PRIVACY TERMS

Privacy Terms of the company GASTROFUZIJA D.O.O.

 

DEFINITION OF TERMS

Privacy Terms
The Privacy Terms are an internal act of the company GASTROFUZIJA D.O.O. (hereinafter: the Processor) and apply to all legal relationships between it and the clients of its services (hereinafter: the Controller). The act defines the rights and obligations of the Processor and the Controller in the management and processing of individuals’ personal data.

Personal Data
Personal data means any information relating to an identified or identifiable individual who is a natural person. An identified individual is one whose personal data is defined and processed in accordance with the purposes set by the Controller. An identifiable individual is one who can be identified directly or indirectly, and whose personal data can be processed in accordance with the purposes set by the Controller.

Individual
An individual is any natural person whose personal data is processed on a legal or contractual basis between the Controller and that individual, or based on the express consent given by the individual to the Controller.

Controller
The Controller determines the purposes and means of processing within the scope of its registered activity and/or legal powers. The individual is informed in advance of who the controller and the processor of their personal data are.

Processor
The Processor processes the personal data of individuals on behalf of the Controller, according to its instructions, within the framework of lawful purposes and processing methods.

Sub-processor
A sub-processor processes personal data on behalf of and according to the instructions of the Processor, within the framework of lawful purposes and processing methods.

Processing
Processing of personal data means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Restriction of Processing
Restriction of processing means the marking of stored personal data with the aim of limiting its processing in the future.

Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyze or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Pseudonymization
Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Consent
Consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Personal Data Breach
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

 

PROCESSING OF PERSONAL DATA

Processor Details
COMPANY NAME: GASTROFUZIJA D.O.O.
ADDRESS: Topniška ulica 43, Ljubljana, 1000 Ljubljana
Registration Number: 7238436000
Tax ID: 31360424
The person responsible for providing information regarding this act and personal data protection is: Kreft Primož

Sub-processors
The Processor has contracts in place for the further processing of individuals’ personal data in cases where it uses external processors for the performance of its services, who act as sub-processors to the Controller. The Processor is responsible for the selection of sub-processors and ensures they are bound by the same or higher levels of data protection as required by Slovenian and European Union regulations. The Processor informs the Controller of its existing processors and any replacement or hiring of new processors. This is done by announcing new privacy terms, providing the Controller with thirty days to comment on, confirm, or object to the changes.

Legal Basis for Processing
The Processor has a legal basis for processing personal data based on a previously concluded contract between the Controller and the Processor or based on another agreement for service orders. The Processor is responsible for ensuring the Controller is informed of this act and other acts regulating data processing. The Controller is responsible for ensuring appropriate legal bases (legitimate interest, contractual interest, and/or express consent).

Types of Personal Data
The Processor processes only those personal data provided by the Controller. The Processor never processes other personal data of the Controller’s individuals.

Purposes of Processing
The Processor processes personal data only for the purposes instructed by the Controller. The Processor never processes personal data for other purposes.

Role of the Controller
The Controller is obliged to provide instructions for the processing of the personal data it manages. The Controller must clearly and unambiguously inform the Processor about the types of data and the purposes for which they can be processed.

Documented Instructions
Under this act, the Controller must define the content and duration of processing, the nature and purpose of processing, the types of data, and the categories of data subjects. Instructions must be documented (email or mail). In case of verbal instructions, the Processor will request written confirmation.

Confidentiality
The Processor ensures that persons authorized to process data are bound by confidentiality. The Processor has an internal Personal Data Protection Policy and obtains written confidentiality commitments from all employees and external associates.

Individual Rights
The Processor provides technical support to ensure the Controller can fulfill individual rights (rectification, erasure, restriction, portability, and objection) within the legal scope.

Erasure or Return of Data
Based on the Controller’s documented instructions, the Processor deletes or returns all personal data after the completion of services and destroys existing copies, unless storage is required by law.

Access to Information
The Processor provides all information necessary to demonstrate compliance and allows for audits or inspections conducted by the Controller or an authorized auditor.

 

SECURITY OF PROCESSING

Security Measures
Taking into account the state of the art and costs of implementation, the Controller and Processor implement technical and organizational measures to ensure a level of security appropriate to the risk, including:
* Pseudonymization and encryption of personal data.
* Ability to ensure ongoing confidentiality, integrity, availability, and resilience of systems.
* Ability to restore availability and access to data in a timely manner in the event of an incident.
* Regular testing and evaluation of the effectiveness of measures.

Data Protection Officer
The Processor is not obliged to appoint a Data Protection Officer (DPO) as it is not a public authority, and its core activities do not involve large-scale regular monitoring or processing of special categories of data.

 

FINAL PROVISIONS

Binding Nature of Legal Terms
These Privacy Terms apply to all Controllers with whom the Processor has a business relationship. They are considered an integral part of the service order. The Controller confirms awareness and agreement before ordering services.

Changes to Privacy Terms
The Processor updates these terms regularly according to legal changes. Controllers will be informed of changes via email in a timely manner.

Dispute Resolution
The Processor and Controller commit to resolving any disagreements peacefully. If an amicable solution is not possible, the court in the Republic of Slovenia at the Processor’s seat shall have jurisdiction.