misuse of the e-mail address of the individual to whom the data relate, and therefore serve the purpose of the legal protection of the controller.
Personal data collected as part of the registration for receiving news will be used exclusively for the purpose of sending news. An individual has the option to revoke, at any time, the consent to the processing of personal data that he or she provided at the time of submission of the application. In order to withdraw the consent, an appropriate link is available in every news item or information notice.
6. Deletion and blocking of personal data
The data controller processes and stores the personal data of the data subject only for the period necessary to achieve the purpose for which the personal data have been acquired, unless otherwise provided by another law.
If there is no fixed retention period or if the retention period fixed for the storage of personal data expires, personal data is blocked or deleted in accordance with the requirements of the GDPR (General Data Protection Regulation).
7. Rights of the data subject
An individual may at any time request from the data controller:
- Confirmation that personal data are processed and, where appropriate, access to personal data and the following information:
  - the purpose of the processing;
  - the nature of the personal data concerned;
  - users or categories of users to whom personal data have been or will be disclosed, in particular users in third countries or international organizations;
  - the deadline for the retention of personal data or, if that is not possible, the criteria used to determine that period;
- The existence of automated decision-making, including shaping of profiles;
- The reasons for processing, as well as the significance and predicted consequences of such processing for an individual;
- One copy of personal data in electronic form (free of charge);
- In the event that an individual requests additional copies, the operator may charge a reasonable fee, taking into account the costs;
- Processing restriction when:
  - the data subject disputes the accuracy of the data, for a period allowing the controller to verify the accuracy of personal data;
  - the processing is unlawful and the data subject opposes the erasure of personal data and instead requires a restriction on their use;
  - the controller no longer needs the data for their original purpose, but the data are still required by the controller to establish, exercise or defend legal rights.
- Correction of inaccurate or incorrect personal data;
- The deletion of all personal data on the basis of the conditions set out in Article 17 of the General Data Protection Regulation, more precisely, if the data subject revokes the consent on the basis of which the processing of personal data takes place;
- The data subject has the right to receive personal information relating to him or her held by the controller in a structured, widely used and machine-readable form, and the right to forward such information to another controller without hindrance from the controller to which the data was provided;
- Termination of the processing of personal data for direct marketing purposes, including profiling;
- The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her in accordance with Article 22 of the General Data Protection Regulation.
An individual has the right to file an appeal against the controller with the Information Commissioner if he or she considers that the processing of personal data is in breach of the General Data Protection Regulation.
8. Legal basis for processing
The General Data Protection Regulation serves as a legal basis for the processing of personal data where the data subject has consented to the processing of personal data for one or more specified purposes, or where the processing is necessary to fulfill the statutory obligation that applies to the controller.
9. The existence of automatic decision-making
The controller, as a responsible organization, does not use automated decision-making, including profiling.
10. An authorized person for the protection of personal data
An individual may submit questions relating to the processing of personal data by the operator to an authorized person for the protection of personal data:
- E-mail: firstname.lastname@example.org
11. A record of the processing of personal data
The list of personal data collections processed by the operator is accessible through the contact person.