Personal Data Protection Policy

Content:

1. Introduction
2. Contact details of the controller and of the data protection officer
3. Personal data
4. Basis for processing and purpose of processing
5. Recipients of personal data, contractual data processing and transfer of personal data to third countries (countries that are not members of the European Union or the European Economic Area)
6. Personal data storage period
7. Personal data protection
8. Users’ rights in personal data protection
9. Procedure to exercise rights
10. Right to lodge a complaint regarding personal data processing
11. Policy validity

1. Introduction

Tosla d.o.o., Železna cesta 18, 1000 Ljubljana (hereinafter: “Tosla” or “controller”), is dedicated to responsibly handling the personal data of our clients, potential clients, Tosla website visitors and any natural persons who reveal their personal information when contacting us (hereinafter: “users”), so we are implementing this Personal Data Protection Policy (hereinafter: “Policy”) to inform our users in a transparent, easy to understand way using plain language about the purpose, the legal ground for the processing of their personal data and their rights regarding the processing, as they are afforded to them under the Personal Data Protection Act (ZVOP-1, Official Gazette of the Republic of Slovenia no. 94/2007) and the Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “General Data Protection Regulation”).
Terms, such as “controller”, “processing”, “restriction of processing”, “processor”, “profiling”, “pseudonymisation”, “third party” and “company”, used in this Policy have the meaning as stipulated in the General Data Protection Regulation.
In accordance with the General Data Protection Regulation, the Policy covers the following areas:

• Contact details of the controller and of the data protection officer,
• purposes and legal basis for processing various types of users’ personal data, including profiling the users’ personal data,
• recipients of the personal data, contractual data processing and the transfer of personal data to third countries,
• storage period for different categories of personal data,
• security of the personal data,
• users’ rights regarding the processing of their personal data,
• procedure to exercise users’ rights regarding personal data processing,
• the right to submit a complaint about personal data processing.

2. Contact details of the controller and of the data protection officer

The controller of the users’ personal data is Tosla d.o.o., Železna cesta 18, 1000 Ljubljana. Tosla has designated a data protection officer, who can be reached by e-mail at dataprotection@tosla.si.

3. Personal data

Personal data constitutes any information that identifies you as an identified or identifiable natural person. The user is identifiable when they can be directly or indirectly determined, especially using an identifier, such as the name, identification number, location data, an online identifier or by stating one or more factors specific to the user’s physical, physiological, genetic, mental, economic, cultural or social identity. In accordance with the purposes stated in the following chapters of the Policy, the controller collects the following personal data:

• basic information on the user (full name, title, occupation and other information about the employer),
• contact information and information about the user’s communication with the controller (e-mail, telephone number, date, time and contents of the postal or e-mail communication, date, time and duration of phone calls),
• data about attendance at events organized by Tosla (information on the event you attended, date and place of the event),
• channel and campaign – manner of gaining the user’s consent or the source through which the user came into contact with the controller (website and advertising campaign or promotion),
• data on the user’s use of the controller’s website (dates and hours of visits to the site, visited pages or URLs, duration of time spent on a website, number of visited pages, total time spent on the website, performed settings on the webpage) and usage data on received messages (e-mail, SMS) from the controller,
• data from voluntarily filled in forms on the controller’s website, e.g. for prize contests,
• other data the user voluntarily submits to the controller when requesting certain services that demand such data.

The controller does not collect or process the user’s personal data without their expressed consent, i.e. when ordering products or services, subscribing to e-newsletters, participating in a prize contest etc., when there is a legal basis for the collection of the personal data, the processing is necessary to execute contractual obligations or when the processing is necessary for legitimate interested pursued by the controller (hereinafter: “legitimate interest”).

4. Basis for processing and purpose of processing

Tosla will process your personal data for one of the purposes listed below based on the following legal basis:

• your agreement or consent,
• for compliance with the legal obligations of the controller,
• based on legitimate interest,
• for compliance with their contractual obligation.

Tosla will process your personal data solely for the purposes, for which they were collected and will not process them for purposes that are not compatible with the purposes, for which they were collected. Tosla collects only that personal data from the user that is vital for achieving a set purpose.

Processing to fulfil contractual obligations

In certain cases, processing personal data is vital for the execution of the controller’s contractual obligations. If the user does not provide the necessary personal data, the controller is unable to finalize a contract with the user or perform services.

The controller will process your personal data to perform contractual obligations for the following purposes:

• business Cooperation Agreement,
• carrying out activities stated in the cooperation agreement (consulting, preparing marketing and sales strategies, implementing marketing and sales campaigns, process informatization),
• communicating with contracting parties and other contact persons for the purposes of executing an activity stated in the cooperation agreement,
• to sign up a user to an event organized by Tosla, including for awarding certificates, receipts and licences to event attendees.

