Personal data protection policy
The purpose of the Personal Data Protection Policy is to inform individuals, service users, colleagues, employees and other persons (hereinafter referred to as “the individual”) who interact with Turizem Bohinj (hereinafter referred to as “the organisation”) about the purposes, legal bases, safeguards and rights of individuals with regard to the processing of personal data carried out by our organisation.
We value your privacy, so we always protect your data carefully.
We process personal data in accordance with European legislation (Regulation (EU) 2016/697 on the protection of individuals with regard to the processing of personal data and on the movement of such data (the “General Regulation”)), applicable Slovenian legislation in the field of personal data protection and other legislation that provides us with a legal basis for processing personal data.
The Personal Data Protection Policy contains information on how our organisation, as the controller, processes the personal data it receives from individuals on the basis of legal grounds.
Personal data means any information relating to an identified or identifiable individual.
An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or by reference to one or more factors specific to that individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
The organisation collects and processes your personal data on the following legal bases:
- the processing is necessary for compliance with a legal obligation, to which the controller is subject;
- the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of measures at the request of such data subject prior to the conclusion of the contract;
- the processing is necessary for the legitimate interests pursued by the controller or by a third party;
- the data subject has consented to the processing of his or her personal data for one or more specified purposes;
- the processing is necessary for the protection of the vital interests of the data subject or of another natural person.
If the organisation does not have a legal basis based on the law, a contractual obligation or a legitimate interest, it may ask the individual for consent or approval. It may also process certain personal data of the data subject for the following purposes where the data subject gives his or her consent:
- your home address and email address for information and communication purposes;
- photographs, videos and other content relating to an individual (e.g. posting images of individuals on the organisation’s website) for the purposes of documenting activities and informing the public about the organisation’s work and events;
- other purposes for which the individual consents.
If the data subject has given his or her consent to the processing of personal data and at some point no longer wishes to do so, he or she may request that the processing of personal data be discontinued by sending a request by e-mail to email@example.com or by regular mail to TIC Bohinj, Stara Fužina 38, 4265 Bohinjsko jezero.
Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.
The organisation may process the personal data of the data subject insofar as this is necessary for the protection of his or her vital interests.
In urgent cases, the organisation may search for an individual’s identity document, check whether that person exists in its database, examine the individual’s medical history or contact the individual’s relatives, without the need for the individual’s consent.
This applies where it is strictly necessary for the protection of the vital interests of the individual.
The organisation will keep personal data only for as long as necessary to fulfil the purpose for which the personal data were collected and processed.
If the organisation processes the data on the basis of the law, it will keep the data for the period prescribed by the law. In this case, some data is retained for the duration of the engagement with the organisation, while some data must be retained permanently.
Personal data processed by the organisation on the basis of a contractual relationship with an individual shall be retained by the organisation for the period necessary for the performance of the contract and for a period of 6 years after termination of the contract, except in cases where there is a dispute between the individual and the organisation in relation to the contract. In such a case, the organisation shall keep the data for 10 years after the final decision of the court, arbitration or court settlement or, in the absence of litigation, for 5 years from the date of amicable settlement of the dispute.
Those personal data processed by the organisation on the basis of the individual’s personal consent or legitimate interest will be retained by the organisation until the consent is withdrawn or until a request for deletion of the data is made. Upon receipt of a revocation or a request for deletion, the data shall be deleted within 15 days at the latest.
The organisation may also delete this data before revocation where the purpose of the processing of the personal data has been achieved or where required by law.
Exceptionally, an organisation may refuse a request for erasure on the grounds set out in the General Regulation, such as the following: the exercise of the right to freedom of expression and information, compliance with a legal obligation to process, grounds of public interest in the field of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the exercise or defence of legal claims.
After the retention period, the personal data must be effectively and permanently erased or anonymised by the organisation so that it can no longer be linked to a specific individual.
The organisation may entrust a contractual processor with the processing of personal data on the basis of a contractual processing agreement.
The contractual processors with which the organisation cooperates are mainly:
- accounting services and other providers of legal and business advice;
- infrastructure maintenance (video surveillance, security services);
- information systems maintainers;
- email service providers and software providers, cloud services (e.g. Arnes, Microsoft, Google);
- social network operators and online advertising and web analytics (Google, Facebook, Instagram, etc.).
