Personal Data Protection Policy - Iskratel

1. Introduction

Iskratel, d. o. o., Kranj, Ljubljanska cesta 24a, 4000 Kranj (hereinafter: “Iskratel” or “controller”), is dedicated to responsibly handling the personal data of our clients, potential clients, Iskratel website visitors and any natural persons who reveal their personal information when contacting us (hereinafter: “users”), so we are implementing this Personal Data Protection Policy (hereinafter: “Policy”) to inform our users in a transparent, easy to understand way using plain language about the purpose, the legal ground for the processing of their personal data and their rights regarding the processing, as they are afforded to them under the Personal Data Protection Act (ZVOP-1, Official Gazette of the Republic of Slovenia no. 94/2007) and the Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “General Data Protection Regulation”).

Terms, such as “controller”, “processing”, “restriction of processing”, “processor”, “profiling”, “pseudonymisation”, “third party” and “company”, used in this Policy have the meaning as stipulated in the General Data Protection Regulation.In accordance with the General Data Protection Regulation, the Policy covers the following areas:
  • Contact details of the controller and of the data protection officer,
  • Purposes and legal basis for processing various types of users’ personal data, including profiling the users’ personal data,
  • Recipients of the personal data, contractual data processing and the transfer of personal data to third countries,
  • Storage period for different categories of personal data,
  • Security of the personal data,
  • Users’ rights regarding the processing of their personal data,
  • Procedure to exercise users’ rights regarding personal data processing,
  • The right to submit a complaint about personal data processing.

2. Contact details of the controller and of the data protection officer

The controller of the users’ personal data is Iskratel, d. o. o., Kranj, Ljubljanska cesta 24a, 4000 Kranj.

3. Personal data

Personal data constitutes any information that identifies you as an identified or identifiable natural person. The user is identifiable when they can be directly or indirectly determined, especially using an identifier, such as the name, identification number, location data, an online identifier or by stating one or more factors specific to the user’s physical, physiological, genetic, mental, economic, cultural or social identity. In accordance with the purposes stated in the following chapters of the Policy, the controller collects the following personal data:
  • Basic information on the user (full name, title, occupation and other information about the employer),
  • Contact information and information about the user’s communication with the controller (e-mail, telephone number, date, time and contents of the postal or e-mail communication, date, time and duration of phone calls),
  • Data about attendance at events organised by Iskratel (information on the event you attended, date and place of the event),
  • Channel and campaign – manner of gaining the user’s consent or the source through which the user came into contact with the controller (website and advertising campaign or promotion),
  • Data on the user’s use of the controller’s website (dates and hours of visits to the site, visited pages or URLs, duration of time spent on a website, number of visited pages, total time spent on the website, performed settings on the webpage) and usage data on received messages (e-mail, SMS) from the controller,
  • Data from voluntarily filled in forms on the controller’s website, e.g. for prize contests,
  • Other data the user voluntarily submits to the controller when requesting certain services that demand such data.
The controller does not collect or process the user’s personal data without their expressed consent, i.e. when ordering products or services, subscribing to e-newsletters, participating in a prize contest etc., when there is a legal basis for the collection of the personal data, the processing is necessary to execute contractual obligations or when the processing is necessary for legitimate interested pursued by the controller (hereinafter: “legitimate interest”).

4. Basis for processing and purpose of processing

Iskratel will process your personal data for one of the purposes listed below based on the following legal basis:
  • Your consent or agreement,
  • For compliance with the legal obligations of the controller,
  • Legitimate interest,For compliance with the contractual obligation of the controller
Iskratel will process your personal data solely for the purposes, for which they were collected and will not process them for purposes that are not compatible with the purposes, for which they were collected. Iskratel collects only that personal data from the user that is vital for achieving a set purpose.

Processing based on consent or agreement

Based on your written consent, Iskratel will process your personal data for the following purposes:
  • Sending e-mails for the purpose of informing about new whitepapers and case studies, additions to Iskratel portfolio, and invitations to industry events Iskratel is attending,
  • for monitoring the user’s reading of sent e-mails, including which e-mail you opened or did not open, which links you clicked (which contents you read), how long you were reading them or surveyed certain contents,
  • for segmenting users based on the factors from the previous paragraph and for further sending adapted (individualised) e-mails, which means different users can receive e-mails with different contents for the purpose of a better (more relevant) informing and achieving a higher level of response to the received e-mails,
  • for the purposes of analysing the user’s pattern-of-life on the website: from where the user came to the website (source of the traffic), for monitoring their activities on the website, which websites they visited, which contents they downloaded or viewed,
  • for segmenting users based on the facts from the previous paragraph and further sending adapted (individualised) messages through multichannel communication, which means different users can receive messages with different contents for the purpose of a better (more relevant) informing of individuals and reaching a higher level of user enthusiasm,
  • for all other purposes for which you expressly agree in cooperating with the controller.
Any time you give consent for the processing of your personal data, the consent can be withdrawn at marketing@iskratel.si.