Processing based on consent or agreement

Based on your written consent, Tosla will process your personal data for the following purposes:

• sending e-mails for the purpose of informing about updates, new features (in standards and in publications), services as well as events at the controller or third person,
• for monitoring the user’s reading of sent e-mails, including which e-mail you opened or did not open, which links you clicked (which contents you read), how long you were reading them or surveyed certain contents,
• for segmenting users based on the factors from the previous paragraph and for further sending adapted (individualized) e-mails, which means different users can receive e-mails with different contents for the purpose of a better (more relevant) informing and achieving a higher level of response to the received e-mails,
• for the purposes of analysing the user’s pattern-of-life on the website: from where the user came to the website (source of the traffic), for monitoring their activities on the website, which websites they visited, which contents they downloaded or viewed,
• for segmenting users based on the facts from the previous paragraph and further sending adapted (individualized) messages through multichannel communication, which means different users can receive messages with different contents for the purpose of a better (more relevant) informing of individuals and reaching a higher level of user enthusiasm,
• for all other purposes for which you expressly agree in cooperating with the controller.

Any time you give consent for the processing of your personal data, the consent can be withdrawn at dataprotection@tosla.si.

Processing is necessary for completing Tosla’ legal obligations

Your personal data is also processed when required of us by the law. One example of such processing is processing your personal data for the purposes of judicial or administrative processes.

Processing based on legitimate interest for which Tosla strives

The controller can also process data based on legitimate interest, except when this interest is overruled by interests or basic rights and freedoms of the user to whom the personal data requiring data protection applies. In the case of using legitimate interest, the controller’s judgement always complies with the General Data Protection Regulation.

In certain cases, Tosla can, for further processing of your personal data based on legitimate interest that was collected based on one of the aforementioned legal basis (consent, contract), implement certain safeguards for the protection of your personal data, such as pseudonymisation, encryption, processing in an aggregated form and/or deleting certain categories of personal data.

Tosla will process your personal data based on a legitimate interest for the following purposes:

• Marketing, business and other technical analyses, such as analysing and determining which organizations the event attendees are coming from and what functions they perform in these organizations, for keeping records of how many and which events a user attended, for keeping records of awarded receipts, certificates and licences of event attendees.
• Preventing fraud, ensuring safety, submitting claims or defence of legal claims in court proceeding or administrative procedures. This allows the controller to process your personal data in cases of suspicion of fraud in an appropriate and proportional scope for the purpose of identifying and stopping potential fraud and deceit and can, if appropriate, forward the data to the police, the Prosecutor’s Office or other competent authority.
• Direct marketing, including creating user profiles, based on legally acquired personal data. The stated processing can be objected to in accordance with the chapter Right to Object in this Policy.

5. Recipients of personal data, contractual data processing and transfer of personal data to third countries (countries that are not members of the European Union or the European Economic Area)

Your personal data can be accessed solely by Tosla employees and authorized processers of personal data.

Tosla will never forward your personal data to unauthorized third persons.

By using Tosla websites and other services, you agree that Tosla may entrust individual tasks about your personal data to the processers listed below. The listed processers can process your personal data exclusively in the name and in accordance with Tosla’ written instructions, within the limits of the authorization, as stated in the agreement between Tosla and the processor, and in accordance with the purposes as stated in the Policy. The processors of your personal data may under no circumstances use your personal data to pursue any kind of personal interest.

Tosla collaborates with the following processors:

• The Mautic company with its seat in the USA, has contracts with Tosla for the purposes of storing personal data in digital form: Business Cooperation Agreement, Data Processing Agreement and standard contractual clauses (Commission Decision C(2010)593 – Standard Contractual Clauses). Mautic and the services they provide are in accordance with the agreement of the European Commission and the United States of America on the new legal Framework for Transatlantic Data Flow: Privacy Shield between the EU and the USA (EU-US Privacy Shield).
• The FrodXo.o., Celovška cesta 280, 1000 Ljubljana, business consulting company has contracts with Tosla for the purposes of personal data storage in digital form: Business Cooperation Agreement and Data Processing Agreement.

6. Personal data storage period

The controller will not process personal data longer than necessary to achieve the purposes for which the personal data was collected and further processed.

The personal data processed by Tosla is processed in compliance with the agreement and is stored by Tosla for the period that is necessary to complete the contract and for 5 years after its completion, except in cases when a disagreement arises about the contract between you and the controller. In that case, Tosla keeps that data for 5 years after the finalized court judgements or arbitration decisions or settlement, or in the case of no litigation, for 5 years after the dispute has been resolved peacefully.

The personal data processed by Tosla based on the law is stored by Tosla for the legally determined duration of time.

The personal data processed by the controller based on your personal consent or legitimate interest are kept by Tosla permanently until you withdraw your consent or submit a request that the processing be terminated. Tosla will delete such data before they are withdrawn only if the purpose of the processing of the personal data has been achieved or if it is determined by the law.

After the storage duration period has elapsed, Tosla will effectively and permanently delete or anonymize your personal data so that it can no longer be traced back to you.

