PRIVACY POLICY
INTRODUCTION
This document contains information about the processing of personal data collected through the website https://www.bsc-kranj.si/. The website is operated by the company BSC, poslovno podporni center, d.o.o., Kranj, Cesta Staneta Žagarja 37, 4000 Kranj, Slovenia, VAT ID: SI 32865597, which is the controller of the collected personal data. The data controller may be reached at: info@bsc-kranj.si.
When collecting personal data, the controller is not obliged to verify the accuracy of personal data or the identity of the individual, but reserves the right to require, at its own discretion, proof of the individual’s identity to establish the accuracy of the processed data.
Where we have requested information from you and stated that the provision of information is mandatory, we have done so because we cannot comply with your request without collecting information about you, or because we are required to obtain your personal data by law. In these cases, the provision of the data is a legal or contractual obligation or an obligation necessary to conclude a contract.
PURPOSES AND LEGAL BASIS OF DATA PROCESSING
Sending e-newsletters
In case you subscribe to our e-newsletter, we will ask you for information about your e-mail address. Processing of your personal data shall be based on your consent (Article 6/1/(a) of the GDPR).
Legitimate interest
After a thorough assessment has been made, showing that our legitimate interest may prevail over the rights of data subjects, we may process personal data on the legal basis of our legitimate interest (Article 6/1/(f) of the GDPR).
On this basis, data will be processed for the following purposes:
- to ensure and maintain network and information security (for example, to prevent unauthorised access to electronic communications networks, the spreading of malicious code, attacks causing unavailability of service and damage to computer and electronic communications systems),
- to assert or defend against legal claims,
- to ensure the security of the controller’s premises and property.
We may also process personal data when you communicate with us on behalf of your employer, principal, or client. For these purposes, we may process the following personal data: first name, surname, your job title, employer or principal details, professional title, residential address, date of birth, content of correspondence. Please contact your employer or client for more information about how they process your personal data.
Accepting applications for organised events
For the purpose of carrying out events organised by the controller, we will collect your personal data on the basis of your personal consent (Article 6/1/(a) of the GDPR). The data we will collect and process for the purpose described above are as follows: first name, last name, residential address, telephone number, email address, name of your employer.
Processing and publication of the data collected at events
The controller may process and publicly share photographs and videos from the events organised by the controller in the scope of their business for the purpose of managing its public relations, which may include processing of personal names and titles of individuals. Such processing of personal data will be carried out provided that the individual who can be identified in the photographs and videos in question has not prohibited such processing.
The legal basis for such processing is Article 93/3 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 163/22).
PERSONAL DATA OF THIRD PARTIES
If you happen to disclose personal data of third parties (for example of your employees, contractual associates, family members or your employer) to us, please note that you are only allowed to disclose this data to us if you have obtained the consent of the individual to whom the personal data relates, or have another legal basis for disclosing their personal data to us. By using the website or any other means of data sharing you represent that you made sure there is a valid legal basis to share personal data with us. You also represent that you have made the third parties aware of the information contained in this Privacy Policy.
TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
If you subscribe to our e-newsletter, the information about your e-mail address will be transferred to a country outside the European Union, namely the United States of America (USA). There is currently no European Commission decision on the adequacy of the protection of personal data in the USA. The data processor to which the personal data will be transferred has committed itself to the standard contractual clauses adopted by the European Commission and has adopted additional organisational and technical data protection measures. You may find out how your data is protected when transferred to the USA by following these links: https://mailchimp.com/en-gb/legal/data-processing-addendum/
https://mailchimp.com/about/security/
DATA USERS
The controller shall not disclose your personal data to any third parties, unless there is a valid legal basis for such disclosure, for example to the following users of personal data:
- External contractors who process data solely on behalf of, for the account of, under the instructions and under the control of the controller, for example for the organisation and execution of events (e.g. printing office, advertising agencies); for the maintenance of security of information systems, premises and assets; as providers of website hosting; for the purpose of processing legal claims; and for the purpose of sending e-newsletters and other notices.
- Potential clients or partners in the process of transferring or selling a business or participating in a joint venture.
RETENTION PERIOD
The duration of the processing of your personal data depends on the purpose of the processing. The processing typically lasts until the purpose of data processing has been fulfilled.
The data collected for the purpose of sending e-newsletters will be kept until you withdraw your consent.
