Privacy policy

Meaning of Terms

Privacy Policy

The Privacy Policy is an internal act of the company MIZARSTVO IN MONTAŽNE STORITVE MATJAŽ JERANČIČ S.P. (hereinafter: the processor) and applies to all legal relationships between it and service clients (hereinafter: the controller).

This act defines the rights and obligations of the processor and the controller in the management and processing of individuals’ personal data.

Personal Data

Personal data means any information relating to an identified or identifiable individual who is a natural person. An identified individual is one whose personal data are defined and processed in accordance with the purposes determined by the controller. An identifiable individual is one who can be identified directly or indirectly and whose personal data can be processed in accordance with the purposes determined by the controller.

Individual

An individual is any natural person whose personal data are processed on a lawful or contractual basis between the controller and that individual or on the basis of explicit consent given by the individual to the controller.

Controller

The controller determines the purposes and means of processing within the scope of its registered activity and/or statutory powers. The individual is informed in advance who the controller of personal data is and who the processor of their personal data is.

Processor

The processor processes individuals’ personal data on behalf of the controller, in accordance with the controller’s instructions, within the scope of lawful purposes and methods of processing.

Sub-processor

The sub-processor processes individuals’ personal data on behalf of and in accordance with the instructions of the processor, within the scope of lawful purposes and methods of processing.

Processing

Processing of personal data means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of Processing

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that individual.

Pseudonymisation

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable individual.

Consent of the Individual

Consent of the individual to whom the personal data relate means any freely given, specific, informed and unambiguous indication of the individual’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

Personal Data Breach

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Processing of Personal Data

Processor Information

MIZARSTVO IN MONTAŽNE STORITVE MATJAŽ JERANČIČ S.P.

Tax number: SI41793684
Registration number: 3227804000

E: mizarstvo.jerancic@gmail.com
T: 031 819 626

Sub-processors

The processor has concluded agreements on the further processing of personal data of individuals of a specific controller in cases where, for the performance of its services, it uses external processors who are sub-processors in relation to the controller. The processor is responsible for the selection of sub-processors and ensures that they are bound to the same or a higher level of personal data protection as required by Slovenian regulations and European Union regulations. The processor informs the controller of its existing processors and of any replacement of processors or engagement of new processors. This is done by announcing the publication of new privacy conditions, in which new processors are listed and the controller is given thirty days to comment on, approve or object to the changes.

Legal Basis for the Processing of Personal Data

The processor has a legal basis for processing the personal data of individuals of a specific controller in a previously concluded contract between the controller and the processor or on the basis of another agreement for the provision of services.

The processor is responsible for ensuring that controllers are familiar with this act and other acts of the processor insofar as they regulate the field of processing of individuals’ personal data and/or business conditions for the performance of ordered services.

The controller is responsible for ensuring appropriate legal bases for the processing of personal data (legitimate interest, contractual interest and/or explicit consent of the individual).

Types of Personal Data

The processor processes the personal data provided to it by the controller. The processor never processes other personal data of individuals of a specific controller.

Purposes of Personal Data Processing

The processor processes personal data of individuals of a specific controller solely for the purposes for which it has received instructions from the controller. The processor never processes personal data of individuals of a specific controller for other purposes.

Role of the Controller

The controller is obliged to provide the processor with instructions for the processing of the personal data of individuals under its control. The controller must clearly and unambiguously inform the processor which types of personal data may be processed and for which purposes.

Documented Instructions of the Controller

Under this act, the controller is obliged to determine for the processor the content and duration of the processing of personal data, the nature and purpose of the processing, the types of personal data and the categories of individuals to whom the personal data relate.

The controller’s instructions must be documented and may be provided in written form by regular or electronic mail; in the case of oral instructions, the processor requires written confirmation by regular or electronic mail.

The processor is not responsible for the lawfulness of the instructions received from the controller for the processing of personal data of individuals of a specific controller.

Confidentiality of Data

The processor ensures that persons authorised to process personal data are bound by confidentiality or are subject to an appropriate statutory obligation of confidentiality. The processor has adopted an internal Personal Data Protection Policy and obtains from all employees and external collaborators a written commitment to confidentiality of data, acknowledgement of the policy and of the appropriate security measures implemented by the processor to ensure an adequate level of data security.

Rights of Individuals

The processor technically ensures that, upon the instruction of the controller and within the lawful scope, it provides support, technical solutions and final data required by the controller when individuals exercise one or more of the rights granted to them by law: the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability and the right to object.

Deletion or Transfer of Data

Based on prior documented instructions of the controller, the processor deletes or returns all personal data to the controller after completion of the service performed for the controller and destroys existing copies, except where storage of the data is required by law.

Access to Information

The processor provides the controller with all information necessary to demonstrate compliance with the obligations under this act and applicable legislation, and enables the controller or another auditor authorised by the controller to carry out audits, including inspections, and cooperates in such audits.

Security of Personal Data Processing

Processing Security

Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, as well as the risks to the rights and freedoms of individuals, which vary in likelihood and severity, the controller and the processor ensure an appropriate level of security through the implementation of appropriate technical and organisational measures, including, among others:

  • pseudonymisation and encryption of personal data,

  • the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services,

  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident,

  • procedures for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

When determining the appropriate level of security, particular account is taken of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Data Protection Officer

The processor is not obliged to appoint a data protection officer, as it does not carry out processing as a public authority or body, nor does its core activity include processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic large-scale monitoring of individuals, nor does the core activity of the processor include large-scale processing of special categories of personal data.

Security Measures

The processor ensures appropriate security measures in the processing of personal data to ensure the protection of personal data. Security measures are regularly monitored and updated in accordance with technological development and legislative requirements.

The processor informs the controller of security measures and appropriate technical solutions in a separate document, which forms an integral part of these privacy conditions governing the legal relationship between the controller and the processor, and of the Personal Data Protection Policy governing the legal relationship between the processor and employees who process the personal data of individuals of a specific controller.

Final Provisions

Binding Nature of Legal Conditions

  1. The privacy conditions apply to all controllers with whom the processor has a regulated legal-business relationship by contract or in writing via electronic mail and which controllers confirm via electronic mail; it shall be deemed that an annex to the existing legal relationship has been accepted or, if the controller so requires, by a written annex to the existing written contract.

  2. The privacy conditions are binding for all legal transactions concluded on their basis.

  3. The privacy conditions form an integral part of the service order by the controller.

  4. The controller confirms awareness of and agreement with these privacy conditions prior to ordering the service (in the contract or in writing via electronic communication).

Amendments to the Privacy Conditions

  1. The processor regularly updates the privacy conditions in accordance with legislative changes.

  2. The processor informs the controller of changes in a timely manner in writing by electronic message.

  3. The processor maintains an archive of changes to the privacy conditions, which is accessible to any controller upon prior written request to the processor’s contact email address.

Dispute Resolution

The processor and the controller undertake to resolve any disagreements and disputes amicably and by mutual agreement. If an amicable resolution is not possible, the competent court for resolving the dispute shall be the court in the Republic of Slovenia with jurisdiction at the registered office of the processor.