On the basis of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in the processing of personal data and on the free flow of such data (General Data Protection Regulation, hereinafter: GDPR), and the Act on the Protection of Personal Data (Official Gazette of the Republic of Slovenia, no. 163/22, hereinafter: ZVOP-2) issued by Soča Trout – Bojan Rusjan, sport activity, s.p.

REGULATION ON THE PROTECTION OF PERSONAL DATA

INTRODUCTORY PROVISIONS

Article 1
(Purpose and legal nature of the regulations)

These regulations define the technical and organizational measures with which the entrepreneur Soča Trout – Bojan Rusjan, sport activity, s.p. (hereinafter: entrepreneur) protects personal data.

The measures from the previous paragraph are implemented with the aim of ensuring that:
• personal data are processed legally, fairly and in a transparent manner in relation to the individual to whom the personal data refer (principle of legality, fairness and transparency);
• personal data are collected for specific, explicit and legal purposes, and are not processed in a way that is incompatible with these purposes (principle of purpose limitation);
• by default, only personal data that is necessary for each specific processing purpose is processed; this obligation applies to the amount of personal data collected, the scope of their processing, the period of their storage and their accessibility (principle of the minimum amount of data and principle of storage limitation);
• the rights and freedoms of individuals to whom personal data refer are respected and protected;
• the processed personal data is accurate or appropriately updated (principle of accuracy);
• the security of personal data is ensured, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage with appropriate technical or organizational measures (principle of integrity and confidentiality);
• the entrepreneur can demonstrate compliance with the legislation in the field of personal data protection.

This rulebook is a general act in the sense of legislation in the field of labor relations and defines the obligations that workers must be aware of in order to fulfill their contractual and other obligations.

This policy also applies to persons who work at or for the entrepreneur on the basis of contracts other than employment contracts, including pupils and students.

The persons listed in paragraphs 3 and 4 of this article and other persons who, due to the nature of their work, may process certain personal data must, before processing personal data, be familiar with the provisions of the currently applicable Act on the Protection of Personal Data, Regulation (EU) on the protection of individuals in the processing of personal data and on the free flow of such data and on the repeal of Directive 95/46/EC (hereinafter: GDPR) and with the content of this regulation, and are bound to confidentiality in the processing of personal data. Any of the persons listed in paragraphs 3 and 4 of this article and any of the authorized/contractual processors is obliged to seek professional explanation or help from the entrepreneur in case of any doubt regarding the meaning of the stated regulations or the provisions of this rulebook.

In matters not regulated by this regulation, ZVOP-2 and GDPR are directly applied.

Article 2
(Definition of terms)
In this policy, the terms “personal data”, “special types of personal data”, “collection”, “processing”, “individual”, “controller”, “processor”, “user”, “third party”, “individual consent” and “data subject” have the same meaning as in the GDPR, unless it is regulated differently below or in individual places of this regulation.

“Data carrier” means all types of means on which personal data is recorded (documents, acts, materials, files, computer equipment, photocopies, audio and visual material, etc.).

“Employees” means persons who have an employment contract with the entrepreneur, persons who work for the entrepreneur as pupils or students, persons who work for the entrepreneur on the basis of a contract between the entrepreneur and their employer, who performs the activity of providing work to other employers, and persons who perform work for an entrepreneur on the basis of civil law contracts.

“Security Incident” means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of Personal Information that is transmitted, stored or otherwise processed.

Article 3
(Record of personal data processing activities)
Due to the non-existence of the conditions from the fifth paragraph of Article 30 of the GDPR, the entrepreneur does not keep records of personal data processing activities.

Article 4
(Processing of personal data, security and notification of individuals)
When adopting and implementing security measures and procedures, the entrepreneur takes into account the nature of personal data and the level of risk posed by individual processing.

At the entrepreneur or for the needs of the entrepreneur (with the help of processors), only those personal data for which there is an appropriate legal basis according to the provisions of the GDPR or other applicable legislation in the field of personal data protection may be processed. If there is no legal basis for processing, it is necessary to immediately stop actively processing personal data and disable access to them, and to inform the entrepreneur of the non-existence of the basis, who determines the further handling of such data.

Personal data may only be collected for specified and lawful purposes and may not be further processed in such a way that their processing would be inconsistent with these purposes, unless otherwise provided by law. When the entrepreneur intends to further process personal data for a purpose that is not the purpose for which the personal data was collected, it is necessary to check beforehand whether the new purpose is compatible with the original one and prepare a written report on this.

