PRIVACY TERMS

Meaning of Terms

Privacy Terms
The Privacy Terms are an internal act of the company MI ZNAMO d.o.o. (hereinafter: the Processor) and apply to all legal relationships between it and the clients of its services (hereinafter: the Controller). The act defines the rights and obligations of the Processor and the Controller in the management and processing of personal data of individuals.

Personal Data
Personal data means any information relating to an identified or identifiable natural person. An identified person is one whose personal data are specified and processed in accordance with the purposes determined by the Controller. An identifiable person is one who can be directly or indirectly identified, and whose personal data may be processed in accordance with the purposes determined by the Controller.

Data Subject
A data subject is any natural person whose personal data are processed on a legal or contractual basis between the Controller and the individual, or on the basis of explicit consent given by the individual to the Controller.

Controller
The Controller determines the purposes and means of processing within the scope of its registered activity and/or legal authorizations. The data subject is informed in advance who the Controller of the personal data is and who the Processor of their personal data is.

Processor
The Processor processes the personal data of individuals on behalf of the Controller, in accordance with the Controller’s instructions, and within the framework of lawful purposes and methods of processing.

Sub-processor
A sub-processor processes the personal data of individuals on behalf of and according to the instructions of the Processor, within the framework of lawful purposes and methods of processing.

Processing
Processing of personal data means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Restriction of Processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.

Pseudonymisation
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Consent of the Data Subject
The consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

Personal Data Breach
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.


Processing of Personal Data

Processor’s Details
COMPANY NAME: MI ZNAMO d.o.o.
COMPANY ADDRESS: Prebačevo 55A, Prebačevo, 4000 Kranj
Registration Number: 3809811000
VAT Number: 11463490
The responsible person for providing information regarding this act and the protection of personal data is: Knific Andreja

Sub-processors
The Processor has concluded agreements on further processing of personal data of data subjects of a specific Controller in cases where, for the performance of its services, it uses external processors, which in relation to the Controller are its sub-processors. The Processor is responsible for the selection of sub-processors and ensures that they are bound to the same or a higher level of protection of personal data, as required by Slovenian and European Union regulations. The Processor informs the Controller about its existing processors and about any replacement or engagement of new processors by announcing updated Privacy Terms, in which it lists the new processors, giving the Controller thirty (30) days to comment, confirm, or object to the changes.

Legal Basis for Processing Personal Data
The Processor has a legal basis for processing personal data of individuals of a specific Controller in a previously concluded contract between the Controller and the Processor or on the basis of another service agreement.

The Processor is responsible for ensuring that Controllers are acquainted with this act and other acts of the Processor, insofar as they regulate the processing of personal data of individuals and/or the terms of business for the execution of ordered services.

The Controller is responsible for ensuring appropriate legal bases for the processing of personal data (legitimate interest, contractual basis, and/or explicit consent of the individual).

Types of Personal Data
The Processor processes those personal data that are provided to it by the Controller. The Processor never processes other personal data of individuals of a specific Controller.

Purposes of Processing Personal Data
The Processor processes the personal data of individuals of a specific Controller only for the purposes for which the Controller has given instructions. The Processor never processes personal data for other purposes.

Role of the Controller
The Controller must provide the Processor with instructions for processing the personal data of the individuals it manages. The Controller must clearly and unambiguously inform the Processor of the types of personal data and the purposes for which they may be processed.

Documented Instructions of the Controller
Under this act, the Controller must specify to the Processor the content and duration of processing, the nature and purpose of the processing, the types of personal data, and the categories of data subjects whose data are to be processed.

The Controller’s instructions must be documented; they may be given in writing by regular or electronic mail, and in the case of oral instructions, the Processor requires written confirmation by regular or electronic mail.

The Processor is not responsible for the legality of the instructions received from the Controller regarding the processing of personal data.

Confidentiality of Data
The Processor ensures that persons authorized to process personal data are bound by confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor has adopted an internal Personal Data Protection Policy and obtains written commitments of confidentiality, awareness of the policy, and security measures from all employees and external collaborators.

Rights of Data Subjects
The Processor ensures, according to the Controller’s instructions and within the legal scope, the support and technical solutions required to provide the data necessary for the Controller to enable data subjects to exercise their rights as provided by law: the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, and the right to object.

Erasure or Return of Data
Based on prior documented instructions of the Controller, the Processor deletes or returns all personal data to the Controller after the completion of the service and destroys existing copies, except in cases where data retention is required by law.

Access to Information
The Processor provides the Controller with all information necessary to demonstrate compliance with the obligations under this act and legislation, and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor authorized by the Controller.


Security of Personal Data Processing

Security of Processing
Taking into account the latest technological developments, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of individuals, which vary in likelihood and severity, the Controller and the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among other things:

  • Pseudonymisation and encryption of personal data,
  • The ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services,
  • The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident,
  • Procedures for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.

When assessing the appropriate level of security, account shall be taken in particular of the risks presented by processing, especially from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Data Protection Officer
The Processor is not obliged to appoint a Data Protection Officer, as the processing is not carried out by a public authority or body, nor does its core activity consist of processing operations that require regular and systematic large-scale monitoring of data subjects, nor does its core activity consist of large-scale processing of special categories of data.

Security Measures
The Processor ensures appropriate security measures for the processing of personal data to ensure their protection. Security measures are regularly monitored and updated in accordance with technological developments and legal requirements.

The Processor informs the Controller of security measures and appropriate technical solutions in a separate document, which is an integral part of these Privacy Terms regulating the legal relationship between the Controller and the Processor, and the Personal Data Protection Policy regulating the legal relationship between the Processor and employees who process the personal data of the Controller’s data subjects.


Final Provisions

Binding Nature of Legal Terms
The Privacy Terms apply to all Controllers with whom the Processor has established a legal and business relationship by contract or in writing via electronic mail. By confirming via electronic mail, the Controller is deemed to have accepted an annex to the existing legal relationship or a written annex to the contract if requested.

The Privacy Terms are binding for all legal transactions concluded on their basis.
The Privacy Terms form an integral part of the service order by the Controller.
The Controller confirms awareness and acceptance of these Privacy Terms before ordering a service (in the contract or in writing via electronic communication).

Amendments to Privacy Terms
The Processor regularly updates the Privacy Terms in line with legislative changes.
The Processor informs the Controller of amendments in a timely manner in writing by electronic mail.
The Processor keeps an archive of amendments to the Privacy Terms, accessible to each Controller upon prior written request to the Processor’s contact email address.

Dispute Resolution
The Processor and the Controller undertake to resolve any disagreements and disputes amicably. If an amicable resolution is not possible, the competent court in the Republic of Slovenia at the registered office of the Processor shall have jurisdiction to resolve the dispute.