We handle your personal data in accordance with the law, fairly, securely and transparently for you. We process personal data in accordance with European legislation (Regulation (EU) 2016/697 on the protection of individuals in the processing of personal data and on the flow of such data (hereinafter: “General Regulation”)), valid Slovenian legislation in the field of personal data protection and other legislation, which gives us a legal basis for processing personal data.
We are aware of our responsibility because you entrusted us with your personal data. Therefore, all key information regarding data processing, our obligations and your rights is listed below.
The purpose of the personal data protection policy is to inform users of the service, individuals, colleagues, business partners, employees and other persons (hereinafter: individual) who work with the company Gostilna Repanšek Andrej Repanšek s.p. (hereinafter: the company) about the purposes and legal bases, measures for data security and the rights of individuals regarding the processing of personal data carried out by our company.
We process personal data in accordance with Regulation (EU) 2016/697 on the protection of individuals in the processing of personal data and on the free flow of such data (hereinafter: “General Regulation”), valid Slovenian legislation in the field of personal data protection and privacy in electronic communications and other regulations governing the protection of personal data. When processing personal data, we rely on the legal basis for the legality of processing from Article 6(1) of the General Regulation, namely: consent (a), execution of a contract (b), fulfillment of a legal obligation (c), performance of a task in the public interest (e) and legitimate interest (f).
This policy describes for what purposes and in what manner we process the personal data we receive from you based on the legal bases described below.
Personal data controller
The controller of personal data is the company: Gostilna Repanšek Andrej Repanšek s.p.
Address: Bolkova ulica 42, 1235 Radomlje
phone: 041 356 710
Authorized person for the protection of personal data
In accordance with Article 37 of the General Regulation, we have not appointed an authorized person. If you have any questions regarding the processing of your personal data, you can write to us at the e-mail address: firstname.lastname@example.org
Personal data means any information relating to a specific or identifiable individual. This means that personal data is not only the first and last name, date of birth, address, EMŠO and tax number of an individual, but also any data that enables a connection with a specific individual.
Individual – is a specified or identifiable natural person to whom the personal data refers; a natural person is identifiable if he can be directly or indirectly identified, primarily by reference to an identification number or to one or more factors that characterize his physical, physiological, mental, economic, cultural or social individuality.
Purposes of processing and basis for data processing
The company collects and processes your personal data on the following legal bases:
• processing is necessary to fulfill a legal obligation applicable to the controller;
• processing is necessary for the implementation of a contract, the contractual party of which is the individual to whom the personal data relates, or for the implementation of measures at the request of such an individual before the conclusion of the contract;
• processing is necessary due to legitimate interests pursued by the controller or a third party;
• the individual to whom the personal data relates has consented to the processing of his personal data for one or more specific purposes;
• processing is necessary to protect the vital interests of the individual to whom the personal data relates or another natural person.
4.1. Fulfillment of legal obligations
Based on legal obligations, companies mainly process data about their employees, which is allowed by labor law and social welfare legislation.
Based on the legal obligation, the company mainly processes the following types of personal data for employment purposes: first and last name, gender, date of birth, EMŠO, tax number, address, place and country of birth, telephone number, email address, etc. In limited cases, the processing of personal data is permissible in the company also on the basis of public interest.
In order to monitor monthly payments, the company processes data on the amount of service payments. We rely on this data on a contractual legal basis, and we are bound by the VAT Act to collect it. Due to our obligation to fulfill our legal obligations, we will process your personal data in accordance with the regulations in the field of taxes, which means that in the case of financial transactions, we will keep your data, such as payer data (TRR, name, surname), for ten years after the end of the calendar year in which we issued you the invoice. The legal basis for this purpose of processing is the fulfillment of a legal obligation.
4.2. Execution of the contract
In the event that an individual enters into a specific contract with a company, this constitutes the legal basis for the processing of personal data. We may process personal data in this way for the conclusion and implementation of the contract. When concluding a contract with an individual or company, we obtain the following information: name, surname, company name, address and contact information, e-mail address, telephone and tax number.
If the individual does not provide personal data, the company cannot conclude a contract, nor can the company provide you with a service or deliver goods or other products in accordance with the concluded contract, as it does not have the necessary information for implementation. Based on the performance of a legal activity, the company can inform individuals and users of its services to their email address about its services, events, trainings, offers and other content. The individual can at any time request the termination of this type of communication and processing of personal data and cancel receiving messages via the unsubscribe link in the received message, or as a request by e-mail to: email@example.com or by regular mail to the company’s address.