Measures to ensure the security of specific collections of personal data, such as, among other things, pseudonymization and encryption, limitation of storage and access period, limitation of processing, limitation of purposes, etc., and the method of implementation are determined by the entrepreneur.

The entrepreneur does not process or store special types of personal data.

The individual must be informed about the acquisition and processing of personal data in accordance with the provisions of Articles 12, 13 and 14 of the GDPR. The entrepreneur or a person authorized by the entrepreneur.

The entrepreneur (for each individual collection) determines and maintains a written list of persons who, due to the nature of their work and/or function at the entrepreneur, may process certain personal data or have access to the collections (hereinafter “authorized processors”).

Before processing personal data, authorized processors must be familiar with the provisions of ZVOP-2, GDPR and the content of these regulations, and are obliged to sign a special declaration to that effect.

Article 5
(Ensuring and realizing the rights of individuals)
The individual has the right to obtain confirmation from the entrepreneur as to whether his personal data is being processed, and if so, the right to obtain access to personal data (inspection) and information from Paragraph 1 of Article 15 of the GDPR.

When the processing is based on the consent to the processing of personal data for one or more specific purposes, the individual has the right, in accordance with the provisions of the GDPR, to revoke the consent at any time, without this affecting the legality of the data processing, which was carried out on the basis of the consent until its cancellation.

The individual has the right to have the entrepreneur correct inaccurate or complete incomplete personal data relating to him without undue delay.

An individual has the right to have the entrepreneur delete personal data concerning him without undue delay, when one of the following reasons applies:
• personal data are no longer needed for the purposes for which they were collected or otherwise processed;
• the individual revokes the consent on the basis of which the processing takes place and there is no other legal basis for the processing;
• the individual objects to the processing in accordance with the provisions of the GDPR (Article 21), and there are no overriding legal reasons for their processing;
• personal data were processed illegally;
• personal data must be deleted in order to fulfill a legal obligation;
• personal data was collected in connection with the offer of information society services from a minor.

The previous paragraph of this article does not apply if the processing is necessary for the assertion, implementation or defense of legal claims.

The individual has the right to have the entrepreneur limit the processing when one of the following cases applies:
• the individual disputes the accuracy of the data, namely for a period that allows the entrepreneur to verify the accuracy of the personal data;
• the processing is illegal and the individual opposes the deletion of personal data and instead requests a restriction of their use;
• the entrepreneur no longer needs personal data for processing purposes, but the individual needs them to assert, implement or defend legal claims;
• the individual has filed an objection regarding the processing until it is verified whether the legitimate reasons of the controller prevail over the reasons of the individual to whom the personal data refer.

The individual has the right to receive the personal data that he has provided to the entrepreneur in a structured, commonly used and machine-readable form, and the right to forward this data to another controller without the entrepreneur hindering him in doing so, when the processing is based on consent.

Where personal data is processed for the purposes of direct marketing, the data subject shall have the right to object at any time to the processing of personal data relating to him for the purposes of such marketing, including profiling in so far as it is related to such direct marketing. When the data subject objects to the processing for direct marketing purposes, the personal data is no longer processed for these purposes.

The entrepreneur ensures that individuals are informed about the rights from the previous paragraphs of this article in an appropriate way that complies with the requirements of the GDPR.

The entrepreneur is responsible for asserting the rights of individuals and communicating with them.

Article 6
(Data Protection Impact Assessment)
The entrepreneur or other person who detects this is obliged to draw attention to the fact that the planned processing of personal data, especially (but not exclusively) using new technologies, taking into account the nature, scope, circumstances and purposes of the processing of personal data, could cause a high risk for the rights and freedoms of individuals.

In this case, the entrepreneur decides whether it is necessary to carry out an assessment of the impact of the intended processing actions on the protection of personal data. The entrepreneur is responsible for performing the impact assessment itself. All employees who can provide the necessary data and assessments are obliged to participate.

The impact assessment is carried out in writing and includes at least:
• a systematic description of the intended processing actions and purposes of the processing, when appropriate, as well as the legitimate interests pursued by the entrepreneur;
• assessment of the necessity and proportionality of processing actions in relation to their purpose;
• risk assessment for the rights and freedoms of individuals to whom personal data refer;
• measures to address risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of individuals to whom personal data relate and other persons concerned.

If the entrepreneur or another person who has made an impact assessment finds that the intended processing would cause a high risk if the entrepreneur does not take measures to mitigate the risk, the entrepreneur shall judge whether consultation with the supervisory authority is necessary.