Processing is necessary for completing Iskratel’s legal obligations

Your personal data is also processed when required of us by the law. One example of such processing is processing your personal data for the purposes of judicial or administrative processes.

Processing based on legitimate interest for which Iskratel strives

The controller can also process data based on legitimate interest, except when this interest is overruled by interests or basic rights and freedoms of the user to whom the personal data requiring data protection applies. In the case of using legitimate interest, the controller’s judgement always complies with the General Data Protection Regulation.

In certain cases, Iskratel can, for further processing of your personal data based on legitimate interest that was collected based on one of the aforementioned legal basis (consent, contract), implement certain safeguards for the protection of your personal data, such as pseudonymisation, encryption, processing in an aggregated form and/or deleting certain categories of personal data.

Iskratel will process your personal data based on a legitimate interest for the following purposes: 
  • marketing, business and other technical analyses, such as analysing and determining which organisations the event attendees are coming from and what functions they perform in these organisations, for keeping records of how many and which events a user attended, for keeping records of awarded receipts, certificates and licences of event attendees.
  • Preventing fraud, ensuring safety, submitting claims or defence of legal claims in court proceeding or administrative procedures. This allows the controller to process your personal data in cases of suspicion of fraud in an appropriate and proportional scope for the purpose of identifying and stopping potential fraud and deceit and can, if appropriate, forward the data to the police, the Prosecutor’s Office or other competent authority.
  • Direct marketing, including creating user profiles, based on legally acquired personal data. The stated processing can be objected to in accordance with the chapter Right to Object in this Policy.

Processing to fulfil contractual obligations of Iskratel

In certain cases, processing personal data is vital for the execution of the controller’s contractual obligations. If the user does not provide the necessary personal data, the controller is unable to finalise a contract with the user or perform services.

The controller will process your personal data to perform contractual obligations for the following purposes:
  • Business Cooperation Agreement,
  • Carrying out activities stated in the cooperation agreement (consulting, preparing marketing and sales strategies, implementing marketing and sales campaigns, process informatisation),
  • Communicating with contracting parties and other contact persons for the purposes of executing an activity stated in the cooperation agreement,
  • To sign up a user to an event organised by Iskratel, including for awarding certificates, receipts and licences to event attendees.

5. Recipients of personal data, contractual data processing and transfer of personal data to third countries (countries that are not members of the European Union or the European Economic Area)

Your personal data can be accessed solely by Iskratel employees and authorised processers of personal data.

Iskratel will never forward your personal data to unauthorised third persons.

By using Iskratel websites and other services, you agree that Iskratel may entrust individual tasks about your personal data to the processers listed below. The listed processers can process your personal data exclusively in the name and in accordance with Iskratel’s written instructions, within the limits of the authorisation, as stated in the agreement between Iskratel and the processor, and in accordance with the purposes as stated in the Policy. The processors of your personal data may under no circumstances use your personal data to pursue any kind of personal interest.

Iskratel collaborates with the following processors:
  • FrodX next d.o.o., Celovška cesta 280, 1000 Ljubljana has contracts with Iskratel for the purposes of integration of the Net-Results system and support with the system management and content: Business Cooperation Agreement and Data Protection Agreement.
  • AV studio d.o.o., Koroška cesta 55, 3320 Velenje as contract with Iskratel for the purposes of support for managing the CMS system: Business Cooperation Agreement.

6. Personal data storage period

The controller will not process personal data longer than necessary to achieve the purposes for which the personal data was collected and further processed.

The personal data processed by Iskratel is processed in compliance with the agreement and is stored by Iskratel for the period that is necessary to complete the contract and for 5 years after its completion, except in cases when a disagreement arises about the contract between you and the controller. In that case, Iskratel keeps that data for 5 years after the finalised court judgements or arbitration decisions or settlement, or in the case of no litigation, for 5 years after the dispute has been resolved peacefully.

The personal data processed by Iskratel based on the law is stored by Iskratel for the legally determined duration of time.

The personal data processed by the controller based on your personal consent or legitimate interest are kept by Iskratel permanently until you withdraw your consent or submit a request that the processing be terminated. Iskratel will delete such data before they are withdrawn only if the purpose of the processing of the personal data has been achieved or if it is determined by the law.

After the storage duration period has elapsed, Iskratel will effectively and permanently delete or anonymise your personal data so that it can no longer be traced back to you.

7. Personal data protection

Iskratel is dedicated to protecting your personal data. They prevent any unauthorised access to it, their use and their revelation with the following measures:

  • The data is protected with the workspace, equipment and system software, including input-output units,
  • The data is protected by application software that is used for processing personal data,
  • Iskratel prevents unauthorised access to personal data during their transfer, including forwarding using telecommunication means and networks,
  • Iskratel enables an effective way of blocking, destroying, deleting or anonymising personal data after the purpose, for which they were collected, ceases,
  • Iskratel enables later detection of when individual data that had been entered into the personal data database were used, forwarded or otherwise processed and by whom.

