Personal data protection policy - K&Z, svetovanje za razvoj d.o.o.

PERSONAL DATA PROTECTION POLICY

We handle your personal data in accordance with applicable legislation, fairly, securely, and in a transparent manner. We process personal data in line with European legislation (Regulation (EU) 2016/697 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter: the “General Regulation”)), applicable Slovenian legislation on personal data protection and privacy in electronic communications, and other regulations governing the protection of personal data.

We are aware of our responsibility because you have entrusted us with your personal data. Therefore, all key information regarding data processing, our obligations, and your rights is set out below.

The purpose of this Personal Data Protection Policy is to inform service users, individuals, associates, business partners, employees, and other persons (hereinafter: the “individual”) who cooperate with the company K&Z, Svetovanje za razvoj d.o.o. (hereinafter: the “company”) about the purposes and legal bases, data security measures, and the rights of individuals regarding the processing of personal data carried out by our company.

When processing personal data, we rely on the legal bases for lawful processing under Article 6(1) of the General Regulation, namely: consent (a), performance of a contract (b), compliance with a legal obligation (c), performance of a task carried out in the public interest (e), and legitimate interest (f).

This policy describes for which purposes and in what way we process personal data that we receive from you on the basis of the legal grounds described below.

Data Controller

The data controller is the company K&Z, Svetovanje za razvoj d.o.o.

Company address: Kranjska cesta 4, 4240 Radovljica, Slovenia
Telephone: +386 41 366 312
E-mail: info@kz-consult.si

Data Protection Officer

Pursuant to Article 37 of the General Regulation, we have not appointed a Data Protection Officer. If you have any questions regarding the processing of your personal data, you may contact us at: info@kz-consult.si

Personal Data

Personal data means any information relating to an identified or identifiable individual. This means that personal data are not only a person’s first and last name, date of birth, address, national identification number (EMŠO) and tax number, but any information that enables a link to a specific individual.

An individual is an identified or identifiable natural person to whom the personal data relate; a natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that person.

Purposes of Processing and Legal Bases for Processing

The company collects and processes your personal data on the following legal bases:

processing is necessary for compliance with a legal obligation to which the controller is subject;
processing is necessary for the performance of a contract to which the individual is a party, or in order to take steps at the request of the individual prior to entering into a contract;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;
the individual has given consent to the processing of their personal data for one or more specific purposes;
processing is necessary in order to protect the vital interests of the individual or of another natural person.

4.1 Compliance with a Legal Obligation

On the basis of legal obligations, the company primarily processes data about its employees, as enabled by labour and social security legislation, as evident from the register of personal data filing systems for controllers.

For employment purposes, the company processes the following types of personal data on the basis of legal obligations:

first and last name
address
place and country of birth
telephone number
e-mail address
gender
date of birth
EMŠO
tax number

In limited cases, the processing of personal data based on the public interest is also permissible within the company.

For the purpose of monitoring monthly payments, the company processes data on the amount of payments for services. We rely on a contractual legal basis for these data, and we are obliged to collect them under the Value Added Tax Act (Zakon o DDV). In order to comply with our legal obligations, we will process your personal data in accordance with tax regulations, which means that for financial transactions we will retain your data, such as payer details (bank account number, first name, last name), for ten years after the end of the calendar year in which we issued you an invoice. The legal basis for this processing purpose is compliance with a legal obligation.

4.2 Performance of a Contract

Where an individual enters into a contract with the company, such contract constitutes the legal basis for processing personal data. We may process personal data for entering into and performing the contract. Upon conclusion of a contract, we obtain the following data about the individual or the company:

first and last name
company name
address
contact details
e-mail address
telephone number
tax number

If the individual does not provide personal data, the company cannot conclude the contract, nor can it provide the service or deliver goods or other products in accordance with the contract, as it does not have the necessary data for performance.

On the basis of conducting its lawful activity, the company may inform individuals and users of its services via their e-mail address about its services, events, training courses, offers, and other content. The individual may at any time request termination of such communication and personal data processing and unsubscribe via the link in the received message, or by sending a request by e-mail to info@kz-consult.si or by regular mail to the company’s address.

4.3 Legitimate Interest

The use of the legal basis of legitimate interest is limited for processing by public authorities when performing their tasks. Nevertheless, the company may also process personal data on the basis of legitimate interest pursued by the company, to a limited extent.

This is not permitted where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal data. In cases where legitimate interest is used, the company always carries out an assessment in accordance with the General Regulation.

Thus, we may occasionally inform individuals about services, events, training courses, offers, and other content via e-mail, telephone calls, and regular mail.

The individual may at any time request termination of such communication and personal data processing and unsubscribe via the link in the received message, or by submitting a request by e-mail to info@kz-consult.si or by regular mail to the company’s address.