DEFINITION OF COLLECTION OF PERSONAL DATA

Article 7
(Collections of personal data)
The entrepreneur processes personal data electronically in a structured manner in the following collections:
• Human Resources records,
• records of service buyers and business partners,
• record of video materials of the activities carried out.

The personal data of the personnel records are also processed in a structured way by the entrepreneur in physical form, namely in personnel folders.

Article 8
(Human Resources records)
Collections of personal data of employees are established at the conclusion of the employment or contractual relationship, or are updated at each change notified by the employee.

Personnel records contain personal data of employees in accordance with the meaning of this term described in Article 2 of these regulations. The entrepreneur collects exclusively personal data that is mandatory in accordance with the regulations for the individual legal area (e.g. legislation in the field of labor relations and regulations in the field of social security, the field of tax legislation, etc.). The entrepreneur does not process personal data of employees for any other purpose, does not pass it on to any user or other third party, with the exception of those who demonstrate a legitimate interest, and the entrepreneur also does not export this data abroad.

Personnel records in electronic form are kept exclusively on the entrepreneur’s computer, which is protected by all the technical measures described in these regulations. Personnel records are kept in the form of personnel folders in a locked fireproof cabinet.

Only the entrepreneur and the authorized person have access to the personal data of the personnel record.

All employees of the entrepreneur, when concluding the contract that is the basis for their work, sign a special statement on being aware of all the facts and rights they have in relation to this data on the basis of ZVOP-2, GDPR and on the basis of these regulations. The statement may be part of the employment contract. Those who are already employed by the entrepreneur sign such a declaration of familiarization afterwards.

Personal data processed in personnel records are kept for the duration of the contracts with the individuals to whom this data relates, and for a certain period after the termination of the validity of these contracts, if the legislation so provides. After the expiration of this period, the data is permanently deleted. Personal data for which special legislation stipulates permanent storage shall not be deleted after the expiry of the period referred to in this paragraph.

Article 9
(record of buyers of services and business partners)
The entrepreneur keeps a single record of the buyers of his services and business partners in the electronic record, which is located on the server of the provider of such services.

In the records of customers of services and business partners, the entrepreneur does not process special types of personal data, but only contact personal data (name and surname, address, employment, telephone number, e-mail address), on the basis of which it is possible to contact the individuals to whom this personal data relates. Also, based on the data from this record, the entrepreneur does not make automated individual decisions, nor does he create profiles based on them.

Access to the server with a unified record of customers of its services and business partners is possible only with a username and password, which are available exclusively to employees of the entrepreneur.

The processing of all personal data of individuals in the records of service buyers and business partners is based on their personal consent, or the processing of this data in accordance with Article 6 of the GDPR is necessary for the implementation of contracts whose contractual parties are the individuals to whom the personal data relate.

Personal data processed in the records of service buyers and business partners due to the implementation of contracts whose contractual parties are individuals are kept and processed for the period necessary to fulfill the contract, including warranty and limitation periods (these are usually 5 years). After the expiration of this period, the data is permanently deleted.

Personal data processed in the records of service buyers and business partners based on the consent of individuals are permanently deleted from these records as soon as the individual revokes his consent.

Personal data for which special legislation stipulates permanent storage shall not be deleted after the expiry of the period referred to in this article.

Article 9a
(posts on social networks)

The entrepreneur keeps a single record of video materials of the entrepreneur’s activities. The collection and processing of the data presented below is partly the responsibility of the entrepreneur and partly the respective operators of the social network platforms. For certain aspects of the processing, the entrepreneur and the platform operators act as joint controllers within the meaning of Article 26 of the GDPR.

The entrepreneur manages the following pages on social networks:
• Facebook: https://www.facebook.com/socatrout.flyfishing/
• Instagram: https://www.instagram.com/socatrout.flyfishing/

The provisions of Article 9 of these regulations and the provisions of the Declaration on the protection of personal data for our pages on social networks, which is published on the operator’s website, must be observed by all employees and other persons of the entrepreneur.

MEASURES TO PROTECT PERSONAL DATA

Article 10
(Security of premises and data carriers)
The entrepreneur’s premises are located in an office building at the address Trg golobarskih szrebi 50, 5230 Bovec. Data carriers and hardware and software are located in these premises, as well as cabinets with all documents of the collections referred to in Article 6 of these regulations (hereinafter: secured premises) and are protected by organizational and/or technical measures that prevent unauthorized persons from accessing data.

