I. Personal data protection policy
At the same time, this policy explains in more detail the consent to data processing.
The Policy is in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation) and includes the following information:
Company contact information and contact of the authorized person for data protection, purposes, bases and types of processing of various types of personal data of users, including profiling of personal data of users, transfer of data to third parties and to third countries, storage period of individual types of personal data, the rights of users in relation to the processing of personal data, the right to lodge a complaint about the processing of personal data.
Where applicable, the provisions on users shall also apply to issues of secrecy and confidentiality of communications of users who are legal entities.
II. Person responsible and data protection officer
III. Purposes of processing and basis of data processing
Processing on the basis of a contract:
The Company processes users’ personal data for the purpose of informing them about new entries on the website and for direct marketing purposes (subscription to electronic newsletters).
In connection with the exercise of rights and the performance of contractual obligations, the Company processes users’ personal data for the following purposes:
- Email address and name (for notification purposes, sending email newsletters, advertising on Facebook).
- Telephone number (for notification purposes in case of urgent transmission of information).
- Home address (for fulfillment of obligations under the purchase contract – preparation and sending of invoices).
- Information about the company (for the purpose of fulfilling the obligations under the purchase contract – creating and sending invoices).
- Dates of birth (for the purpose of taking out insurance, booking airline tickets and hotels).
- Number and validity date of the ID card – identity card and/or passport (for the purpose of booking hotels and airline tickets).
- Scan of passport and personal photo (for the purpose of applying for an entry visa and checking the validity of the document to avoid inconveniences with airlines and other transport companies).
Processing based on the law:
The Company processes the personal data of the users for the purposes of concluding, implementing, monitoring and terminating the contractual relationship.
Processing based on consent to the processing of personal data:
Data processing may be carried out on the basis of consent given by the person to the Company. The consent may relate to information about the offer and services, the creation of an offer adapted to the user habits of the person or the provision of value-added services. The notification will be made through the channels that the user has chosen in his consent. In the case of e-mail notification, an e-mail address is provided to an external processor so that the company’s advertising messages can be displayed while browsing the Internet.
The data subject may revoke or modify his/her consent at any time in the same manner in which it was given or in another manner determined by the Company, which reserves the right to identify the customer. The revocation or modification of consent applies only to data processed on the basis of consent. The last consent that the Company received from the person is valid. The possibility of revoking consent does not constitute a right of withdrawal in the individual’s business relationship with the Company.
Consent may be given by a parent, foster parent or guardian for a minor child who, under applicable legislation, cannot give consent himself or herself. Such consent shall be valid until revoked or modified by a parent, foster parent or guardian, or by the child himself/herself if he/she acquires such right under applicable legislation.
V. Retention period for personal data
Billing data and related contact information of individuals may be retained for the purpose of fulfilling contractual obligations until the service has been paid in full or, at the latest, until the expiration of the statute of limitations with respect to an individual claim, which by law may range from one to five years.
Invoices are kept for 10 years after the end of the year to which the invoice relates, in accordance with the VAT Act.
If traffic data is processed on the basis of the individual’s consent for the purpose of marketing services, selling goods or providing value-added services, such data may be processed to the extent necessary for as long as it is required for such marketing or services.
All other data collected for the purpose of information and direct marketing will be kept until deleted.
VI. The rights of individuals with regard to the processing of personal data
The Company shall ensure that individuals exercise their rights without undue delay and in any case within one month of receipt of the request.
The Company accepts requests regarding the rights of individuals to the e-mail address email@example.com.
If a data subject makes a request electronically, the information will be provided electronically whenever possible, unless the data subject requests otherwise.
In the event of reasonable doubt as to the identity of an individual making a request relating to one of his/her rights, the Company may require the provision of additional information necessary to confirm the identity of the individual to whom the personal data relates.
If the data subject’s requests are manifestly unfounded or excessive, in particular because they are made repeatedly, the Company may:
- charge a reasonable fee, taking into account the administrative costs of providing the information or notification or carrying out the requested action, or
- refuse to process the request.
The Company grants individuals the following rights in relation to the processing of personal data:
- the right to access the data,
- the right to rectification,
- the right to erasure (“right to be forgotten”),
- the right to restriction of processing,
- the right to data portability.