7. Personal data protection

Tosla is dedicated to protecting your personal data. They prevent any unauthorized access to it, their use and their revelation with the following measures:

• The data is protected with the workspace, equipment and system software, including input-output units.
• The data is protected by application software that is used for processing personal data.
• Tosla prevents unauthorized access to personal data during their transfer, including forwarding using telecommunication means and networks.
• Tosla enables an effective way of blocking, destroying, deleting or anonimizing personal data after the purpose, for which they were collected, ceases.
• Tosla enables later detection of when individual data that had been entered into the personal data database were used, forwarded or otherwise processed and by whom.

Unauthorized access to personal data, their use and revelation is prevented by Tosla with the following safety technologies and procedures:

• controlling physical access,
• locking rooms, closets, computers,
• storing carriers of personal data in secured rooms,
• preventing office maintenance workers, clients and other visitors of the controller’s offices from having any consultation with the personal data,
• preventing password use to persons who have not been directly assigned to the stated purpose,
• limiting data transfer by the employees,
• controlling the number of copies and data transfer,
• limiting, documenting and securing the transfer of the data through telecommunication networks,
• preventing insight into the data to persons whose employment contract has been terminated,
• strictly separating their data from the data of any other possible controllers.

8. Users’ rights in personal data protection

In accordance with the General Data Protection Regulation, Tosla guarantees you the following rights relating to personal data protection, which are further elaborated in the following chapters of the Policy:

• right of access to the data,
• right to rectification,
• right to erasure (“right to be forgotten”),
• right to restriction of processing,
• right to data portability,
• right to object.

Right of access to the data

You have the right to obtain confirmation from Tosla as to whether or not they are processing your personal data, and, where that is the case, you have the right to access your personal data and the following information about personal data processing:

• the purposes of the processing,
• the categories of personal data,
• the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations,
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the user or to object to such processing,
• the right to lodge a complaint with a supervisory authority,
• where the personal data are not collected from the user, any available information as to their source,
• the existence of automated decision-making, including profiling, and meaningful information about the reasons for it, as well as the significance and the envisaged consequences of such processing for the user.

Right to rectification

You have the right to obtain from Tosla without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure (“right to be forgotten”)

You have the right to obtain from Tosla the erasure of personal data concerning you without undue delay and Tosla shall have the obligation to erase your personal data without undue delay where one of the following grounds applies:

• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
• you withdraw consent on which the processing is based, and where there is no other legal ground for the processing,
• you object to the processing pursuant the controller’s legitimate interest and there are no overriding legitimate grounds for the processing,
• you object to the processing for the purposes of direct marketing,
• the personal data have to be erased for compliance with a legal obligation in accordance with EU or Slovenian State law.

Where Tosla has acted in accordance with the Policy and has made your personal data public, Tosla shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the user has requested the erasure of any links to, or copy or replication of those personal data.

Right to restriction of processing

You have the right to obtain from Tosla the restriction of processing of your personal data where one of the following applies:

• You contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of your personal data.
• The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead.
• When Tosla no longer needs the personal data for the purposes of the processing, but you required them for the establishment, exercise or defense of legal claims.
• You have objected to processing, pending the verification whether the legitimate grounds of the controller override yours.

Right to data portability: 
You have the right to receive personal data concerning you, provided by Tosla, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from Tosla to which the personal data have been provided, when:

• the processing is based on consent or agreement, and
• the processing is carried out by automated means.

Right to object
On grounds relating to your particular situation, you have the right to object, at any time to processing of your personal data, if your objection is based on legitimate interests pursued by Tosla or a third party. Tosla shall no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the direct marketing is based on consent, the right to object can also be achieved by withdrawing the personal consent.

9. Procedure to exercise rights

All the aforementioned claims on exercising rights regarding your personal data can be addressed to the controller at the e-mail address dataprotection@tosla.si or by post to the address Tosla d.o.o., Železna cesta 18, 1000 Ljubljana, Slovenia.
If you submit your claim, in accordance with the previous paragraph, using electronic means, the information, where possible, will be provided to you in electronic means, unless you request otherwise.

The controller can, for the purposes of reliable identification in cases of claiming rights on personal data, request additional information from you that is necessary to confirm your identity, and may decline acting in accordance with this chapter only in the event that they cannot reliably identify you.

The controller will respond to your request exercising your rights regarding your personal data without undue delay in no more than a month after receiving the claim. Tosla can extend the deadline to comply with the rights for no more than two additional months, taking into account the complexity and number of claims. If Tosla extends the deadline, they will inform you about the extension within one month of receiving the claim, including the reasons for the delay.

If your claims regarding this chapter are obviously unfounded or excessive, especially when repetitive, Tosla can:

• charge a reasonable fee based on administrative costs of forwarding the information or the claim or of processing the claim,
• decline to act on the claim.

10. Right to lodge a complaint regarding personal data processing

You can send any potential complaint regarding the processing of your personal data to the e-mail address dataprotection@tosla.si or by post to the address Tosla d.o.o., Železna cesta 18, 1000 Ljubljana, Slovenia.

You have the right to lodge your complaint directly to the Information Commissioner, if you believe processing your personal data is infringing on Slovenian State or EU rules on personal data protection.

11. Policy validity

This Policy enters into force on 25 May 2018 and can be changed or amended at any time.