Entry to the premises where the entrepreneur is located is only possible during working hours. Employees have access to the premises. The premises have an entrance door with a lock. Access to secured premises is possible and permitted only during working hours, and outside of working hours only on the basis of the entrepreneur’s permission. In the event that individual employees regularly perform work outside of working hours, in the form of overtime or in another way, they may access protected premises without special permission even outside of regular working hours.

Protected areas must not remain unattended or must be locked in the absence of the employees supervising them.

Persons who are not employed by the entrepreneur may not enter the secured premises without an escort or the presence of an employee who supervises these premises. An employee who works in protected areas must conscientiously and carefully control the area and lock it when leaving.

Maintenance workers, cleaners, security guards, repairmen, visitors, business partners may only stay in protected areas with the knowledge of employees. Outside of working hours, workers such as cleaners or security guards, if absolutely necessary, can only move in those protected areas where access to personal data is prevented (data carriers are stored in locked cabinets and desks, computers and other hardware are turned off or otherwise physically or software locked).

Personal data carriers stored outside active work spaces or outside protected areas (corridors, common areas, etc.) must be permanently locked, except when they are directly in use.

Special types of personal data may under no circumstances be stored outside of secured premises. Secured premises in which data carriers containing special types of personal data are located must be secured in such a way that full control over work and movement in these premises is ensured.

An employee who uses personal data in his work or processes it in any way must not leave personal data carriers unattended on the desk during working hours or otherwise expose them to the risk of unauthorized persons gaining access to personal data (computer displays must also be installed so that customers have no insight into them).

Keys, cards, passwords and other means that enable access to secured premises must be protected, managed and stored conscientiously and carefully. Any loss or misappropriation or suspicion of misuse must be reported immediately to the entrepreneur, who must take appropriate measures.

Article 11
(Place of personal data processing)
Processing of personal data is permitted only on the premises of the entrepreneur and outside when it comes to the implementation of marketing activities. Exceptionally, in cases where an employee works at home or in the field using remote access technology, processing of personal data outside the premises of the entrepreneur is permitted, and all necessary measures to secure personal data must be provided.

The entrepreneur allows the export of personal data carriers, where the reason for the export of the carriers must be recorded. One permit can be issued for several withdrawals or repeated withdrawals.

The transfer of personal data to users is permitted by the entrepreneur. The transmission of personal data from the previous paragraph of this article is duly recorded.

PROTECTION OF SOFTWARE FOR THE PROCESSING OF PERSONAL DATA

Article 12
(General)
Access to the software with or with the help of which personal data is processed must be protected in a way that allows access only to pre-determined employees and persons who perform servicing or maintenance of hardware or software for the entrepreneur under the contract, whereby employees may not exchange or disclose access data with each other or with third parties (regardless of the level of rights granted to them).

The entrepreneur is responsible for assigning access to the software for employees and keeping records of this.

Repairing, changing and supplementing (updating) the software or compiling instructions in this regard are the responsibility of the entrepreneur.

Employees may not install any software on hardware and other devices owned or used by the entrepreneur without the entrepreneur’s approval. Employees may not remove software from the entrepreneur’s premises without the entrepreneur’s knowledge.

Repairing, changing and supplementing (updating) the software by external contractors is permitted only on the basis of the entrepreneur’s approval, and it can only be carried out by authorized services and organizations and individuals who have a contract with the entrepreneur, which includes relevant provisions on the contractual processing of personal data.

All changes and additions to the software must be documented in a way that allows traceability of the changes or additions.

An employee who creates or allows a copy (database) of personal data to be created within the scope of his work duties for the purposes of servicing, repairing, modifying or supplementing software or for providing support, is obliged to ensure that, when the need ceases, the copy is effectively destroyed or deleted.

The entrepreneur determines in more detail or prescribes the creation of copies (databases) of personal data, so that restoration of personal data is possible in case of unwanted deletion, change or destruction of personal data or the carrier on which personal data is located.

Article 13
(Restriction and control of access to personal data)
Access to personal data through the software must be protected by a unified and centralized system of passwords or other secure means of authorization and identification of users. In the case of software, there must be event monitoring in the individual application, which enables the possibility of subsequently determining when individual personal data was entered into the collection of data, used or otherwise processed and who did it, namely for a period of 5 years from the last processing of personal data.