Under no circumstances will the organisation disclose the personal data of an individual to unauthorised third parties.
Contract processors may only process personal data in the context of the organisation’s instructions and may not use personal data for any other purpose.
The organisation, as controller, and its employees do not export personal data to third countries (outside the Member States of the European Economic Area – EU Member States plus Iceland, Norway and Liechtenstein) and to international organisations, except to the USA, where the relationship with US contract processors is governed by standard contractual clauses (standard contracts adopted by the European Commission) and/or binding corporate rules (adopted by the organisation and approved by the supervisory authorities in the EU).
In order to improve the overview and control of the contractual processors and the regularity of the contractual relationship between them, the organisation shall maintain a list of contractual processors, which shall include all the specific contractual processors with which the organisation cooperates.
A cookie is a file that stores the settings of websites. Websites store cookies on users’ devices used to access the internet in order to identify individual devices and the settings used by users to access the internet.
Cookies allow websites to recognise if a user has already visited a website. For advanced applications, they can be used to adjust individual settings accordingly.
Their storage is under the full control of the browser used by the individual – which can restrict or completely disable the storage of cookies if desired.
The organisation is responsible for information and infrastructure security (premises and application system software).
Our IT systems are protected by, among other things, antivirus and firewall protection. We have put in place appropriate organisational and technical security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access and against other unlawful and unauthorised forms of processing.
In the case of specific types of personal data, we provide them in an encrypted and password-protected form.
It is the individual’s responsibility to ensure that his or her personal data is provided securely and that the data provided is accurate and reliable. The organisation will endeavour to ensure that the personal data it processes is accurate and, where necessary, kept up to date and may from time to time contact the individual to confirm the accuracy of the personal data.
Under the GDPR, the data subject has the following data protection rights:
- may request information about whether we hold his or her personal data and, if so, what data we hold, on what basis we hold it and why we use it;
- may request access to his/her personal data, which allows him/her to receive a copy of the personal data held by the organisation and to check whether the organisation is processing it lawfully;
- may request rectification of personal data, such as the rectification of incomplete or inaccurate personal data;
- may request the erasure of his/her personal data where there is no longer any reason for further processing or where he/she exercises his/her right to object to further processing;
- may object to further processing of personal data where the organisation relies on legitimate business interest (including in the case of legitimate interest of a third party), where there are grounds relating to the particular situation of the data subject; the data subject has the right to object at any time if the organisation processes personal data for direct marketing purposes;
- may request the restriction of the processing of his or her personal data, which means the interruption of the processing of personal data, for example, if the data subject wishes the organisation to establish its accuracy or to verify the grounds for further processing of personal data;
- may request the transfer of his/her personal data in a structured electronic format to another controller, insofar as this is possible and feasible;
- may withdraw the consent he/she has given to the collection, processing and transfer of his/her personal data for a specific purpose; upon notification that he/she has withdrawn his/her consent, the organisation will cease to process the personal data for the purposes for which he/she originally consented, unless the organisation has another lawful basis for doing so.
If the individual wishes to exercise any of the above rights, he or she may send a request by e-mail to firstname.lastname@example.org or by regular mail to Turizem Bohinj, Stara Fužina 38, 4265 Bohinjsko jezero.
The organisation will respond to a request concerning the rights of an individual without undue delay and in any event within one month of receipt of the request. Should this deadline be extended (by up to two additional months), taking into account the complexity and number of requests, you will be informed.
Access to an individual’s personal data and to the rights exercised is free of charge for the individual. However, the organisation may charge a reasonable fee if the data subject’s request is manifestly unfounded or excessive, in particular, if it is repetitive. In such a case, the organisation may also refuse the request.
In the case of the exercise of rights under this title, the organisation may need to request certain information from the individual to help it confirm the individual’s identity, which is only a precautionary measure to ensure that personal data is not disclosed to unauthorised persons.
In exercising his or her rights under this title, or if the individual considers that his or her rights have been infringed, he or she may, for protection or assistance, contact the supervisory authority, the Information Commissioner, at the following website: www.ip-rs.si.
If the data subject has any questions regarding the processing of personal data, he or she may at any time contact our organisation by e-mail at email@example.com or by regular mail at Turizem Bohinj, Stara Fužina 38, 4265 Bohinjsko jezero.