GDPR

Find out more about how we handle your personal data without violating your privacy rights.

DATA PROTECTION POLICY (GDPR)

The right to privacy is one of the most important human rights. On the website . LOVIM d.o.o. ("the Company") is very aware of this and therefore respects the privacy of our customers and handles their personal data responsibly, carefully and in accordance with applicable law. Access to personal data is only permitted to authorised personnel of the Company and to contractual processors to the extent and for the purpose strictly necessary for the smooth exercise, provision and performance of the rights and obligations arising from the contractual relationship entered into.

We take appropriate measures to ensure that unauthorised persons do not have access to personal data, to protect its confidentiality and integrity, and to prevent its loss or accidental destruction at all times during processing. We are not liable for any "hacking" of the computer system!

The Company and its processors fully comply with the General Principles on the processing of personal data, which are:

  1. We process users' personal data lawfully, fairly and transparently.
  2. We collect personal data for predefined, explicit and legitimate purposes; we do not process personal data for any other purpose, except in the case of processing for scientific or historical research purposes and, under certain conditions, for statistical purposes.
  3. Personal data shall be processed to the minimum extent necessary for the purposes for which it is processed.
  4. We ensure that the personal data we process is accurate and regularly updated, and that incorrect data is corrected or deleted.
  5. We only keep personal data for as long as is necessary for the purposes for which we process it.
  6. We take appropriate technical and organisational measures to ensure adequate security of personal data, including the prevention of unauthorised or unlawful processing and accidental loss, destruction or damage.

1. PRIVACY CONTACT

For questions concerning the processing and use of personal data, or requests for information, rectification, blocking or erasure of personal data, withdrawal of consent to information, or withdrawal of consent, please contact info@dinnerinthedark.si (hereafter referred to as the email address in point 1).

2. WHAT PERSONAL DATA IS COLLECTED

  • Basic personal data (e.g. name and surname);
  • communication details (e.g. address, post, phone number);
  • information about communication between the company and you;
  • payment details;
  • any other data obtained on the basis of consent.

3. WHAT ARE THE LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA

We may handle personal data in accordance with applicable data protection legislation:

  • if this is necessary for the conclusion and/or performance of the contract (registration for an event, workshop, etc.)
  • if required by law;
  • if consent is given (which can be withdrawn at any time);
  • if the processing is necessary for the legitimate interests of the company or of a third party.

3.1. PROCESSING ON THE BASIS OF A CONTRACT

The Company processes personal data of individuals for the performance of contractual obligations to organise events, workshops or other services agreed between the parties. In the context of exercising rights and fulfilling contractual obligations, the Company processes personal data of individuals for the following purposes:

  • identification of the individual;
  • preparing the offer and concluding the contract;
  • the provision of services, whereby the Company may share data with contractual partners who will provide specific services (e.g. accommodation provider, etc.).
  • sending notices to individuals in connection with the performance of the contractual relationship;
  • informing you about changes to legislation in a particular area or changes to terms and conditions of sale;
  • invoicing services;
  • resolving objections or complaints
  • carrying out all recovery procedures, selling receivables;
  • for other purposes necessary for entering into or performing the contractual relationship.

The Company processes data to the extent necessary for the authentication and identification of transactions, for the preparation of reports and for the planning of further activities.

The Company processes all necessary information for the purposes of organising events and related services or other services requested by the individual. This includes in particular, but not exclusively: name, surname, date of birth, address, place, country, telephone number, e-mail, etc.

We do not require explicit consent for the contractual processing of personal data.

For events or workshops that are strictly related to taking photos and posting images (on Facebook, Twitter, YouTube and Instagram), please note that taking photos and posting images are part of the event or workshop. Although the taking of photographs and the publication of images is a contractual relationship, the Company will still obtain the explicit consent of the individual. If explicit consent to photograph and publish images is not given and the Company cannot ensure that the individual will not be in the photograph, the Company may reasonably refuse to accept the registration for such event or workshop.

If the individual does not provide all the personal data that the Company needs for the performance of the contractual relationship, the Company cannot perform the individual's order. In doing so, the Company shall always obtain and further process only the personal data necessary for the performance of the contractual relationship.

3.2. PROCESSING UNDER THE LAW

The legal basis means that the Company processes the personal data of the data subject in order to comply with applicable legal obligations imposed by law. In particular, in the Republic of Slovenia, the legal obligations for the processing of certain personal data are set out in:

  • Law on value added tax ZDDV-1;
  • Tax Procedure Act;
  • Companies Act;
  • Accounting Act;
  • Rules on the implementation of the Law on Value Added Tax;
  • Slovenian Accounting Standards.

If the company processes personal data of an individual who has made an online purchase or ordered a service, it will keep the invoice for 10 years (as well as the data of the individual/buyer on the invoice).

3.3. PROCESSING BASED ON LEGITIMATE INTEREST

The Company may process data on the basis of a legitimate interest pursued by the Company or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data relate to a child. In the event of further use of the data collected about the data subject, the Company shall carry out an assessment in accordance with the General Data Protection Regulation. For example, such further use of the data in pseudonymised or aggregated form constitutes a legitimate use of the data for marketing and other business or technical analysis by the Company.