Publicly shared posts from the events, containing photographs, videos and other personal data, will be retained for as long as their processing is reasonable and necessary to inform the public, but no longer than until we receive your objection to the processing of personal data.
Data collected in the context of the performance of a contract or fulfilment of an order may be processed for a period of 5 years after the termination of the contractual relationship and, in the event of any disputes, for as long as necessary to defend against or assert legal claims.
Personal data may also be retained after the purpose for which they are processed has been fulfilled or until the expiry of the applicable limitation period, if further retention is required to enable us to deal with legal claims, or even for a longer period, if necessary to comply with a legal obligation or a decision of a competent authority.
Personal data collected will be anonymised or deleted after the time periods described above have expired.
RIGHTS OF INDIVIDUALS
Every data subject has the right to request from the controller access to their personal data, rectification or erasure of personal data, the restriction of relevant processing and the right to data portability, provided that certain legal conditions are met. For the purposes for which personal data are processed based on consent, the data subject shall have the right to withdraw their consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal, nor processing based on other legal grounds. However, for the purposes for which personal data are processed based on the legitimate interests of the controller, the data subject shall have the option to object to such processing.
Right to access
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing,
- the categories of personal data concerned,
- the recipients or categories of recipient to whom the personal data have been or will be disclosed,
- where possible, the time period for which the personal data will be stored, or the criteria used to determine that period,
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing,
- the right to file a complaint with a supervisory authority.
The controller shall provide a copy of the personal data being processed. For any additional copies, a reasonable fee may be charged. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in an electronic format which is commonly used.
Right to rectification
The data subject shall have the right to request the rectification or completion of incomplete or inaccurate personal data, including by submitting a supplementary statement.
Right to be forgotten
The data subject may request the erasure of his or her personal data if the data are no longer necessary for the purposes for which they were collected or processed; if they were unlawfully processed; if he or she objects to processing or withdraws consent; or if provided for by law or regulation. If such request is given, the controller takes reasonable measures, including technical measures, taking into account the available technology and the cost of implementation, to ensure that all processors to whom the controller has disclosed the data are aware of the erasure request and to require them to delete the links to, or copies of, the personal data, unless the processing is necessary for the exercise of the right to freedom of expression and information, compliance with a legal obligation or the establishment and defence of legal claims.
Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing if he or she objects to the accuracy of the verifiable data; if the processing is unlawful and the data subject does not seek erasure but requests the restriction of the processing; if the data subject requires the data for the assertion of or defence against legal claims, despite the fact that the data are no longer necessary for the purposes of the processing; or if the data subject has filed an objection to processing, pending assessment whether the legitimate grounds of the controller prevail over those of the data subject.
The right to inform users
The controller shall communicate to each user to whom personal data have been disclosed, any rectification or erasure of personal data or restriction of processing, unless this proves impossible or involves a disproportionate effort. If the data subject so requests, it shall inform him or her of those users.
Right to data portability
When data processing is carried out by automated means, the data subject shall have the right to receive personal data concerning him or her from the controller in a structured, commonly used, and machine-readable format and to have those data transferred to another controller, not being in any way hindered by the controller. The data subject shall have the right to have personal data directly transferred to another controller whenever this is technically possible.
Right to object
The data subject shall have the right to object, permanently or temporarily, at any time to processing of personal data concerning him or her where the processing is based on the legitimate interest of the controller.
HOW TO EXERCISE THESE RIGHTS
The data subject shall exercise all rights relating to the protection of personal data with the controller. The data subject shall have the right to request access to data concerning him or her and to exercise the right to restriction of processing, rectification, erasure, data portability, objection, and withdrawal of consent, in any of the following ways:
- by letter to the business address of the controller BSC, poslovno podporni center, d.o.o., Kranj, Cesta Staneta Žagarja 37, 4000 Kranj,
- by citation to the meeting minutes at the business address of the controller,
- by e-mail to the following e-mail address: _______.
The controller will process the request within the statutory time limit and inform the individual in writing by post or by e-mail of the measures taken. The controller may refuse to take any action in relation to a request if the request is manifestly unfounded or excessive.
Any data subject shall have the right to submit a complaint to the Information Commissioner if he or she considers that processing of personal data concerning him or her is incompatible with the law.
MISCELLANEOUS
We reserve the right to change this policy. Any changes made will be posted on the website.
BSC Kranj d.o.o.