Purposes, Legal Basis and Retention Period

Visiting the website www.kz-consult.si

Purpose of processing personal data: Each time you visit www.kz-consult.si, the web server of the hosting provider automatically stores web server log files. The web server where www.kz-consult.si is hosted records data about visits to the website, namely: visitors’ IP address, browser version, date and time, and information about repeated connection.

K&Z, Svetovanje za razvoj d.o.o. does not separately process the collected data and does not link them with other data. The contractual processor (the web hosting provider) processes personal data solely for the purpose of providing website maintenance services for www.kz-consult.si.

The purpose of these procedures is to ensure network and information security, i.e., to enable the detection and prevention of unauthorized access that could compromise the availability, integrity, and confidentiality of stored or transmitted personal data and the security of related services accessible through such networks and systems. Such processing is necessary for the legitimate interests pursued by the company.

Legal basis for processing personal data:
Point (e) of Article 6(1) of the General Data Protection Regulation and Article 6(4) of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 136/22; hereinafter: ZVOP-2).

Users or categories of users of personal data:
The contractual processor maintaining the website, for purposes of website security and maintenance.

Information on transfers to a third country or international organisation:
Data are not transferred to third countries or international organisations.

Retention period:
Web server log files are retained for up to 30 days.

Responding to enquiries (via contact form)

Purpose of processing personal data: With each enquiry submitted via the contact form, the visitor’s message is sent to the company’s e-mail address. The following personal data are processed for the purpose of responding to the enquiry:

first and last name
address
e-mail address

K&Z, Svetovanje za razvoj d.o.o. collects and processes personal data of senders or potential customers (first and last name, address, e-mail and telephone number) for the purpose of responding to the enquiry, preparing an offer based on the customer’s enquiry, or possible coordination of the offer.

Legal basis: The processing is necessary for the legitimate interests pursued by the company.

K&Z, Svetovanje za razvoj d.o.o. does not collect personal data of individuals for the purpose of sending unnecessary advertising messages, but solely for the purpose of mandatory information.

Retention period: Customer personal data will be stored only for our own use and will be deleted at the customer’s request.

Cookies and Other Data

When using services on www.kz-consult.si, other data or information may also be recorded systemically and processed automatically for internal analyses to improve our services, for statistical processing, and for security reasons.

The data processed for these purposes include:

cookies,
usage data (web browser and current IP address of the device, time and duration of access to these websites, websites from which the user clicks to these websites).

In the case under point 1, your personal data are processed on the basis of the Electronic Communications Act (Official Gazette of the Republic of Slovenia, No. 130/22 with amendments). Except for cookies that are necessary for the operation of the websites, other cookies are installed only with the individual’s prior consent (legal basis under point (a) of Article 6(1) GDPR).

In the case under point 2, we rely on point (f) of Article 6(1) GDPR (legitimate interests of the controller to provide user-friendly services tailored to users’ needs, reduce the risk of misuse, detect misuse, and ensure the security of its network and information). Where the intended purpose can be achieved, anonymised data are used in statistical processing. Anonymised data can no longer be linked to the user who provided such personal data; therefore, this Privacy and Personal Data Protection Policy does not apply to their processing.

Age Restriction for Information Society Services

The services of www.kz-consult.si are intended for persons over 16 years of age. When submitting an enquiry or signing up for educational content or a web analysis, the user must confirm that they are over 16 and that the provided information is true and credible, and that they have read the consent explanations for personal data processing.

Age information is not a condition for using www.kz-consult.si and we are not obliged to verify which data relate to persons under 16. We advise parents and legal guardians of children under 16 to educate children on safe internet use and the appropriate sharing of personal data. Any risks arising from a minor’s inability to assume valid obligations rest with their parents and guardians.

4.4 Processing Based on Consent

Where the company does not have a legal basis grounded in law, contractual obligations, or legitimate interest, it may request the individual’s consent. It may then process certain personal data for the following purposes, where the individual gives consent:

residential address and e-mail address for notification and communication purposes;
photographs, video recordings and other content relating to the individual (e.g., publishing photographs of individuals on the company’s website) for the purpose of documenting activities and informing the public about the company’s work and events;
other purposes to which the individual agrees by giving consent.

4.5 Processing Necessary to Protect Vital Interests

The company may process personal data of an individual where this is necessary to protect their vital interests. In urgent cases, the company may locate the individual’s identity document, verify whether that person exists in its database, review their medical history, or contact their relatives, without the individual’s consent. This applies when it is strictly necessary to protect the individual’s vital interests.

Retention and Deletion of Personal Data

The company will retain personal data only for as long as necessary to fulfil the purpose for which the data were collected and processed. Where the company processes data on the basis of law, it will retain them for the period prescribed by law.