All the entrepreneur’s computers or software are protected by licensed anti-virus equipment, which also prevents unauthorized intrusions into the system and is automatically updated in accordance with the instructions of the manufacturer of the mentioned equipment. When a computer virus appears, it is eliminated as soon as possible, if necessary with the help of the appropriate professional service from paragraph 5 of the previous article, and at the same time the cause of the appearance of the virus in the entrepreneur’s computer information system is determined. Each computer is additionally protected by a personal security password, which prevents unauthorized users from unlocking the system. All collections of personal data that are kept in electronic form are also securely stored on an external hard drive due to the risk of destruction or irreversible disabling of the hard drive in the computer in which it is located.

The entrepreneur is responsible for determining the system regime, or the method of assigning, storing and changing passwords.

All passwords and procedures used to enter and administer the network of personal computers (supervisor passwords), administer e-mail and administer application programs are kept and protected against access by unauthorized persons. In case of unauthorized access to this data, a new password content is determined.

Article 14
(Data storage outside databases)
Personal data may only be exceptionally stored and processed locally (on local computers and other similar devices) when this is absolutely necessary due to the nature of the work. After the need for such storage and processing of personal data ceases, the personal data must be transferred to centralized databases or permanently deleted.

Any copies of the contents of personal data collections on local media (external disks, USB keys, etc.) are kept in locked cabinets.

Possible copies of the content of the network server and local stations for the needs of restoring the computer system in the event of breakdowns and other exceptional situations are kept in designated places, which must be properly protected and locked.

CONTRACTUAL PROCESSING OF PERSONAL DATA

Article 15
(General)
A written contract provided for in Article 28 of the GDPR is concluded with any external legal or physical person who performs individual tasks related to the collection, processing, storage or transmission of personal data (processor). The entrepreneur enters into a contract with such a processor only upon the assurance that he has implemented all appropriate measures for the protection of personal data and fulfills his duties, as determined by the applicable ZVOP-2 and GDPR as well as these regulations.

In the contract concluded in accordance with the first paragraph of this article, conditions and measures to ensure the protection of personal data and their safeguarding must also be prescribed. Before entering into a contract with the processor, the legal entrepreneur is obliged to obtain from the controller information that enables verification of whether the processor meets the requirements of the legislation in the field of personal data protection; this also includes disclosure of all sub-processors, including their names and registered offices.

The mere possibility of accessing data, even at the express request of the entrepreneur (e.g. in the context of service intervention on hardware, etc.), is considered contractual processing in the sense of paragraph 1 of this article.

Processors may perform personal data processing services only within the scope of the authorizations granted in the contract and within the framework of other duly documented instructions of the entrepreneur and may not process or otherwise use the data for any other purpose to which they are obligated by the contract.

The processor must have at least as strict a method of protecting personal data as provided for in this regulation.

In addition to other requirements, in contracts with processors, the entrepreneur must secure the right to conduct an inspection or audit in the field of personal data protection at the contractual processor at least once a year. An inspection or audit must be carried out in case of any suspicion or indication that the processor is in breach of the concluded contract or that it does not ensure a sufficient level of protection of personal data. The audit is carried out at the expense of the entrepreneur, whereby the processor may not charge the entrepreneur for any engagement of its own people and/or subcontracted processors.

DELETION, DESTRUCTION AND ANONYMISATION OF PERSONAL DATA

Article 16
(General)
Personal data can only be stored for as long as is stipulated by law or for the time required to fulfill the contract, including warranty and limitation periods (usually 5 years), or for the time for which the individual has consented to the processing of their personal data. The retention period for specific (database) personal data is determined by the entrepreneur.

After the need to manage personal data ceases, personal data is effectively deleted, destroyed or anonymized, unless otherwise provided by law or another act. Destruction, deletion or anonymization of personal data is ordered by the entrepreneur. Minutes are drawn up on the destruction, deletion or anonymization of personal data, which must not contain personal data of individuals whose data has been deleted, destroyed or anonymized.

To delete data from computers, servers and similar devices or carriers of personal data in electronic form, such a deletion method is used that it is impossible to reconstruct the deleted data.

Data on physical media that cannot be deleted is destroyed in a way that ensures that the personal data becomes unrecognizable and unrecoverable. The exact method of destruction for individual types of personal data or carriers is determined by the entrepreneur.

It is forbidden to dispose of data carriers in a way that enables the recovery or recognition of personal data (e.g. in the trash can).

When transferring personal data carriers to the place of destruction, it is necessary to provide adequate protection during the transfer, especially in such a way that the recognition or recovery of personal data is impossible.