4.3. Legitimate interest
The enforcement of the legal basis of legitimate interest is limited to processing by public authorities in the performance of their tasks. However, the company may also process personal data on the basis of a legitimate interest, which the company pursues to a limited extent.
The latter is not permissible when such interests prevail over the interests or fundamental rights and freedoms of the individual to whom the personal data relate, which require the protection of personal data. In case of use of legitimate interest, the company always conducts an assessment in accordance with the General Regulation.
Thus, we can periodically inform individuals about services, events, trainings, offers and other content via e-mail, telephone calls and regular mail.
The individual can at any time request the termination of this type of communication and processing of personal data and cancel receiving messages via the unsubscribe link in the received message, or as a request by e-mail to: firstname.lastname@example.org or by regular mail to the company’s address.
4.4. Processing on the basis of consent
Insofar as the company does not have a legal basis demonstrated on the basis of law, contractual obligation or legitimate interest, it may ask the individual for consent. Thus, it can also process certain personal data of an individual for the following purposes, when the individual gives this consent:
• residential address and email address for notification and communication purposes;
• photos, videos and other content relating to individuals (e.g. publication of photos of individuals on the company’s website) for the purpose of documenting activities and informing the public about the company’s work and events;
• other purposes to which the individual consents.
If an individual gives his consent to the processing of personal data and at some point no longer wishes to do so, he can request the termination of the processing of personal data by sending a request by e-mail to the e-mail address: email@example.com or by regular mail to the address of the company. Revocation of consent does not affect the lawfulness of processing based on consent prior to its revocation.
4.5. Processing is necessary to protect the vital interests of the individual
The company can process the personal data of the individual to whom the personal data relates, insofar as this is necessary to protect his vital interests. In urgent cases, the company can search for an individual’s personal document, check whether this person exists in its database, examine his medical history or establish contact with his relatives, for which the company does not need the individual’s consent. The above applies in cases where this is absolutely necessary to protect the vital interests of the individual.
5. Storage and deletion of personal data
The company will keep personal data only as long as it is necessary to fulfill the purpose for which the personal data was collected and processed. If the company processes data on the basis of the law, it will keep it for the period prescribed by law.
Some data is kept for the duration of cooperation with the company, while some data must be kept permanently. We will keep personal data that the company needs for the execution of the contract for as long as is necessary for the execution of the contract and for five years after the end of the calendar year in which the contract has ended, except in the case where a longer storage period would be necessary due to a dispute related to the contract. In such a case, we will keep your personal data for 10 years after the end of the calendar year of the finality of the court decision, arbitration or court settlement, or – if there was no legal dispute – 5 years after the end of the calendar year from the date of peaceful resolution of the dispute.
Those personal data that the company processes on the basis of the individual’s personal consent or legitimate interest will be kept by the company until the consent is revoked or until the data is deleted. After receiving the cancellation or request for deletion, the data will be deleted within 15 days at the latest. The company can delete this data even before cancellation, when the purpose of personal data processing has been achieved or if it is stipulated by law.
Exceptionally, the company may refuse a request for deletion for reasons from the General Regulation, such as: exercise of the right to freedom of expression and information, fulfillment of the legal obligation of processing, reasons of public interest in the field of public health, purposes of archiving in the public interest, scientific or historical research purposes or statistical purposes, the exercise or defense of legal claims.
After the retention period has expired, the company must effectively and permanently delete or anonymize personal data so that it can no longer be linked to a specific individual.
Contractual processing of personal data and data export
The contractual processors with whom the company cooperates are mainly:
• accounting services and other providers of legal and business advice;
• infrastructure maintainers (video surveillance, security, cleaning services);
• maintainers of information systems;
• e-mail service providers and providers of software, cloud services;
• providers of social networks and online advertising (Google, Facebook, Instagram, Linkedin, etc.).
For the purposes of better inspection and control over contract processors and regulation of the mutual contractual relationship, the company also maintains a list of contract processors, which lists all specific contract processors with which the company cooperates.
For some services, we may also forward your personal data to potential partners in projects, to supervisory authorities or at the request of the judicial branch of government.
Under no circumstances will the company provide personal data of an individual to unauthorized third parties. Contract processors may only process personal data within the framework of the company’s instructions and may not use personal data for any other purposes.
