The purpose of this privacy policy is to inform individuals, customers, product or service users, colleagues, employees and other persons (hereinafter: individuals), who cooperate with the company Tenzor, d. o. o. (hereinafter: company), about the purposes, legal bases, security measures and rights of individuals regarding the processing of personal data carried out by the company.
We value your privacy, so we always carefully protect your data.
We process personal data in accordance with the applicable legislation on personal data protection and other legislation that provides us with a legal basis for personal data processing.
Any change to this document will be published on our website. By
using the website, you confirm that you are familiar with the entire content of
the privacy policy.
Personal data controller:
TENZOR, d. o. o.
Mariborska cesta 13
SI-2250 PTUJ
email: gdpr@tenzor.si
phone: +386 (0)2 788 01 10
Website: https://www.tenzor.si
1)
Personal data
Personal data means any information relating to an identified or
identifiable individual; an identifiable individual is one who can be
identified, directly or indirectly, in particular by reference to an identifier
such as: name, identification number, location data, online identifier or to
one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that individual.
2)
Purposes of and bases for data processing
The company collects and processes personal data on the
following legal bases:
·
processing is necessary for
compliance with a legal obligation to which the controller is subject;
·
processing is necessary for the performance
of a contract to which the data subject is party or in order to take steps
at the request of the data subject prior to entering into a contract;
·
processing is necessary for the
purposes of the legitimate interests pursued by the controller or by a
third party;
·
the data subject has given consent
to the processing of their personal data for one or more specific purposes;
·
processing is necessary in order
to protect the vital interests of the data subject or of another natural
person.
The company may, based on the pursuit of its legitimate
activities, inform its customers and service users about its services, events,
training, offers and other content via email. An individual may at any time
request that such communication and processing of personal data be stopped, and
unsubscribe from the messages via the unsubscribe link in the received message
or submit a request by email or mail to the company’s address.
The legal bases for data processing are legitimate interest and
consent. The data will be processed until the data subject unsubscribes or
withdraws the consent or until the purpose of processing is fulfilled. The
withdrawal of consent does not affect the lawfulness of processing based on
consent prior to the withdrawal.
Video surveillance
Tenzor, d. o. o., carries out video surveillance. We use video
surveillance (cameras are located near the entrances to the organization) to
monitor entries into and exits from the premises (based on Article 77 of the
ZVOP-2). We also carry out video surveillance for the purpose of protecting
individuals (users, employees and visitors) and the property of the
organization (based on a legitimate interest, as defined in point (f) of
paragraph 1 of Article 6 of the General Regulation). Recordings are stored for
90 days. We do not carry out video surveillance in a way that would have a
special impact on processing. Video surveillance also does not enable unusual
further processing, such as transfers to entities in third countries or the
possibility of audio interventions when monitoring the events live. Video
surveillance allows for live monitoring of events. All information regarding
video surveillance can be obtained at the organization’s telephone number or
email address. The rights of individuals are described in this Privacy
Policy.
Performance
of a concluded contract
When an individual concludes a contract with the company, this
represents a legal basis for processing the personal data. The company may
process personal data to conclude and perform contracts such as the sale of
goods and services, preparation of offers, participation in various programs,
etc. If an individual does not provide personal data, the company cannot
conclude a contract, nor can the company perform the service or deliver goods
or other products in accordance with the concluded contract, as it does not
have the data necessary for its performance. On this basis, the company
processes only and exclusively the personal data necessary to conclude the
contract and properly fulfil contractual obligations.
The legal basis for data processing is a contract. The data is
stored until the purpose of the contract is fulfilled or up to 6 years after
the termination of the contract, except in cases where a dispute arises between
the individual and the company in relation to the contract. In this case, the
company shall keep the data for another 10 years after the court decision,
arbitration or court settlement becomes final or, if the dispute is not taken
to court, 5 years from the day of amicable dispute resolution.
Legitimate interest
The company may also process personal data on the basis of a
legitimate interest it pursues. Such processing is not permitted when such
interests are overridden by the interests or fundamental rights and freedoms of
the data subject which require the protection of personal data. When applying
legitimate interest, the company carries out an assessment in accordance with
the law. The processing of data subject’s personal data for direct marketing
purposes is considered to be carried out for a legitimate interest.
