PRIVACY STATEMENT
Personal data controller:
SMM proizvodni sistemi, d.o.o.
Jaskova 18, 2000 Maribor
T: +386 (0)2 450 23 00
E: info@smm.si
The purpose of this Privacy Statement is to inform individuals, customers, users of products or services, colleagues, employees, and other persons (hereinafter referred to as “the individual”) who interact with SMM proizvodni sistemi, d.o.o. (hereinafter referred to as “the company”) about the purposes, legal bases, safeguards, and rights of individuals with regard to the processing of personal data carried out by the company.
We process personal data in accordance with the applicable data protection legislation and other legislation that provides us with a legal basis for processing personal data.
Any changes to this document will be published on our website. By using the website, you acknowledge that you have read and understood the entire content of this Privacy Statement.
The company's data protection contact person is available for all questions relating to the processing of personal data and the rights arising therefrom at: info@smm.si
PURPOSES AND LEGAL BASES FOR PROCESSING
The company collects and processes personal data for the following purposes and on the following legal bases, as defined in the General Data Protection Regulation and applicable data protection legislation.
Processing based on a contractual relationship with the company When the individual enters into a contract with the company, this constitutes the legal basis for the processing of personal data. Personal data may be processed by the company for the purpose of concluding and performing a contract, such as selling goods and services, preparing an offer, participating in various programmes and benefits, etc. If the data subject does not provide personal data, the company cannot conclude the contract, nor can the company perform the service or deliver the goods or other products in accordance with the contract, as it does not have the necessary data to perform the contract. On this basis, the company shall process only and exclusively those personal data necessary for the conclusion and proper performance of the contractual obligations.
The legal basis for processing the data is the contract. The retention period is until the purpose of the contract has been fulfilled or until 6 years after the termination of the contract, except in cases where there is a dispute between the individual and the company in relation to the contract. In such a case, the company shall keep the data for 10 years after the final decision of the court, arbitration, or court settlement or, if there was no court dispute, for 5 years from the date of amicable settlement of the dispute.
Processing based on legitimate business interest
The company may also process personal data on the basis of a legitimate interest, pursued by the company. The latter shall not be admissible where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. Where legitimate interest is invoked, the company will carry out an assessment in accordance with the law. The processing of personal data of individuals for direct marketing purposes is considered to be carried out in the legitimate interest.
The company may process personal data of individuals collected from publicly available sources or in the course of the legitimate exercise of its activities, including for the purposes of offering goods, services, employment, information about benefits, events, etc. To achieve these purposes, the company may use ordinary mail, telephone calls, e-mail, and other means of telecommunication. For direct marketing purposes, the company may process the following personal data of individuals: name and surname of the individual, address of permanent or temporary residence, telephone number, and e-mail address. For direct marketing purposes, the company may also process the personal data referred to above without the explicit consent of the data subject. The individual may at any time request the cessation of such communication and processing of personal data and may cancel the receipt of communications by using the unsubscribe link in the communication received or by sending a request by e-mail or regular mail to the company's address.
The legal basis for processing the data is legitimate interest. The data will be processed until the cancellation of the receipt of communications or until the purpose of the processing is fulfilled. The withdrawal shall not affect the lawfulness of processing based on consent prior to its withdrawal.
Processing on the basis of consent or agreement
If the company does not have a legal basis based on the law, a contractual obligation, a legitimate interest or the protection of the life of the individual, it may ask for the individual's consent or agreement. Thus, it can process certain personal data of an individual also for the following purposes, when the individual consents to this. In this case, the company processes in particular personal data such as residential address and e-mail address (for information and communication purposes); photographs, videos and other content relating to the individual (e.g. publication of images of individuals on the website for the purposes of documenting activities and informing the public about the company's work and events; and other purposes for which the individual has consented.
If the data subject has given his or her consent to the processing of personal data and at some point no longer wishes to do so, he or she may request the termination of the processing of personal data by sending a request by e-mail or by regular mail to the company's address. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Upon receipt of a revocation or a request for deletion, the data shall be deleted within 15 days at the latest. The company may also delete this data before cancellation if the purpose of the processing of personal data has been achieved or where required by law.
Exceptionally, the company may refuse a request for erasure on the grounds set out in the GDPR in cases of exercising the right to freedom of expression and information, compliance with a legal obligation to process, reasons of public interest in the field of public health, archiving purposes in the public interest, scientific or historical research purposes, statistical purposes, the exercise or defence of legal claims.
The legal basis for the processing of data is consent. The data will be processed until the consent is withdrawn or until the purpose of the processing is fulfilled. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Processing for compliance with the company's legal obligations
Based on the provisions of the law, the company processes data on its employees, as allowed by labour and social security legislation. The company is legally obliged to process the following types of personal data for recruitment purposes: first and last name, gender, date of birth, registration number, tax number, place, municipality and country of birth, nationality, place of residence, etc.
Processing for the protection of the vital interests of individuals
The company may process the personal data of the data subject insofar as this is necessary to protect his or her vital interests. In urgent cases, the company may search for the individual's identity document, check whether that person exists in its database, examine the individual's medical history, or contact the individual's relatives, without the need for the individual's consent. This applies where it is strictly necessary for the protection of the vital interests of the individual.