Some data are retained for the duration of cooperation with the company, while some data must be retained permanently. Personal data required for the performance of a contract will be retained for as long as necessary to perform the contract and for five years after the end of the calendar year in which the contract terminated, except where a longer retention period is required due to a dispute relating to the contract. In such a case, your personal data will be retained for 10 years after the end of the calendar year of the final court decision, arbitration award, or court settlement, or (if there was no court dispute) five years after the end of the calendar year from the date of amicable resolution of the dispute.

Personal data processed on the basis of the individual’s consent or legitimate interest will be retained until consent is withdrawn or until a request for deletion is made. After receiving a withdrawal or deletion request, data will be deleted no later than within 15 days. The company may also delete such data earlier if the processing purpose has been achieved or if required by law.

Exceptionally, the company may refuse a request for deletion for reasons set out in the General Regulation, such as exercising the right to freedom of expression and information, compliance with a legal obligation, reasons of public interest in the area of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or the establishment, exercise or defence of legal claims.

After the retention period expires, the company must effectively and permanently delete or anonymise personal data so that they can no longer be linked to a specific individual.

Processing by Contractual Processors and Data Export

The company may entrust certain personal data processing activities to a contractual processor under a data processing agreement. Contractual processors may process entrusted data exclusively on behalf of the controller, within the scope of the controller’s authorisation set out in a written contract or other legal act and in accordance with the purposes defined in this policy.

Contractual processors cooperating with the company include:

accounting services and other providers of legal and business consulting,
web server hosting providers,
IT system maintainers,
e-mail service providers and software providers / cloud service providers,
social media and online advertising providers (Google, Facebook, Instagram, LinkedIn, etc.).

For better oversight and control of contractual processors and to properly regulate contractual relationships, the company also maintains a list of contractual processors specifying all specific processors with whom it cooperates.

For certain services, we may also disclose your personal data to potential project partners, supervisory authorities, or upon request of the judiciary. Under no circumstances will the company disclose personal data to unauthorised third parties. Contractual processors may process personal data only in accordance with the company’s instructions and may not use personal data for any other purposes.

The company as controller and its employees do not transfer personal data to third countries (outside the European Economic Area – EU Member States plus Iceland, Norway and Liechtenstein) and to international organisations, except to the USA, in which case relationships with U.S. processors are regulated by standard contractual clauses (model clauses adopted by the European Commission) and/or binding corporate rules (adopted by the company and approved by supervisory authorities in the EU).

Disclosure of Personal Data to Third Parties

We inform you that your personal data may also be accessible to:

our verified contractual processors who enable us to develop and maintain the website, store databases, provide electronic notifications, prepare web analyses and educational content (based on a service contract and an agreement under Article 28 GDPR),
authorised persons and competent state authorities that have an appropriate legal basis for obtaining and processing data under their statutory regulations (based on point (c) of Article 6(1) GDPR – compliance with a legal obligation).

With every disclosure of your personal data, we ensure appropriate technical and organisational measures to guarantee the security of your personal data, and all recipients of your data are also bound by the same measures.

Transfer of Personal Data to Third Countries

We transfer data to third countries (outside the EU and EEA) only where we have your explicit consent for such transfer and where it is strictly necessary to fulfil our contractual and legal obligations. When exporting your personal data, we do so only to the minimum extent necessary to provide services on www.kz-consult.si.

Your data may be transferred:

to the USA where you consent to the display of personalised ads on these websites (e.g., Google, Inc.), for sending e-notifications (Elasticmail), for entering your personal data via various forms through which www.kz-consult.si communicates with users (Ninja Form), and for communication with social networks.

When transferring personal data to third countries, in addition to an appropriate legal basis, we also ensure additional measures to maintain an adequate level of data security during the transfer, relying on the principles of Chapter V of the General Data Protection Regulation.

Social Networks

For communication and sharing interesting content with users of www.kz-consult.si, we also use business profiles on the following social networks:

Meta Platforms, Inc., operating Facebook and Instagram;
LinkedIn Ireland Unltd. Co., operating LinkedIn;
Google, Inc., operating YouTube.

In these cases, we may obtain and process your data, but we do not transfer them to our internal databases at www.kz-consult.si. Authorised persons of the controller have access to your private messages and public posts when using these business profiles. We receive statistical reports from the social networks about visits to our profiles, general interests of visitors, and demographic data. These reports do not contain personal data and only help us provide interesting content to users.

When using the services of these social networks and interacting with these websites, data are transferred to the USA; the companies operating each network also independently act as controllers of the received personal data, meaning they determine which personal data they process and for what purposes and on which legal bases. They also independently manage cookies on their websites and determine their purpose of use.