The company may process personal data of individuals that it has
collected from publicly accessible sources or in the course of legitimate
business activities, also for the purposes of offering goods, services,
employment, informing about benefits, events, etc. To achieve these purposes,
the company may use mail, telephone calls, email and other communication means.
For direct marketing purposes, the company may process the following personal
data: individual’s name and surname, address of permanent or temporary
residence, telephone number and email address. The company may also process
these personal data for direct marketing purposes without the individual’s explicit
consent. An individual may at any time request that such communication and
processing of personal data be stopped, and unsubscribe from the messages via
the unsubscribe link in the received message or submit a request by email or
mail to the company’s address.
The legal basis for data processing is legitimate interest. The
data will be processed until the data subject unsubscribes or until the purpose
of processing is fulfilled. The withdrawal does not affect the lawfulness of
processing based on consent prior to the withdrawal.
Processing based on consent or
agreement
If the company does not have a legal basis for processing in the
law, contractual obligation, legitimate interest or protection of individual’s
life, it may ask the individual for consent or agreement. Thus, it can also
process certain personal data for the following purposes, when the individual
has given consent:
·
residential and email address
(for the purpose of informing and communicating);
·
photos, videos and other content
relating to the individual (e.g. posting photos of individuals on the website
for the purposes of documenting activities and informing the public about
company’s work and events);
·
other purposes that the
individual has agreed to with the consent.
If an individual who gave their consent for personal data
processing no longer wants their data to be processed, they may request that
the processing of their personal data is terminated by sending a request via
email or mail to the company’s address. The withdrawal of consent does not
affect the lawfulness of processing based on consent prior to the withdrawal.
Upon receiving the withdrawal or request for erasure, the data shall be deleted
within 15 days. The company may also delete this data before the withdrawal,
when the purpose of personal data processing is achieved or if so determined by
law.
The company may in exceptional cases refuse a request for
erasure for reasons laid down in the General Regulation when exercising the
right to freedom of expression and information, fulfilling a legal obligation
of processing, on the grounds of public interest in the area of public health,
archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes, or when exercising or defending legal
claims.
The legal basis for data processing is consent. The data will be
processed until the data subject revokes or withdraws the consent or until the
purpose of processing is fulfilled. The withdrawal of consent does not affect
the lawfulness of processing based on consent prior to the withdrawal.
Protection of data subject’s
vital interests
The company may process the data subject’s personal data, if
this is necessary to protect their vital interests. In emergencies, the company
may search for an individual’s ID document, check whether they are in its
database, examine their medical history or contact their relatives, for which
the company does not need the individual’s consent. This applies when such
actions are urgently necessary to protect the vital interests of the
individual.
3) Storage and erasure
of personal data
The company will keep personal data only for as long as
necessary to fulfil the purpose for which the personal data were collected and
processed. If the company processes data based on a law, it will keep them for
the period prescribed by the law. In such cases, some data are kept for the
duration of cooperation with the company, while some data must be kept
permanently. The company shall keep the personal data processed based on a contractual
relationship with an individual for the period necessary to perform the
contract and another 6 years after its termination, except in cases where a
dispute arises between the individual and the company in relation to the
contract. In this case, the company shall keep the data for another 10 years
after the court decision, arbitration or court settlement becomes final or, if
the dispute is not taken to court, 5 years from the day of amicable dispute
resolution. The company shall keep the personal data processed based on the
individual’s consent or legitimate interest until the consent is withdrawn or a
request for deletion of data is made. Upon receiving the withdrawal or request
for erasure, the data shall be deleted without undue delay. The company may
also delete this data before the withdrawal, when the purpose of personal data
processing is achieved or if so determined by law. When an individual exercises
their rights, the company shall keep their personal data until the matter is
finally decided, and after the final decision in accordance with the final
decision in the matter.
The company may in exceptional cases refuse a request for
erasure for reasons such as: exercising the right to freedom of expression and
information, fulfilling a legal obligation of processing, reasons of public
interest in the area of public health, archiving purposes in the public
interest, scientific or historical research purposes or statistical purposes,
exercise or defense of legal claims. After the storage period expires, the
company must effectively and permanently delete or anonymize the personal data
so that they can no longer be linked to a specific individual.