As a controller, the company and its employees do not export personal data to third countries (outside the member states of the European Economic Area – EU members and Iceland, Norway and Liechtenstein) or to international organizations, except to the USA, whereby relations with contract processors from the USA are regulated on the basis of standard contractual clauses (standard contracts adopted by the European Commission) and/or binding business rules (adopted by the company and approved by supervisory authorities in the EU).
The company’s website works with the help of so-called cookies. A cookie is a file that stores website settings. Websites store cookies on the devices that users use to access the Internet in order to identify individual devices and the settings that users used to access the website. Cookies allow websites to recognize if the user has already visited the website. In the case of advanced applications, individual settings can be adjusted accordingly. Their storage is under the full control of the browser used by the individual – the browser can limit or completely disable the storage of cookies as desired.
When you visit our site, you can set the desired cookies at the bottom of the page or accept or reject them all.
Security and accuracy of data
The company takes care of information security and infrastructure security (premises and application system software). Our information systems are protected by anti-virus programs and a firewall, among other things. The company has implemented appropriate organizational and technical security measures aimed at protecting personal data against accidental or illegal destruction, loss, modification, unauthorized disclosure or access, as well as against other illegal and unauthorized forms of processing.
In the case of transmission of special types of personal data, they are transmitted in an encrypted form and protected by a password. As an individual, you are responsible for providing us with your personal information securely and for ensuring that the information provided is accurate and authentic. The company (controller) will make every effort to ensure that the personal data it processes is accurate and, if necessary, updated; from time to time it may contact the individual to confirm the accuracy of the personal data.
Your rights regarding data processing
In accordance with the General Regulation, an individual has the following rights regarding the protection of personal data:
• he may request information about whether we have his personal data and, if so, what data we have, on what basis we have it and why we use it;
• he may request access to his personal data, which allows him to receive a copy of the personal data held by the company and to check whether the company is processing it legally;
• he may request corrections of personal data, such as correction of incomplete or inaccurate personal data;
• he may request the deletion of his personal data when there is no reason for further processing or when he exercises his right to object to further processing;
• he may object to the further processing of personal data where the company refers to a legitimate business interest (even in the case of a third party’s legitimate interest), when there are reasons related to the individual’s special situation; the individual has the right to object at any time if the company processes personal data for direct marketing purposes;
• he may request the restriction of the processing of his personal data, which means the interruption of the processing of personal data, for example, if the individual wants the company to establish the accuracy or to check the reasons for the further processing of personal data;
• he may request the transfer of his personal data in a structured electronic form to another controller, insofar as this is possible and feasible;
• he may revoke the consent he gave to the collection, processing and transfer of his personal data for a specific purpose; upon receipt of notice that he has withdrawn his consent, the company will cease to process the personal data for the purposes for which it was originally accepted, unless the company has another legal basis for doing so lawfully.
If you wish to exercise any of the aforementioned rights, you can send a request by e-mail to the e-mail address: firstname.lastname@example.org or by regular mail to our address.
We will respond to a request relating to individual rights without undue delay and in any case within one month of receiving the request. In the event that this deadline is extended (by a maximum of two additional months) taking into account the complexity and number of requests, you will be notified.
Access to an individual’s personal data and the exercise of rights is free of charge to the individual, but we may charge you a reasonable fee to the extent that your request is manifestly unfounded or excessive, particularly if it is repeated.
In such a case, we may also reject your request. In the case of exercising rights under this title, we may need to request certain information from you to help us confirm your identity, which is a security measure to ensure that your personal information is not disclosed to unauthorized persons.
At any time, and especially if you think that our enforcement of your rights from the protection of personal data is not adequate, you can write to us at the e-mail address: email@example.com
When exercising your rights from this title, or if you believe that your rights have been violated, you can contact the supervisory authority, which is the Information Commissioner in Slovenia, Dunajska 22, 1000 Ljubljana, https://www.ip-rs.si
If you have any additional questions regarding our processing of your personal data, you can contact us at any time by e-mail at firstname.lastname@example.org or by regular mail to our address.
Announcement of changes
Any changes to our Personal Data Protection Policy will be published on the company’s website: www.gostilnarepansek.si; Gostilna Repanšek, Andrej Repanšek s.p.
We try to ensure that this policy is always in accordance with the law and our actual operation in the field of personal data processing. Therefore, we will change this policy from time to time and publish it on this website.
By using the website, the individual confirms that he accepts and agrees with the entire content of this personal data protection policy.
Last confirmation of amended policy: 08/03/2022