PERSONAL DATA PROTECTION POLICY


The purpose of this Personal Data Protection Policy is to inform individuals, service users, external partners, employees and other persons (hereinafter referred to as "the individual" or "data subject") working with Cultural and Congress Centre Cankarjev dom (hereinafter referred to as "Cankarjev dom" or "Organization") of the purposes, legal bases, security measures and rights of individuals with regard to the processing of personal data carried out by Cankarjev dom.

We value your privacy, and always carefully protect your data.

We process personal data in accordance with European legislation – Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the "General Regulation"), the applicable Slovenian legislation on the protection of personal data and other legislation that provides us with a legal basis in this regard.

The Personal Data Protection Policy contains information on how we, as controller, process personal data that we receive from the individual on a legal basis.

1. Data Controller

The controller of personal data is:
Cankarjev dom, Cultural and Congress Centre
Prešernova cesta 10, SI-1000 Ljubljana
www.cd-cc.si
e-mail: info@cd-cc.si
telephone: +386 (0)1 24 17 100

2. Data Protection Officer

Pursuant to Article 37 of the General Regulation, the controller has designated as its data protection officer the company:
DATAINFO.SI, d.o.o.
Tržaška cesta 85, SI-2000 Maribor
www.datainfo.si
e-mail: dpo@datainfo.si
telephone: +386 (0) 2 620 4 300

3. Personal Data

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

4. Purposes of and Bases for Data Processing

We collect and process personal data on the following legal grounds:

  • The processing is necessary to fulfil a legal obligation applicable to the controller;
  • The processing is necessary for the fulfilment of a contract to which the data subject is a contracting party, or for the implementation of measures at the request of such an individual prior to the conclusion of the contract;
  • The processing is necessary due to the legitimate interests pursued by the controller or a third party;
  • The data subject consents to the processing of his or her personal data for one or more specific purposes;
  • The processing is necessary to protect the vital interests of the data subject or of another natural person.

4.1 Fulfilment of a Legal Obligation
Under the law, we process our employees’ data; this processing is allowed by the labour law and social assistance legislation. On the basis of the legal obligation for employment purposes, we process mainly the following types of personal data: name, gender, date of birth, personal identity number, tax number, place, municipality and country of birth, nationality, place of residence, etc. The legal basis for the processing of personal data of individuals is also the Exercising of the Public Interest in Culture Act and other legislation governing culture and the meetings industry. In limited cases, the processing of personal data is permissible in the Organisation also on the grounds of public interest. All sector-specific legislation in force is available on the website of the relevant ministry (Legislation of the Ministry of Culture | GOV.SI).

4.2 Fulfilment of a Contract
If the individual enters into a contract with Cankarjev dom, this constitutes the legal basis for the processing of personal data. Personal data can thus be processed for entering into and fulfilling a contract, e.g. sale of tickets, season subscriptions, etc. If the individual does not provide personal data, a contract cannot be entered into, nor can we provide a service or deliver goods or other products in accordance with the contract, as we do not have the necessary data to fulfil the contract. In the course of lawful activities, we can keep individuals and our service users up to date with our services, events, trainings, offers and other content via their e-mail addresses. An individual may at any time opt out of such communication and processing of personal data and exercise the right of withdrawal from receiving notifications by clicking the unsubscribe link in the received message, by e-mailing info@cd-cc.si, or by sending a letter by post to Cankarjev dom, kulturni in kongresni center, Prešernova cesta 10, 1000 Ljubljana, Slovenija.

4.3 Legitimate Interests
The legitimate interests of a controller may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. At any rate, the existence of a legitimate interest is subject to careful assessment in accordance with the General Regulation. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. We may also process personal data of individuals collected from publicly available sources or in the course of lawful activities for the purposes of offering goods, services, employment, information on benefits, events, etc. In order to achieve these purposes, we may use postal mail, telephone calls, e-mails, and other means of telecommunication. For the purposes of direct marketing, we may process the following personal data of individuals: the name and surname of the individual, address of permanent or temporary residence, telephone number and e-mail address. We may also process these personal data for the purposes of direct marketing without the explicit consent of the individual. The individual may at any time opt out of such communication and processing of personal data and exercise the right of withdrawal from receiving notifications by clicking the unsubscribe link in the received message, by e-mailing info@cd-cc.si, or by sending a letter by post to Cankarjev dom, kulturni in kongresni center, Prešernova cesta 10, 1000 Ljubljana, Slovenija.