Unauthorised access to personal data, their use and revelation is prevented by Iskratel with the following safety technologies and procedures:

  • Controlling physical access,
  • Locking rooms, closets, computers,
  • Storing carriers of personal data in secured rooms,
  • Preventing office maintenance workers, clients and other visitors of the controller’s offices from having any consultation with the personal data,
  • Preventing password use to persons who have not been directly assigned to the stated purpose,
  • Limiting data transfer by the employees,
  • Controlling the number of copies and data transfer,
  • Limiting, documenting and securing the transfer of the data through telecommunication networks,
  • Preventing insight into the data to persons whose employment contract has been terminated, 
  • Strictly separating their data from the data of any other possible controllers.

8. Users’ rights in personal data protection

In accordance with the General Data Protection Regulation, Iskratel guarantees you the following rights relating to personal data protection, which are further elaborated in the following chapters of the Policy:
  • Right of access to the data,
  • Right to rectification,
  • Right to erasure (“right to be forgotten”),
  • Right to restriction of processing,
  • Right to data portability,
  • Right to object.

Right of access to the data

You have the right to obtain confirmation from Iskratel as to whether or not they are processing your personal data, and, where that is the case, you have the right to access your personal data and the following information about personal data processing:
  • the purposes of the processing,
  • the categories of personal data,
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations,
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the user or to object to such processing,
  • the right to lodge a complaint with a supervisory authority,
  • where the personal data are not collected from the user, any available information as to their source,
  • the existence of automated decision-making, including profiling, and meaningful information about the reasons for it, as well as the significance and the envisaged consequences of such processing for the user.
Based on your request, Iskratel will provide you with a free copy of your personal data undergoing processing. For any further copies you request, Iskratel will charge a reasonable fee based on administrative costs.

Right to rectification

You have the right to obtain from Iskratel without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure (“right to be forgotten”)

You have the right to obtain from Iskratel the erasure of personal data concerning you without undue delay and Iskratel shall have the obligation to erase your personal data without undue delay where one of the following grounds applies:
  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
  • you withdraw consent on which the processing is based, and where there is no other legal ground for the processing,
  • you object to the processing pursuant the controller’s legitimate interest and there are no overriding legitimate grounds for the processing,
  • you object to the processing for the purposes of direct marketing,
  • the personal data have to be erased for compliance with a legal obligation in accordance with EU or Slovenian State law.
Where Iskratel has acted in accordance with the Policy and has made your personal data public, Iskratel shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the user has requested the erasure of any links to, or copy or replication of those personal data.

Right to restriction of processing

You have the right to obtain from Iskratel the restriction of processing of your personal data where one of the following applies:
  • you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of your personal data,
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead,
  • when Iskratel no longer needs the personal data for the purposes of the processing, but you required them for the establishment, exercise or defence of legal claims,
  • you have objected to processing, pending the verification whether the legitimate grounds of the controller override yours.

Right to data portability

You have the right to receive personal data concerning you, provided by Iskratel, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from Iskratel to which the personal data have been provided, when:
  • the processing is based on consent or agreement and
  • the processing is carried out by automated means.

Right to object

On grounds relating to your particular situation, you have the right to object, at any time to processing of your personal data, if your objection is based on legitimate interests pursued by Iskratel or a third party. Iskratel shall no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the direct marketing is based on consent, the right to object can also be achieved by withdrawing the personal consent.

9. Procedure to exercise rights

All the aforementioned claims on exercising rights regarding your personal data can be addressed in written form at the e-mail address marketing@iskratel.si or by post to the address Iskratel, d. o. o., Kranj, Ljubljanska cesta 24a, Kranj.

If you submit your claim, in accordance with the previous paragraph, using electronic means, the information, where possible, will be provided to you in electronic means, unless you request otherwise.

The controller can, for the purposes of reliable identification in cases of claiming rights on personal data, request additional information from you that is necessary to confirm your identity, and may decline acting in accordance with this chapter only in the event that they cannot reliably identify you.

The controller will respond to your request exercising your rights regarding your personal data without undue delay in no more than a month after receiving the claim. Iskratel can extend the deadline to comply with the rights for no more than two additional months, taking into account the complexity and number of claims. If Iskratel extends the deadline, they will inform you about the extension within one month of receiving the claim, including the reasons for the delay.

If your claims regarding this chapter are obviously unfounded or excessive, especially when repetitive, Iskratel can:
  • charge a reasonable fee based on administrative costs of forwarding the information or the claim or of processing the claim,
  • decline to act on the claim.

10. Right to lodge a complaint regarding personal data processing

You can send any potential complaint regarding the processing of your personal data to the e-mail address marketing@iskratel.si or by post to the address Iskratel, d. o. o., Kranj, Ljubljanska cesta 24a, Kranj.

You have the right to lodge your complaint directly to the Information Commissioner, if you believe processing your personal data is infringing on Slovenian State or EU rules on personal data protection.

11. Policy validity

This Policy enters into force on 25 May 2018 and can be changed or amended at any time.