Regulations on Personal Data Protection
Based on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter referred to as GDPR), and the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, hereinafter referred to as ZVOP-2), the director of Rdeča Oranža, izkustveni marketing d.o.o. (hereinafter referred to as Rdeča Oranža), adopts the following regulations on personal data protection.
- I. General terms
Article #1
This regulation defines organizational, technical, and logical-technical procedures and measures for ensuring the security of personal data in Rdeča Oranža, with the aim of:
- Ensuring that personal data is processed lawfully, fairly, and transparently.
- Collecting personal data for specific, explicit, and lawful purposes and not processing them in a manner that is incompatible with those purposes.
- Processing only the personal data necessary for each specific purpose by default; this obligation applies to the amount of collected personal data, the scope of their processing, the retention period, and their accessibility.
- Respecting and protecting the rights and freedoms of individuals to whom the personal data relates.
- Ensuring the security of personal data, including protection against unauthorized or unlawful processing, as well as accidental loss, destruction, or damage.
- Being able to demonstrate compliance with data protection legislation.
The provisions of this regulation apply to the employees of Rdeča Oranža, who must adhere to them. They also extend to other individuals who work for the company on a basis other than an employment contract. In case of any doubt regarding the meaning of any provision in this document, please contact Director Martin Korošec.
Article #2
The terms used in this policy have the following meanings:
- Personal data – the same meaning as defined in the GDPR.
- Natural person – an identified or identifiable natural person; a natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity, where the means of identification do not involve disproportionate effort or time.
- Collection of personal data – the same meaning as defined in the GDPR.
- Processing of personal data – the same meaning as defined in the GDPR.
- Data controller – the same meaning as defined in the GDPR.
- Sensitive personal data – the same meaning as defined in the GDPR.
- Data subject – the same meaning as defined in the GDPR.
- Data carrier – any type of medium on which data is recorded or stored (documents, records, materials, files, computer equipment including magnetic, optical, or other computer media, photocopies, audio and visual materials, microfilms, data transmission devices, etc.).
- Employees – individuals who have an employment contract with the company, individuals working in the company as apprentices or students, individuals working for the company on the basis of a contract between the company and their employer, individuals who provide services for other employers, and individuals performing tasks for the company under civil law contracts.
- Security incident – a breach of security leading to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, personal data transmitted, stored, or otherwise processed.
Article #3
The company keeps and maintains a record of personal data processing activities with the prescribed components, in accordance with the provisions of Article 30 of the GDPR, separately for each collection. The record of processing activities is kept in electronic form, and access is possible upon prior request. Each department head responsible for a specific collection is responsible for maintaining the record of processing activities within their department, and supervision is carried out by the director.
Article #4
Only personal data for which there is an appropriate legal basis under the GDPR or other legislation may be processed within the company or for the company’s needs. If there is no legal basis for processing, active processing of the personal data must be stopped immediately, access to them must be denied, and the lack of a basis must be reported to the company’s director, who determines further actions regarding that data.

Personal data may only be collected for specific and lawful purposes and must not be further processed in a manner incompatible with those purposes unless otherwise specified by law. When the company intends to further process personal data for a purpose other than the one for which they were collected, it must verify in advance whether the new purpose is compatible with the original purpose and prepare a written report on the assessment.

Measures to ensure the security of specific personal data collections, such as pseudonymization and encryption, time and access restrictions, processing limitations, purpose limitations, etc., as well as the method of their implementation, are determined by the director upon the proposal of the department head.

Under the GDPR, maintaining the record of processing activities is not required for companies with fewer than 250 employees, UNLESS:
- the processing is likely to result in a risk to the rights and freedoms of individuals (i.e., it is invasive);
- the processing is not occasional;
- the processing involves special categories of data.

In light of the above, particularly the condition concerning the frequency of processing, it is recommended that companies with fewer than 250 employees also maintain a record of processing activities.

Special categories of personal data may only be processed in accordance with the provisions of the GDPR and other laws. During processing, these data must be specifically marked and secured in a way that prevents unauthorized access.

Individuals must be informed about the processing of their personal data in accordance with Articles 12, 13, and 14 of the GDPR. Each department head responsible for a specific collection is responsible for preparing the notice within their department.