VIDEO SURVEILLANCE
We use video surveillance. Video surveillance (cameras installed around the entrances to the organisation) is used to monitor entrances and exits to and from the premises (based on Article 77 of ZVOP-2). We also carry out video surveillance for the purpose of protecting individuals (customers, employees, and visitors) and company property (on the basis of legitimate interest as defined in Article 6(1)(f) of the GDPR, in conjunction with Articles 76 et seq. of ZVOP-2). Video surveillance is carried out in certain work areas where it is strictly necessary for the security of people or property or to protect classified information or business secrets. Video surveillance will help us to detect, deal with or resolve incidents, crimes, claims for damages or other claims. Recordings are stored (max. 6 months). We do not carry out video surveillance in a way that would have a particular processing impact. Video surveillance also does not allow for unusual further processing, such as transfers to third-country entities, live monitoring of events. Video surveillance allows an authorised person to monitor live events. For information on video surveillance, please contact the company by phone or email. The rights of individuals are described in this Privacy Policy. RIGHTS OF INDIVIDUALS REGARDING PERSONAL DATA The data subject shall have the right to request access to and rectification or erasure of personal data concerning him or her, or the restriction of processing relating to him or her, as well as the right to object to processing and the right to data portability. The request of the data subject shall be treated in accordance with the provisions of the General Regulation and the applicable data protection legislation.
You can exercise all of these rights and raise any questions by sending a request to the company. The company will respond to the individual's request without undue delay, no later than one month after receiving the request. This time limit may be extended by up to two additional months, taking into account the complexity and number of requests, and the individual will be informed of this, together with the reasons for the delay. Exercising rights is free of charge for the individual, but the company may charge a reasonable fee if the request is manifestly unfounded or excessive, in particular if it is repetitive. In such a case, the company may also refuse the request. If there is any doubt about the identity of the individual, additional information may be requested that the company needs to establish the identity. In the decision on the request, the company will also inform the individual of the reasons for the decision and of his or her right to lodge an appeal with the supervisory authority within 15 days of being informed of the decision.
The right to lodge a complaint with the supervisory authority may be exercised by: To the Information Commissioner of the Republic of Slovenia at: Dunajska 22, 1000 Ljubljana (e-mail: gp.ip@ip-rs.si, website: www.ip-rs.si).
USERS AND EXPORT OF PERSONAL DATA
The company may entrust individual processing of personal data to a contractual processor on the basis of a contractual processing agreement. Contractual processors may process the entrusted data solely on behalf of the controller, within the limits of the controller's authorisation, as set out in a written contract or other legal instrument, and in accordance with the purposes set out in this Privacy Policy. The contractual processors with which the company cooperates are mainly maintainers of the company's infrastructure and assets; accounting services and other providers of legal and business advice; maintainers of the information systems used by the company; providers of email services and software, cloud services; providers of social networks and online advertising.
In order to improve the overview and control of the contractual processors and the regularity of the contractual relationship between them, the company also maintains a list of contractual processors, which lists all the specific contractual processors with which the company cooperates.
Under no circumstances will the company disclose the personal data of the individual to unauthorised third parties. Contractual processors may only process personal data within the scope of the company's instructions and may not use personal data for any other purpose.
The company as the controller and its employees do not export personal data to third countries (outside the Member States of the European Economic Area – EU Member States plus Iceland, Norway, and Liechtenstein) and to international organisations, except to the USA, where the relationship with US contract processors is governed by standard contractual clauses (standard contracts adopted by the European Commission) and/or binding corporate rules (adopted by the company and approved by the supervisory authorities in the EU).
PERSONAL DATA RETENTION PERIOD
The company will only keep personal data for as long as necessary to fulfil the purpose for which the personal data was collected and processed. If the company processes the data on the basis of the law, it will keep the data for the period prescribed by the law. In this case, some data is retained for the duration of your relationship with the company, while other data must be retained permanently. Personal data processed by the company on the basis of a contractual relationship with the individual shall be kept by the company for the period necessary for the performance of the contract and for a period of 6 years after its termination, except in cases where there is a dispute between the individual and the company in relation to the contract. In such a case, the company shall keep the data for 10 years after the final decision of the court, arbitration, or court settlement or, if there was no court dispute, for 5 years from the date of amicable settlement of the dispute. Personal data, processed by the company on the basis of the individual's personal consent or legitimate interest will be kept by the company until the consent is withdrawn or until a request for deletion of the data is made. Upon receipt of a revocation or a request for deletion, the data shall be deleted without undue delay. The company may also delete this data before cancellation if the purpose of the processing of personal data has been achieved or where required by law. In the event that the rights of the individual are enforced, the company shall keep the personal data of that individual until the case has been finally decided, and after the final decision has been made, in accordance with the final decision in the case. Exceptionally, the company may refuse a request for erasure on grounds such as: the exercise of the right to freedom of expression and information, compliance with a legal obligation to process, grounds of public interest in the field of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the exercise or defence of legal claims. After the retention period, the company must effectively and permanently erase or anonymise the personal data so that it can no longer be linked to a specific individual.
Maribor, 01/10/2023