4.4 Processing on the Basis of Consent
If there is no legal basis in Union law or in the law of the Member State to which the controller is subject, contractual obligation or legitimate interest, we may seek consent from the individual. Thus, where the individual gives his or her consent, we may process specific personal data of the individual for the following purposes:

  • The address of residence and e-mail address for information and communication purposes;
  • Photos, videos and other content relating to the individual (e.g. posting of pictures of individuals on our website) for the purposes of documenting activities and informing the public about our work and events;
  • Other purposes to which the individual agrees through giving consent.

The data subject shall have the right to withdraw his or her consent to the processing of personal data at any time. The data subject may request that data processing be suspended by e-mailing info@cd-cc.si or by sending a letter by post to Cankarjev dom, kulturni in kongresni center, Prešernova cesta 10, 1000 Ljubljana, Slovenija. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

4.5 Processing Is Necessary to Protect the Vital Interests of the Individual
The processing of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject. In an emergency, we may search for the individual's identity document, check whether that person exists in our database, examine his or her medical history or contact his or her family, for which the individual's consent is not required. All of this applies solely if strictly necessary to protect the vital interests of the individual.

5. Storage and Erasure of Personal Data

We shall store personal data only for as long as necessary to achieve the purpose for which they were collected and processed. If the data is processed under the law, it is stored for the duration prescribed by law. In doing so, some of the data is stored for the duration of the data subject’s contractual/business relationship with us, while some data needs to be stored permanently. We store personal data that we process on the basis of a contractual relationship with the individual for as long as necessary for the contract to be fulfilled and for six years after its termination, except when a dispute arises between the individual and the controller in connection with the contract. In such cases, we keep the data for ten years after the legal effect of a court ruling, arbitration or court settlement, or in the absence of a court case, for five years from the date of the amicable settlement of a dispute. We may keep the data we process on the basis of the individual’s personal consent or the legitimate interest until consent has been withdrawn or until a request for data erasure has been submitted. The data is erased within 15 days upon the receipt of a withdrawal of consent or request for data erasure. We may also delete data prior to withdrawal if the purpose of their processing has been achieved or if the law so provides.

In exceptional cases, we may refuse a request for erasure of personal data for the reasons specified in the General Regulation, as follows: the exercise of the right to freedom of expression and information, the fulfilment of a legal obligation to process, reasons of public interest in the field of public health, the purposes of archiving in the public interest, scientific or historical research or statistical purposes, the exercise or defence of legal claims. After the purpose of storing has been served, unless there exist legal grounds, personal data shall be effectively and permanently deleted or rendered anonymous in such a manner that the data subject is not or no longer identifiable. 

6. Subcontracting the Processing of Personal Data and Data Output

The processing of personal data may be entrusted to a subcontractor on the basis of a data processing contract. The data entrusted to a subcontracted processor may be processed exclusively on behalf of the controller, within the limits of the powers expressly conferred upon the processor, which shall be recorded in a written contract or other legal act, and in accordance with the purposes set out herein (Personal Data Protection Policy).

The processors with whom we have entered into a subcontract are, in particular:

  • Auditing services and other legal and business consultancy providers;
  • Infrastructure maintenance providers (video surveillance, security services);
  • Information systems maintenance providers;
  • E-mail and software service providers, cloud services;
  • Social media and online advertising providers (Google, Facebook, Instagram, Twitter etc.).

We do not transmit personal data to unauthorised third parties under any circumstances. Subcontracted processors may process personal data only within the framework of our instructions and may not use it for any other purposes.

Cankarjev dom as the controller and its employees do not transfer personal data to third countries (outside the Member States of the European Economic Area – EU members, as well as Iceland, Norway and Liechtenstein) and to international organisations, except to the USA, whereby relations with US subcontracted processors are regulated on the basis of standard contractual clauses (standard contracts adopted by the European Commission) and/or binding corporate rules (adopted by the organisation and approved by the EU supervisory authorities).