Right of access to data
The person to whom the personal data relates has the right to obtain confirmation from the Company as to whether personal data is being processed in relation to him or her and, if so, to obtain access to personal data and additional information relating to the processing of personal data, which includes:
- Purposes of the processing;
- Types of personal data;
- Users or categories of users to whom personal data have been or will be disclosed, in particular users in third countries or international organizations;
- Where possible, the retention period envisaged for personal data or, if this is not possible, the criteria by which this period is determined;
- The existence of the right to obtain from the controller the rectification or erasure of personal data or the restriction of the processing of personal data relating to the person to whom the personal data relate, or the existence of the right to object to such processing;
- The right to lodge a complaint with a supervisory authority;
- If personal data are not collected from an individual, any available information about their origin;
- The existence of automated decision-making, including profiling, and meaningful information about the reasons for it and the significance and intended consequences of such processing.
Upon the request of the individual, the Company shall provide a copy of the personal data processed. For additional copies of data requested by the data subject, the company may charge a reasonable fee subject to administrative costs.
Right of rectification
The person to whom the personal data refers has the right to have the Company rectify inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the person to whom the personal data refers has the right to complete incomplete personal data, including the submission of a supplementary statement.
Right to erasure (“right to be forgotten”)
The person to whom the personal data relates has the right to have the Company erase the personal data concerning him or her without undue delay, and the Company has the obligation to erase the personal data without undue delay:
- if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- if the individual withdraws the consent that forms the basis for the data processing and there is no other legal basis for the processing;
- if a person objects to processing on the basis of the Company’s legitimate interest and there are no overriding legitimate grounds for processing;
- if a person objects to processing for direct marketing purposes;
- when personal data must be erased in order to comply with a legal obligation under EU law or the Slovenian legal order;
- when it concerns data related to the provision of information society services, unlawfully collected from a child who cannot provide such data in accordance with the applicable legislation.
In the case of named or otherwise published data, the Company shall take reasonable measures, including technical measures, to inform those responsible for processing the personal data that the data subject requests the erasure of all links to or copies of such personal data.
The right to restriction of processing
The Data Subject has the right to have the Company restrict the processing if:
- the data subject contests the accuracy of the data, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead the restriction of its use;
- the company no longer needs the personal data for the purposes of processing, but the person to whom the personal data relate needs them for the assertion, exercise or defense of legal claims;
- the person has objected to the processing until it has been verified whether the legitimate grounds of the controller override the data subject’s grounds.
The right to data portability
The data subject has the right to receive the personal data concerning him or her that is held by the company in a structured, commonly used and machine-readable format, as well as the right to transfer this data to another controller without being prevented from doing so by the company to which the personal data was provided if:
- the processing is based on the consent of the individual or on a contract; and
- the processing is carried out by automated means.
The right to object
The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of personal data where such processing is based on legitimate interests of the company or a third party. The Company shall no longer process the personal data unless compelling grounds for the processing can be demonstrated which override the interests, rights and freedoms of the person to whom the personal data relate, or for the establishment, exercise or defense of legal claims. If personal data are processed for the purposes of direct marketing, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing; this also applies to profiling insofar as it is related to such direct marketing. Insofar as direct marketing is based on consent, the right to object may be exercised by withdrawing the personal consent given.
The right to lodge a complaint about the processing of personal data
A person may submit a complaint about the processing of personal data to the e-mail address firstname.lastname@example.org or by mail to the address naTOURa, travel agency, Janja Benedik BrE, Rotarjeva ulica 3, 4000 Kranj.
Likewise, any person to whom personal data refer has the right to lodge a complaint directly with the Information Commissioner if he/she believes that the processing of personal data concerning him/her violates Slovenian or EU regulations in the field of personal data protection.
If a person has asserted the right of access to the data with the company and, after receiving the company’s decision, believes that the personal data he or she has received is not the personal data he or she requested or that he or she has not received all of the personal data he or she requested, he or she must file a substantiated complaint with the company within 15 days before filing a complaint with the Information Commissioner. The company must decide on the complaint as a new request within five working days.
Validity of the policy
This policy will be published on the website https://natoura.si and will become effective on September 11, 2019.