4)
Contractual personal data processing and data transfer
The company may entrust individual processing of personal data
to a contractor based on a contract on contractual processing. The contractor
may process entrusted data exclusively on behalf of the controller, within the
limits of the authorization, laid down in a written contract or other legal
act, and in accordance with the purposes defined in this privacy policy.
The contractual processors with whom the company works are
primarily:
·
providers of auditing, and other
legal and business consultancy services;
·
providers of information system
maintenance;
·
providers of email services,
software, cloud services (Microsoft, Google).
To improve the overview and control over contractors processing
personal data and the administration of mutual contractual relations, the
company also keeps a list of data processing contractors, which contains all
specific contractors with whom the company cooperates.
The company will under no circumstances transfer the
individual’s personal data to third unauthorized persons. Contractual
processors may process the personal data only within the company’s instructions
and may not use the personal data for any other purposes.
The company as a controller and its employees will not transfer
personal data to third countries (countries outside the European Economic Area
– EU member states and Iceland, Norway and Liechtenstein) or to international
organizations.
5)
Cookies
The company’s website uses cookies, which are important for
providing online services, and are used to store data about the status of
individual web pages, to help collect statistics about website users and
visits, etc. Upon entering the website, only those cookies that are necessary
for website functioning (e.g. for the shopping cart) are downloaded to the
device. Other cookies will only be downloaded with the individual’s consent.
The individual may change the settings at any time and delete cookies (instructions
are available on each browser’s website).
Types of cookies we use:
Cookie name |
Cookie type |
Description |
Duration |
ASP.NET_SessionId |
functional
cookie |
Cookie
used by aaa.bisnode.si to display the credit rating. |
Session |
LanguageCookie |
functional
cookie |
Cookie used by aaa.bisnode.si to display the credit rating in the selected language. |
1
day |
_ga,
_ga_XXXXXXXXXX |
analytics
cookies |
Cookie
used by Google Analytics to track statistics |
1
year |
_gat_gtag_UA_XXXXXXXXX_Y |
analytics
cookies |
Cookie
used by Google Analytics to track statistics |
1
day |
_gid |
analytics
cookies |
Cookie
used by Google Analytics to track statistics |
2
days |
mp_currentlang |
system
cookie |
Cookie
necessary for the proper functioning of the website |
1
month |
gdpr_agreements |
system
cookie |
Cookie
used for displaying the cookie disclaimer |
1
year |
PH_HPXY_CHECK |
system
cookie |
Cookie
used by the security system to prevent brute force attacks, which does not
allow the identification of an individual user. |
Session |
6)
Data protection and data accuracy
The company takes care of information and infrastructure
security (premises and application and system software). Among other things,
our information systems are protected with antivirus software and a firewall.
We have implemented appropriate organizational and technical security measures
aimed at protecting personal data from accidental or unlawful destruction,
loss, alteration, unauthorized disclosure or access, and from other unlawful
and unauthorized types of processing. When transferring special categories of
personal data, we send them encrypted and protected with a password. An
individual is responsible for sending their personal data securely and for the
accuracy and credibility of such data.
7)
Individual’s rights regarding data processing
The data subject has the right to request access to personal
data and rectification or deletion of personal data or restriction of
processing concerning them, and the right to object to processing and the right
to data portability. The individual’s request shall be processed in accordance
with the provisions of the General Regulation and the applicable personal data
protection legislation.
Individuals can exercise all these rights and raise any issues
with a request sent to the company’s address. The company will respond to the
individual’s request without undue delay, no later than within one month of
receiving the request. This period may be extended by up to two additional
months, taking into account the complexity and number of requests, which will
be communicated to the individual together with the reasons for the delay.
Individuals may exercise their rights free of charge, however, the company may
charge a reasonable fee if requests are obviously unfounded or excessive,
especially if they are reoccurring. In such cases, the company may also refuse
the request. In case of doubt about the identity of an individual, the company
may request additional information needed to establish the identity.
When informing the individual about the decision regarding their
request, the company will also provide the reasoning and the information about
their right to lodge a complaint with a supervisory authority within 15 days of
being informed of the decision. The right to lodge a complaint with a
supervisory authority can be exercised by the individual at: Information
Commissioner of the Republic of Slovenia at the address: Dunajska 22, SI-1000
Ljubljana (e-mail: gp.ip@ip-rs.si, website: www.ip-rs.si).