For the purposes of better review and control over the subcontracted processors and for the sake of the regularity of contractual relationships, we keep a list of subcontracted processors, which specifies all the processors with whom we have entered into a contractual relationship.

7. Data Protection and Data Accuracy

We provide information security and security of infrastructure (premises and application/systems software). Our information systems are protected by antivirus programs and firewalls, among others. We have put in place appropriate organisational and technical security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, and against other unlawful and unauthorized forms of processing. Any transmission of specific types of personal data is password protected and carried out in an encrypted form.
The individual has the sole responsibility for providing his or her personal data securely and for ensuring the data is accurate and authentic. We have spared no effort to ensure that the personal data we process is accurate and, if necessary, updated, and may therefore occasionally contact the individual for data validation.

8. Rights of a Data Subject

In accordance with the General Regulation, the individual may exercise the following personal data protection rights:

  • The right of requesting information concerning whether we have collected his/her personal data and, if so, which data we have collected and on what basis, as well as the purposes of its use;
  • The right to access his/her personal data, enabling him/her to receive a copy of the personal data collected and stored by the organisation and determine whether the data is processed lawfully;
  • The right of rectification: the data subject has the right to obtain from the Organisation the rectification of incomplete or inaccurate personal data concerning him/her;
  • The right to erasure of personal data when no reason exists for further processing or where he/she exercises his/her right to object;
  • The right to object to further processing of personal data, where we refer to the legitimate commercial interest (including the legitimate interest of a third party) on grounds relating to his/her particular situation; where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing;
  • The right to obtain from the controller restriction of processing which means suspending the processing of data, for example if a data subject wishes to establish the accuracy or verify the grounds for further processing of personal data;
  • The right to transmit to another controller the personal data concerning him or her, where technically feasible;
  • The right to withdraw the consent given for the collection, processing and transfer of personal data for a particular purpose; upon receipt of a notice of withdrawal of consent, we shall cease to process personal data for the purposes initially set out, unless we have another legal basis to do so lawfully.

If wishing to exercise any of the above rights, a data subject may e-mail the request to info@cd-cc.si or send a letter by post to Cankarjev dom, kulturni in kongresni center, Prešernova cesta 10, 1000 Ljubljana, Slovenija. We shall reply to a data subject's request without undue delay, i.e. within one month at the latest. If this time limit were extended (up to two additional months at the most), taking into account the complexity and number of requests, a data subject shall be informed thereof. Access to personal data and acquired rights is free of charge for the data subject. However, a reasonable charge may be made if the data subject's request is manifestly unfounded or excessive, especially if submitted repeatedly. In such a case, we may also refuse the request. When a data subject exercises rights under this title, we may need to request certain information from the data subject to assist us in verifying his or her identity, which is only a security measure to ensure that personal data is not disclosed to unauthorised persons.

In exercising the rights under this title, a data subject may use the form provided by the Information Commissioner available on their website (Obrazci s področja varstva osebnih podatkov - IPRS (ip-rs.si)).

If a data subject has reasonable belief that his or her rights have been infringed, he or she may contact the supervisory body (Information Commissioner) for protection or assistance: Prijava kršitev varnosti - IPRS (ip-rs.si).

For any questions regarding the processing of personal data, the individual may always contact us by sending an e-mail to info@cd-cc.si or a letter by post to Cankarjev dom, kulturni in kongresni center, Prešernova cesta 10, 1000 Ljubljana, Slovenija.

9. Changes to the Personal Data Protection Policy 

Any change to our Personal Data Protection Policy is posted on our website (https://www.cd-cc.si/), under the heading https://www.cd-cc.si/politika-varovanja-osebnih-podatkov. By using the website, the individual confirms that they accept and agree to the full content of this Personal Data Protection Policy.

The Personal Data Protection Policy was adopted by the Director General of the Organisation on August 22nd 2022.

Last updated: August 2022

© Cankarjev dom