Each department head responsible for a specific collection is obliged (for each specific collection) to establish and maintain a written list of individuals who, due to the nature of their work and/or function in the company, may process certain personal data or have access to the collections (hereinafter referred to as “authorized data processors”). Department heads are required to submit the written list of authorized data processors to the company’s director. Before processing personal data, authorized data processors must familiarize themselves with the provisions of the GDPR and the content of this regulation, and they are obliged to sign a special “Data Processing Agreement Appendix.”
Article #5
An individual has the right to obtain confirmation from the company as to whether their personal data is being processed and, if so, the right to access the personal data (inspection) and the information referred to in Article 15(1) of the GDPR.

An individual has the right to request that the company correct inaccurate or incomplete personal data concerning them without undue delay.

An individual has the right to request the erasure of personal data concerning them without undue delay if one of the following grounds applies:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the individual withdraws the consent on which the processing is based, and there is no other legal basis for the processing;
- the individual objects to the processing, and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data must be erased for compliance with a legal obligation;
- the personal data have been collected in relation to the offer of information society services to a child.

An individual has the right to request the restriction of processing when one of the following cases applies:
- the individual contests the accuracy of the data, for a period enabling the company to verify the accuracy of the personal data;
- the processing is unlawful, and the individual opposes the erasure of the personal data and requests the restriction of their use instead;
- the company no longer needs the personal data for the purposes of processing, but the individual requires them for the establishment, exercise, or defense of legal claims;
- the individual has objected to processing, pending the verification of whether the legitimate grounds of the company override those of the individual to whom the personal data relate.

An individual has the right to receive the personal data concerning them, which they have provided to the company, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another controller without hindrance from the company, where:
- the processing is based on consent, and
- the processing is carried out by automated means.

The company’s director is responsible for ensuring that individuals are properly informed about the rights described in the preceding paragraphs of this article, in accordance with the requirements of the GDPR. The director also ensures the establishment of a single point of contact to which individuals can turn to exercise their rights. The department head is responsible for facilitating the exercise of individuals’ rights and for communicating with them. If an individual’s personal data are found in multiple collections, the company’s director determines the competent department head.
Article #6
The department head or any other person who becomes aware that a planned processing of personal data, especially (but not exclusively) one using new technologies, could, considering the nature, scope, context, and purposes of the processing, pose a high risk to the rights and freedoms of individuals, must alert the director. In such cases, the director decides whether an assessment of the impact of the intended processing activities on the protection of personal data is necessary.

The department head, or another authorized person designated by the department head, is responsible for conducting the impact assessment. All employees who can provide the necessary information and assessments must participate. The impact assessment is conducted in writing and includes:
- a systematic description of the intended processing activities and the purposes of the processing, as well as, where appropriate, the legitimate interests pursued by the company;
- an assessment of the necessity and proportionality of the processing activities in relation to their purpose;
- an assessment of the risks to the rights and freedoms of the individuals to whom the personal data relate;
- measures to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other relevant persons.