Direct marketing is also a legitimate interest under the GDPR. For direct marketing purposes, the Company may, without consent, create individual profiles based on basic information about the services selected, such as the type or specific characteristics of the service selected, the timing of the selection or past marketing contacts with the individual, in particular in relation to expressed interest or disinterest in certain services. Such basic profiling shall never include sensitive data. The individual may object to processing in accordance with the right to restriction (point 7.4).

The Company may, on the basis of legitimate interest, contact the individual to improve the service or to determine his or her satisfaction with the services, even if this is not strictly necessary for the performance of the contract. The Company shall not contact those individuals who have objected on the grounds of their interest.

The Company has a legitimate interest in keeping and further using the data for analysis and research for marketing, business planning and similar purposes until the expiry of the statutory retention period.

3.4. PROCESSING BASED ON CONSENT TO THE PROCESSING OF PERSONAL DATA

Explicit consent is the basis for processing personal data for which the company has no legal or contractual basis. For example, consent may relate to:

  • information about other offers and services of the Company, which shall be provided exclusively through the communication channel chosen by the individual;
  • photographing and recording the event or workshop to showcase the Company's activities and publishing the photos, videos and audio recordings on the Company's website and Facebook, Twitter, YouTube and Instagram profiles.

Consent is given by the individual or, in the case of a child, by a parent or legal guardian.

In these cases, the processing of personal data until revocation shall be carried out to the extent and for the purposes permitted by the data subject's declaration and through the agreed communication channels.

If the data subject does not consent to the collection and processing of personal data for one or more of the purposes set out in the individual consent, this shall have no consequences for data processed on the basis of other legal bases.

Personal data collected on the basis of consent will be processed only within the scope and for the purpose of the consent given and will not be disclosed to third parties, unless this is explicitly stated in the consent and the data subject agrees that the personal data may be disclosed to the processor indicated in the consent.

The data subject may withdraw consent to the processing of personal data at any time by contacting our Data Protection Point (point 8). You may withdraw your consent by sending an email to the email address provided in point 1.

4. HOW LONG THE PERSONAL DATA ARE KEPT

Personal data is stored in accordance with the applicable rules governing the protection of personal data. It shall be kept only for as long as is necessary for the purposes for which it is processed or in accordance with the law. Personal data processed on the basis of the individual's personal consent is kept permanently, until revoked. Personal data processed on the basis of the law or a contractual relationship shall be kept for as long as the law provides.

If the data are processed on the basis of the data subject's consent for the purposes of marketing by the company, the data may be processed to the extent necessary for the duration of such marketing or services.

At the end of the retention period, the personal data shall be effectively and permanently erased or anonymised so that they can no longer be linked to the data subject.

5. HOW WE PROTECT PERSONAL DATA

We use technical and organisational security measures to protect personal data against unlawful or unauthorised access or use and against accidental loss or impairment of its integrity. We have designed these measures in light of our IT infrastructure, the potential impact on individual privacy and costs, and in accordance with applicable industry standards and practices. Our contract processors only process your personal data if they comply with these technical and organisational security measures.

Ensuring data security means protecting the confidentiality, integrity and availability of personal data:

  • confidentiality and integrity: personal data of individuals are protected against unauthorised or unlawful processing and against accidental loss, destruction or damage;
  • availability: we ensure that authorised processors can access personal data only when necessary.

Our security procedures include access security, backups, monitoring, auditing and maintenance, security incident management, etc.

6. WHO PROCESSES PERSONAL DATA

Depending on the purposes for which we process personal data of individuals, we may disclose such data to the following categories of processors:

  a) Employees within the Company.
  b) Our business partners. We require them to comply with applicable laws and data protection policies and to pay close attention to the confidentiality of personal data:
  • advertising, marketing and promotional agencies and suppliers: MailChimp, Google (Google - remarketing cookie identifier only, email address for displaying ads in Google AdWords, analytics cookie identifier in Google Analytics; Facebook - remarketing cookie identifier only, email address for displaying ads in Facebook Custom Audiences), which help us to implement and analyse the effectiveness of our campaigns and promotions;
  • companies providing services to the Company, i.e. the accounting service provider;
  • natural and legal persons who are our contractual partners and provide consultancy or individual services to the Company in order to perform a contractual relationship between the Company and an individual (e.g. partner agencies, hotels, airlines, carriers, etc.).
  c) Other third parties if required by law or for statutory protection:
  • Company (compliance with laws, requirements of authorities, court orders, legal proceedings, reporting and notification obligations to authorities, etc.), verifying or enforcing compliance with Company policies and agreements;
  • the rights, property or safety of the Company and/or its customers in connection with corporate transactions: in the context of the transfer or disposal of all or part of the business of the Company or otherwise in connection with mergers, consolidations, changes of control, corporate reorganisations.