We encourage you, when interacting with the social networks referred to above, to familiarise yourself with their privacy policies available via the following links:
Facebook
Instagram
LinkedIn
Youtube
Twitter

Cookies

The company’s website works with so-called cookies. A cookie is a file that stores website settings. Websites store cookies on users’ devices used to access the internet in order to recognise individual devices and the settings used when accessing the site. Cookies allow websites to recognise whether a user has previously visited the website. In advanced applications, cookies may be used to adapt individual settings accordingly. The storage of cookies is under the full control of the user’s browser—the user can restrict or disable cookie storage entirely.

Cookies are essential for providing user-friendly online services. They are used to store data about the status of a given website, help gather statistics on users and website traffic, etc. Cookies help us assess the effectiveness of the design of our website.

Necessary cookies are required for the website to function and cannot be disabled. In addition, with your prior consent, we may use cookies for website usage analytics, connection with social networks, or to provide additional functionalities. With the help of these cookies we assess the effectiveness of our solutions and provide you with the best possible user experience. To improve your user experience, we strive to understand how you use our websites, services, or tools. For this purpose, we use internal and/or external tools to analyse application usage and user experience.

We use the Cookieyes plugin to manage cookies; it enables users to be informed about loaded cookies and to manage consents for installing individual cookies on the user’s device. More information about cookies used by www.kz-consult.si can be viewed by clicking the cookie symbol at the bottom of the page, where you can find information on the type, duration, and use of cookies. On your first visit, you may set your preferred cookies or accept or reject all cookies.

For internal tools, we rely on the legal basis of legitimate interest (point (f) of Article 6(1) GDPR), while for third-party analytical tools we will request your consent before use. The legal basis for cookie notices is the amended Electronic Communications Act (Official Gazette No. 109/2012; hereinafter: ZEKom-1), which entered into force on 15 January 2013.

Data Security and Accuracy

The company ensures information security and infrastructure security (premises and application/system software). Our information systems are protected, among other things, by antivirus programs and a firewall. The company has implemented appropriate organisational and technical security measures intended to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, and against other unlawful and unauthorised forms of processing.

Where special categories of personal data are provided, we transmit them in encrypted form and protected by a password. As an individual, you are responsible for ensuring that you transmit your personal data securely and that the provided data are accurate and credible. The company (controllers) will endeavour to ensure that the personal data it processes are accurate and, where necessary, kept up to date, and may occasionally contact the individual to confirm the accuracy of personal data.

Your Rights Regarding Data Processing

In accordance with the General Regulation (EU), an individual has the following personal data protection rights:

to request information on whether we hold their personal data and, if so, which data, on what basis, and why we use them;
to request access to their personal data, enabling them to receive a copy of the personal data held by the company and to verify that the company is processing them lawfully;
to request correction of personal data, such as correcting incomplete or inaccurate personal data;
to request deletion of personal data where there is no reason for continued processing or where the individual exercises their right to object to further processing;
to object to further processing of personal data where the company relies on a legitimate business interest (including where a third party has a legitimate interest), where there are grounds relating to the individual’s particular situation; the individual has the right to object at any time if the company processes personal data for direct marketing purposes;
to request restriction of processing of personal data, meaning suspension of processing, e.g., if the individual wishes the company to verify accuracy or to check reasons for further processing;
to request portability of personal data in a structured electronic format to another controller where possible and feasible;
to withdraw consent given for the collection, processing, and transfer of personal data for a specific purpose; upon receiving notice that consent has been withdrawn, the company will stop processing personal data for the purposes originally accepted, unless the company has another lawful legal basis to continue processing.

If you wish to exercise any of the above rights, you may submit a request by e-mail to info@kz-consult.si.

We will respond to a request relating to an individual’s rights without undue delay and in any event within one month of receipt of the request. If this period is extended due to the complexity and number of requests (by up to two additional months), you will be informed accordingly.

Access to personal data and the exercise of these rights are free of charge for the individual; however, we may charge a reasonable fee if your request is excessive, manifestly unfounded, or repetitive.

In such a case, we may also refuse your request. When exercising these rights, we may need to request certain information from you to help confirm your identity, as a security measure to ensure that your personal data are not disclosed to unauthorised persons.

At any time, especially if you feel that our exercise of your personal data protection rights is not adequate, you may contact us at: info@kz-consult.si.

When exercising these rights, or if you believe your rights have been violated, you may contact the supervisory authority in Slovenia: the Information Commissioner, Dunajska 22, 1000 Ljubljana, https://www.ip-rs.si

If you have any additional questions regarding the processing of your personal data, you may contact us at any time via e-mail at info@kz-consult.si or by regular mail at our address.

Publication of Changes

Any changes to our Personal Data Protection Policy will be published on the company website: www.kz-consult.si. We strive to keep this policy always in line with legislation and our actual practices regarding personal data processing. Therefore, we will amend this policy from time to time and publish it on this website.

By using the website, the individual confirms that they accept and agree to the entire content of this Personal Data Protection Policy.