ACTION IN THE EVENT OF SECURITY INCIDENTS RELATED TO PERSONAL DATA

Article 17
(General)
Employees are obliged to implement measures to prevent the misuse of personal data and must handle personal data that they come across in the course of their work conscientiously and carefully in the manner and according to the procedures specified in these regulations.

Employees are obliged to immediately notify the entrepreneur of activities related to the discovery or unauthorized destruction of personal data, malicious or unauthorized use, appropriation, modification or damage of personal data, and they themselves must try to prevent such activity with legal measures.

Upon any suspicion of a violation of the protection of personal data, the entrepreneur must notify the Information Commissioner within 72 hours. When it is likely that a breach of personal data protection causes a high risk to the rights and freedoms of individuals, the entrepreneur shall ensure that the affected individuals are informed without undue delay that a breach of personal data protection has occurred. If a crime is suspected, the security incident must be reported to the police or the prosecutor’s office.


Article 18
(Internal measures)
The entrepreneur shall ensure that, after a security incident, an analysis of the causes and a proposal for measures to reduce or eliminate the risk of such and future security incidents is carried out, and that, if it is reasonable and possible, the proposed measures are implemented.

If it turns out that an employee caused or participated in the security incident, or the security incident occurred due to negligence on the part of the employee, the entrepreneur, regardless of the other provisions of these regulations, takes appropriate labor law measures against the employee.

RESPONSIBILITY FOR IMPLEMENTING PERSONAL DATA SECURITY MEASURES

Article 19
(General)
The entrepreneur is responsible for supervising the implementation of procedures and measures for the protection of personal data and can authorize other persons who are not employed by the entrepreneur for individual tasks.

The control referred to in paragraph 1 of this article also includes procedures for regular testing, assessment and evaluation of the effectiveness of technical and organizational measures to ensure processing security. All employees, contractual partners and other persons are obliged to participate in this.

Everyone who processes personal data is obliged to implement the prescribed procedures and measures for securing data and to protect the data with which they became familiar while performing their work. The obligation to protect data does not end with the termination of the employment relationship or other contractual relationship based on which a certain person performs work for the entrepreneur.

Before starting work at a workplace where personal data is processed, the employee must sign a special declaration obliging him to protect personal data. The statement can also be part of the employment contract.

It must be clear from the signed declaration that the signatory is familiar with the provisions of this rulebook and the provisions of ZVOP-1 and GDPR, and the declaration must also contain instructions on the consequences of the violation.

Employees of the entrepreneur are subject to disciplinary liability for violation of the provisions of these regulations, while others are subject to contractual obligations. Liability does not exclude tort, criminal or tort liability.

FINAL PROVISIONS

Article 20
(Effective Date)
This policy is valid and applicable from 01.02.2023 onwards.


Article 21
(Publication, Accessibility)
This policy is sent in electronic form to all employees of the entrepreneur. The entrepreneur stores it in electronic form in his central computer, and in physical form it is filed in a special folder intended for documents in the field of personal data protection.

In Bovec, January 2023.

 

PROTECTION OF PERSONAL DATA ON SOCIAL NETWORKS

Privacy statement for our social media pages

In the following, we would like to inform you about the handling of your data in accordance with Article 13 of the EU General Data Protection Regulation (hereinafter: GDPR).

1. Liability
Responsibility for the collection and processing of the data presented below lies partly with us

Soča Trout – Bojan Rusjan, sports activity, s.p.
Trg Golobarski szni 50, 5230 Bovec
Email: info@socatrout.com

and partly with the operators of the social network platforms concerned. For certain aspects of the processing, we and the platform operators act as jointly responsible within the meaning of Article 26 of the GDPR (processing in accordance with point 4 of this statement).

We manage the following pages on social networks:
• Facebook: https://www.facebook.com/socatrout.flyfishing/
• Instagram: https://www.instagram.com/socatrout.flyfishing/

2. Liability of platform operators
The entrepreneur has only limited influence on the management of personal data carried out by the operators of social network platforms (e.g. management of followers and shared information). In the areas over which he has influence and in which he can process personal data, he endeavors, within the scope of the possibilities available to him, to ensure that the operator of the social network platform adequately protects personal data. In many areas, however, he cannot influence the processing of personal data by the operator of the social network platform, nor does he know exactly which data the operator processes.

The platform operator manages the entire IT infrastructure of the service, has its own provisions on the protection of personal data and its own user relationship with the individual (if he is a registered user of the social network service). In addition, only the operator of the platform is responsible for all questions related to the user profile data of an individual to which the entrepreneur does not have access.