Our business partners listed above under b) may only process personal data of individuals within the scope of our instructions and may not use personal data to pursue their own interests. Each individual should be aware that the processors listed under b) and c) above, in particular service providers offering services within apps and/or through their own channels, may collect your personal data separately. In this case, they are solely responsible for their control and their cooperation with individuals must be in accordance with their terms and conditions.

7. YOUR CHOICES AND RIGHTS IN RELATION TO YOUR PERSONAL DATA

The Company shall ensure that individuals exercise their rights without undue delay and in any event within one month of receipt of the request. The Company may extend the time limit for the exercise of an individual's rights by up to two months, taking into account the complexity and number of requests. In the event of an extension of the time limit, the Company shall inform the individual of the extension within one month of receipt of the request, stating the reasons for the delay.

Where the data subject sends a request by e-mail, the information shall, where possible, be provided in electronic form, unless the data subject requests otherwise.

7.1. RIGHT OF ACCESS TO DATA

Any individual may contact us at the e-mail address provided in point 1 in order to find out what personal data we process. Each individual has the right to access personal data and to obtain further information in relation to the processing of personal data, including:

  • the purpose of the processing;
  • categories of personal data;
  • users and legal persons to whom personal data have been or will be disclosed;
  • if possible, the envisaged period of retention of the personal data or, if this is not possible, the criteria used to determine the period of retention;
  • the existence of a right to obtain from the controller the rectification or erasure of personal data or the restriction of personal data concerning the data subject, or the existence of a right to object to such processing;
  • the right to complain to the supervisory authority;
  • where the personal data are not collected from the individual, any available information concerning their source.

7.2. RIGHT OF RECTIFICATION

If the data subject becomes aware of any error in his or her personal data, or if he or she becomes aware that the personal data is incomplete or incorrect, he or she may request the Company to rectify or supplement the inaccurate or incomplete personal data without undue delay.

7.3. RIGHT TO ERASURE

The individual may request the erasure of his or her personal data without undue delay. The Company must delete the personal data without undue delay:

  • when the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • where the data subject withdraws the consent on which the processing of personal data is based and there is no other legal basis for the processing;
  • where the data subject objects to processing on the basis of a legitimate interest of the company, while there are no overriding legal grounds for processing the personal data;
  • if the data subject objects to processing for direct marketing purposes;
  • where the erasure of personal data is necessary to comply with a legal obligation under EU or Slovenian law;
  • in the case of incorrectly collected data from a minor for the use of an information society that is unable to provide such data under applicable law.

(except in certain cases, for example to prove a transaction or if required by law).

7.4. THE RIGHT TO RESTRICTION

Any individual may request the restriction of the processing of his or her personal data where:

  • the data subject contests the accuracy of the data, for a period which allows the Company to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject objects to the erasure of the personal data and requests the restriction of their use;
  • The Company no longer needs the personal data for the purposes of the processing, but the data subject needs the personal data for the establishment, exercise or defence of legal claims;
  • the data subject has objected to the processing, pending verification that the legitimate grounds of the company override those of the data subject.

7.5. THE RIGHT TO DATA PORTABILITY

Every data subject shall have the right to receive personal data concerning him or her which he or she has provided to the Company in a structured, commonly used and machine-readable format and the right to have such data transmitted to another controller without hindrance by the Company, where the processing is based on consent or on a contract and the processing is carried out by automated means.

7.6. RIGHT TO OBJECT

Each individual shall have the right to object, on grounds relating to his or her particular circumstances, to processing of personal data concerning him or her at any time, on the basis of legitimate interests pursued by the company or by a third party. In this case, the Company shall cease processing the personal data unless it is shown that there are compelling reasons for the processing which override the interests, rights and freedoms of the data subject, or for the establishment or defence of legal claims. Where personal data are processed for the purpose of direct marketing, any individual shall have the right to object at any time to processing of personal data concerning him or her for the purposes of such marketing, including profiling where it relates to such direct marketing. Where direct marketing is based on consent, the right to object may be exercised by withdrawing the consent given.

8. WHO I CAN CONTACT IF I HAVE QUESTIONS ABOUT MY PERSONAL DATA

We have organised a contact point to answer your questions or requests regarding your personal data (and its processing) and the exercise of your rights. You can write to us at the e-mail address under point 1.

We may request additional information from you in order to reliably identify you when exercising your rights related to personal data, and we may refuse to take action only if we can prove that we cannot reliably identify you.

9. THE RIGHT TO LODGE A COMPLAINT CONCERNING THE PROCESSING OF PERSONAL DATA

Anyone has the right to lodge a complaint regarding the processing of personal data. Complaints should be sent to the email address provided in point 1. You also have the right to lodge a complaint directly with the Information Commissioner if you believe that the processing of personal data concerning you violates Slovenian or EU data protection rules. If you have exercised your right of access to data and, after receiving the decision, you consider that the personal data you have received is not the personal data you requested or that you have not received all the personal data requested, you may lodge a reasoned complaint with the Company within 15 days before lodging a complaint with the Information Commissioner. The Company will decide on the complaint as a new request within five working days of receipt.

GDPR will come into force on 11.04.2019.