If the department head or the authorized person who conducted the impact assessment determines that the intended processing would result in a high risk and the company does not take measures to mitigate that risk, they must inform the company’s director and assess whether consultation with the supervisory authority is necessary.
- II. Security of premises and computer equipment
Article #7
Premises where personal data storage, hardware, and software equipment (secured premises) are located must be protected by organizational, physical, and/or technical measures that prevent unauthorized access to the data. Access is only permitted during regular working hours, and outside of those hours, it is only allowed with the permission of the director or supervisor. Keys should not be left in the lock from the outside. Secured premises must not be left unattended and should be locked in the absence of supervising employees. Cabinets and desks with stored personal data must be locked outside of working hours, computers and other hardware must be turned off, and physically or programmatically locked. Employees must not leave stored personal data on their desks in the presence of unauthorized individuals. Stored personal data located outside secured premises (hallways, common areas) must be permanently locked. Sensitive personal data should not be stored outside secure areas. An employee who uses or processes personal data in their work must not leave stored personal data unattended on their desk during working hours or expose them to the risk of unauthorized access by other individuals. Keys, cards, passwords, and other means that enable access to secured premises must be protected, managed, and securely stored. Any loss, misuse, or suspicion of misuse must be immediately reported by the employee.
Article #8
In premises intended for work with customers, stored data and computer screens must be positioned so that customers cannot see them.
Article #9
Maintenance and repair of hardware, computer, and other equipment are only permitted with the knowledge of authorized personnel and may only be carried out by authorized service providers and technicians who have a relevant agreement with Rdeča Oranža or an issued work order.
Article #10
Premises maintenance staff, hardware and software technicians, visitors, and business partners may only move within secured premises with the knowledge of authorized personnel. Employees such as cleaners, security personnel, etc., may move within secured premises outside working hours only where access to personal data is prevented (stored data is kept in locked cabinets and desks, and computers and other hardware are turned off or otherwise physically or programmatically locked).
- III. Security of Systems and Application Software of Computer Equipment and Processed Data
Article #11
Access to software must be protected in a way that permits access only to predetermined employees or to legal or natural persons who provide contracted services in accordance with an order.
Article #12
Repair, modification, and supplementation of system and application software are only permitted with the approval of the authorized person and can be performed only by authorized services and organizations, as well as individuals who have a valid contract or have been issued an order by Rdeča Oranža.
Article #13
The same provisions regarding storage and protection of application software apply as for other data in this policy.
Article #14
The content of network server disks and local workstations, which contain personal data, is constantly checked for the presence of computer viruses. When a computer virus is detected, it is promptly eliminated, and the cause of its appearance in the computer’s information system is determined. All personal data and programs intended for use in the computer information system, arriving at Rdeča Oranža on data storage media or via telecommunication channels, must be checked for the presence of computer viruses before use.
Article #15
Employees are not allowed to install programs without the knowledge of the person responsible for the operation of the computer information system. They are also not allowed to remove programs from the business premises without the director’s permission.
Article #16
Access to data through application software is protected by a password system for user authorization and identification of program and data users. The password system must enable retrospective determination of when specific personal data was entered into the database, used, or otherwise processed, as well as who processed it.
Article #17
All passwords and procedures used for accessing and administering the computer network (supervisor or administrator passwords), administering electronic mail, and administering application programs are kept in sealed envelopes and protected from unauthorized access. They may only be used in exceptional circumstances or emergency situations.
Article #18
Personal data may only be stored and processed locally (on local computers and similar devices) in exceptional cases, when this is necessary due to the nature of the job. After the need for such storage and processing ceases, the personal data must be transferred to centralized databases or permanently deleted. Any copies of the content of personal data collections on local media (external disks, USB drives, etc.) are kept in locked cabinets.

For the purposes of recovering the computer system in case of malfunctions and other exceptional situations, regular backup copies of the content of the network server and of local workstations (if data is stored there) are made. These copies are kept in designated locations that must be fireproof, protected from floods and electromagnetic interference, maintained under specified climatic conditions, and locked.
- IV. Services Provided by External Legal or Natural Persons
Article #19
A written contract as referred to in Article 28(2) shall be concluded with each external legal or natural person performing specific tasks related to the collection, processing, storage, or transmission of personal data and registered to perform such activities (contracted or subcontracted). The general data protection regulations shall apply. Such a contract must specify the conditions and measures for ensuring the protection and security of personal data.

Prior to entering into a contract with a data processor, the responsible person (typically the department head) shall obtain information from them to verify whether the data processor meets the requirements of the data protection regulations, including disclosure of all sub-processors involved in the processing, with their names and registered offices. This also applies to third parties maintaining hardware and software and producing or installing new hardware or software.

External legal or natural persons may only provide personal data processing services within the scope authorized by the data controller and must not process or use the data in any other way or for any other purpose. An authorized legal or natural person providing contracted services for Rdeča Oranža outside the controller’s premises must ensure at least an equally strict level of personal data protection as prescribed by this regulation.

Among other requirements, in contracts with data processors the company must secure the right to conduct inspections or audits in the field of personal data protection at least once a year. Inspections or audits shall be carried out if there is any suspicion or indication that the data processor is breaching the contract or not ensuring an adequate level of personal data protection. The audit shall be conducted at the company’s expense, and the data processor shall not charge the company for the engagement of its personnel and/or subcontracted data processors.
- V. Acceptance and Transfer of Personal Data
Article #20
The employee responsible for receiving and recording mail is obliged to deliver mail containing personal data directly to the person or office to which the mail is addressed.

The employee responsible for receiving and recording mail opens and examines all postal shipments, as well as shipments received by the administrative body in ways other than through postal services (brought by customers or delivery personnel), except for the shipments mentioned in paragraphs 3 and 4 of this article.

The employee responsible for receiving and recording mail must not open mail addressed to another body or organization that has been delivered by mistake, nor mail marked as containing personal data or marked on the envelope as relating to a competition.