You can find more detailed information about the data processing carried out by the social network platform providers and about further objection options in the data protection declaration of the individual provider:
– Facebook: https://www.facebook.com/privacy/explanation
– Instagram: https://help.instagram.com/519522125107875

When using the platform, your personal data is usually also processed by the respective platform operators, among others, on servers in third countries, especially in the USA and Great Britain.

3. Our responsibility
Purpose of data processing by us/legal basis
The purpose of data processing on our part within the framework of our pages on social networks is to familiarize customers with offers, activities, products and innovations in the company; to interact with site visitors on social networks regarding these topics; and to respond to appropriate feedback, praise or criticism.

We reserve the right to delete illegal content when necessary. This applies, for example, to objectionable and illegal posts, hateful comments, obscene comments (explicitly sexualized content) or attachments (e.g. images or videos) that may violate copyright, privacy rights, criminal law or our ethical principles.

We may share your content on our site when this is a function of the social network platform and we communicate with you through the social network platform. The legal basis is Article 6(1f) GDPR. Data processing is carried out for the purpose of promotion and communication.

As we have already mentioned, in areas where the social network platform provider allows us to do so, we take care to design our pages on social networks to match the requirements of personal data protection as closely as possible.

Data you enter on our pages on social networks, such as comments, videos, pictures, likes, public news, etc., are posted by the social network platform and are never used or processed for other purposes.

Recipients/categories of recipients:
We may share your content on our page when this is a feature of the social network platform and we communicate through the social network platform. If you ask us a question via the social network platform, depending on the required answer, we may refer you to other, safer means of communication that ensure confidentiality. You always have the option to send us confidential questions to our address listed under point 1.

As regards the data that you provide to us in a confidential way (e.g. using the function of sending a private message, in a letter or by e-mail), the transmission of data to third parties is generally excluded. Exceptionally, data are processed by contractual processors on our order.

All of your public posts on our pages on these social networks will remain posted on the timeline indefinitely, unless we delete them due to an update to the original thread, an illegal post, or a violation of our guidelines, or if you delete the post yourself.

As for the deletion of your data by the operator of the social network, we cannot influence this. Therefore, the provisions on the protection of personal data of the operator of the social network/platform apply as a supplement.

4. Shared management, Article 26(1) GDPR
With the operators of the following social network services, the situation exists to a certain extent in accordance with Article 26(1) of the GDPR (joint operators):
•    Facebook:  https://en-gb.facebook.com/legal/terms/page_controller_addendum

For online tracking methods used by social network platform operators, the platform operators and we act as jointly responsible. Online tracking can take place regardless of whether you are logged in or registered on the social network platform. As already mentioned, unfortunately we have almost no influence on online tracking methods by the social network platform. For example, we cannot turn it off.

The legal basis for online tracking methods is consent in accordance with Article 6(1a) GDPR.

Further information about recipients or recipient categories and the retention period or the criteria for determining the retention period can be found in the data protection statements of the individual platform operators. We cannot influence these.

Options regarding exercising your rights to disable these online tracking methods can be found in the data protection statements of the individual platform operators listed under point 2. You can also contact the operators of the platforms using the contact details provided in the legal information of the relevant platform operator.

In connection with the statistics offered to us by the provider of the social network platform, we can influence and disable them only conditionally. Here we point out that we pay attention to the fact that the provider does not provide us with any additional optional statistics.

Please be aware of the following: it cannot be ruled out that the social network platform provider will use your profile data and data on online behavior to analyze your habits, personal relationships, preferences, etc. We cannot influence the processing or transmission of your data by the provider of the social network platform.

We are also present on Facebook, where we act as the operator of our Facebook page and Facebook Ireland Ltd. acts as the manager of the Facebook social network. In accordance with the first paragraph of Article 26 of the General Data Protection Regulation (GDPR), Facebook Ireland Ltd. (the 1st controller) and we (the 2nd controller) are joint controllers who process the Insights data of our company’s Facebook page (aggregated analytical data of visitors).

Facebook Ireland Ltd. gives us access to anonymized statistical data of visitors to our Facebook page. We use this information to optimize our Facebook page so that we provide visitors with more relevant content. The legal basis for processing this data is legitimate interest (Article 6 (1f) GDPR). More information on the liability of Facebook Ireland Ltd. and our company, along with a more detailed explanation of what data is collected, how it is processed and what rights the user has in this regard, can be found in the Page Insights Controller Addendum document and in the Facebook Data Privacy policy document. A visitor to the Facebook social network should be aware that posting content and sending messages to our company’s Facebook page is based on the Facebook Data Privacy Policy and selected privacy settings, unless otherwise specified elsewhere.