The employee responsible for receiving and recording mail must not open mail addressed to an employee on which the envelope indicates personal delivery to the recipient, nor mail addressed by personal name, i.e., where the employee’s name appears first, without an official position, followed by the address of the administrative body.
Article #21
Personal data may only be transmitted through information, telecommunication, and other means when procedures and measures are in place to prevent unauthorized persons from appropriating or destroying the data and from accessing its content. Sensitive personal data is sent to recipients in sealed envelopes, against a signature in the delivery book or a delivery note. Personal data is sent by registered mail. The envelope used for transmitting personal data must be designed so that its content is not visible under normal light or when the envelope is held up to ordinary light. Additionally, the envelope must ensure that it cannot be opened and its contents read without visible evidence of tampering.
Article #22
The processing of sensitive personal data must be specifically marked and secured. Data from the previous paragraph can be transmitted through telecommunication networks only if they are specifically secured by cryptographic methods and electronic signatures in a way that guarantees data confidentiality during their transmission.
Article #23
Personal data is provided only to users who demonstrate an appropriate legal basis, or upon a written request or consent of the individual to whom the data relates. For each transfer of personal data, the user is obliged to submit a written request clearly stating the legal provision authorizing the user to obtain the personal data, or the request must be accompanied by a written request or consent of the individual to whom the data relates. In the case of collecting and transferring personal data between state administrative bodies, the provisions of the Regulation governing administrative operations must also be taken into account. Original documents are never handed over, except on the basis of a written court order. While the original is absent, it must be replaced in the file by a copy.
- VI. Erasing data
Article #24
After the expiration of the retention period, personal data is erased, destroyed, or anonymized unless otherwise specified by law or other regulations. The department manager decides on the erasure, destruction, or anonymization of personal data. A record is made of the destruction, erasure, or anonymization of personal data, which must not contain personal data of individuals whose data has been erased, destroyed, or anonymized.
Article #25
For the deletion of data from computer media, a method of deletion is used that makes it impossible to recover all or part of the deleted data. Data on physical media (documents, records, registers, lists, etc.) are destroyed in a way that makes it impossible to read all or part of the destroyed data. The exact method of destruction for specific types of personal data or carriers is determined by the company director. Auxiliary materials (e.g., matrices, calculations and diagrams, sketches, test or unsuccessful prints, etc.) are destroyed in the same manner. Disposal of storage media containing personal data in regular trash is prohibited. When transferring stored personal data to the place of destruction, appropriate security measures must be ensured.
- VII. Procedure in Case of a Security Incident Related to Personal Data
Article #26
Employees are obligated to implement measures to prevent the misuse of personal data and must handle the personal data they come into contact with during their work conscientiously and carefully, in accordance with the procedures set out in this regulation. In the event of activities aimed at the unauthorized disclosure or destruction of confidential data, their malicious or unauthorized use, misappropriation, alteration, or damage, employees are required to immediately notify the authorized person or supervisor and take steps to prevent such actions. Any suspicion of a breach of personal data protection must be reported by the director of the company to the Information Commissioner within 72 hours. When a breach of personal data protection is likely to pose a significant risk to the rights and freedoms of individuals, the company director must ensure that the affected individuals are informed of the breach without undue delay.
Article #27
The company director is responsible for ensuring that, following a security incident, a root cause analysis is conducted and measures are proposed to reduce or eliminate the risks of such and future security incidents. Reasonable and feasible measures should be implemented accordingly. If it is determined that an employee caused or participated in the security incident or that the incident occurred due to employee negligence, the company director, irrespective of other provisions in this regulation, shall take appropriate employment-related measures against the employee.
- VIII. Responsibility for the Implementation of Security Measures and Procedures
Article #28
The company director and authorized individuals who are not employees of the company are responsible for implementing and supervising the procedures and measures for the protection of personal data. The supervision referred to in paragraph 1 of this article includes regular examination, assessment, and evaluation of the effectiveness of the technical and organizational security measures for data processing. All employees and other individuals in the company are obligated to participate in these activities.
Article #29
Anyone processing personal data is obligated to implement prescribed procedures and measures for data security and data protection that they become aware of or are familiar with in the course of their work. The obligation to protect data does not cease upon termination of employment. Prior to commencing work in a position where personal data is processed, an employee must sign a specific declaration committing to the protection of personal data. The signed declaration must clearly indicate that the signatory is familiar with the provisions of this regulation and the provisions of the General Data Protection Regulation, and the declaration must also include instructions on the consequences of a breach.
Article #30
Employees who violate the provisions of the previous article are subject to disciplinary action, while others are subject to contractual obligations.
- IX. Final provisions
Article #31
This policy shall enter into force on May 25, 2018.
Article #32
This policy is published on the website www.oranza.si. Employees may also obtain it from the director.
Date of publication of the latest version: March 17, 2023.