5. Data processing in third countries
If we transfer data to recipients in a third country (based outside the European Economic Area), you can find this out in the information on recipients/categories of recipients in the description of the relevant data processing. With a so-called adequacy decision, the European Commission confirms that some third countries have a data protection standard that is comparable to the level in the European Economic Area. A list of these countries is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. If there is no comparable data protection standard in the country, we ensure that data protection is adequately ensured by other measures. This is possible, for example, through binding business internal regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognized codes of conduct. If you would like more information about this, please contact our Data Protection Officer (Section 8).

Your use of the platform may also result in the platform operator processing your data in a third country (based outside the European Economic Area). For more information about the processing of your data in a third country over which we have no influence, see the data protection statements of the platform operators listed in section 2.

6. Your rights in relation to personal data
a) Review
In addition to the right to revoke your consents granted to us, you also have the following rights in the presence of individual legal conditions:
•    the right to information about your personal data stored by us in accordance with Article 15 of the GDPR,
•    the right to correct incorrect or complete incomplete data in accordance with Article 16 of the GDPR,
•    the right to delete your data stored by us in accordance with Article 17 of the GDPR,
•    the right to limit the processing of your data in accordance with Article 18 of the GDPR,
•    the right to data portability in accordance with Article 20 of the GDPR,
•    the right to object in accordance with Article 21 of the GDPR.

Right to information in accordance with Article 15 GDPR
In accordance with the first paragraph of Article 15 of the GDPR, you have the right to receive information about your personal data stored by us free of charge upon request. This includes in particular:
•    the purposes for which the personal data are processed;
•    types of personal data that are processed;
•    recipients or the types of recipients to whom your personal information has been disclosed or is still being disclosed;
•    planned retention period of personal data about you, or if specific data cannot be obtained, the criteria for determining the retention period;
•    the existence of the right to request the correction or deletion of personal data about you, the existence of the right to limit the processing of personal data by the controller or the existence of the right to object to such processing;
•    the existence of the right to lodge a complaint with the supervisory authority;
•    all available information on the origin of the data, if the personal data is not obtained from the individual concerned;
•    the existence of automated decision-making, including the creation of profiles from the first and fourth paragraphs of Article 22 of the GDPR and, at least in such cases, meaningful information about the reasons for it as well as the meaning and intended consequences of such processing for the individual concerned.

If personal data is transferred to a third country or an international organization, you have the right to be informed in connection with the transfer of data through appropriate guarantees in accordance with Article 46 of the GDPR.

Right to rectification in accordance with Article 16 of the GDPR
You have the right to require us to correct the inaccurate personal information in question without undue delay. Taking into account the purposes of the processing, you have the right to complete incomplete personal data, including the submission of a supplementary statement.

The right to erasure in accordance with Article 17 of the GDPR
You have the right to request that we delete the personal data in question without undue delay where one of the following reasons applies:
•    personal data are no longer needed for the purposes for which they were obtained or otherwise processed;
•    you revoke your consent on which the processing is based in accordance with point a, paragraph 1 of Article 6 or point a, paragraph 2 of Article 9 of the GDPR and there is no other legal basis for the processing;
•    in accordance with the first and second paragraphs of Article 21 of the GDPR, you object to the processing, and there are no overriding legal grounds for the processing according to the first paragraph of Article 21 of the GDPR;
•    personal data has been processed illegally;
•    the deletion of personal data is necessary to fulfill a legal obligation;
•    personal data were obtained in connection with the services offered by information companies in accordance with the first paragraph of Article 8 of the GDPR.

If we have published personal data and are obliged to delete it, we take reasonable steps, taking into account available technology and implementation costs, to inform third parties who process your personal data that you also ask them to delete all links to that personal data or their copies.

The right to restriction of processing in accordance with Article 18 of the GDPR
You have the right to request the restriction of processing from us when one of the following conditions applies:
•    you dispute the accuracy of personal data;
•    the processing is illegal and you object to the deletion of personal data and instead request the limitation of their use;
•    the person responsible no longer needs the personal data for the purposes of processing, and the individual concerned needs them to assert, exercise or defend legal claims or
•    you have filed an objection against processing in accordance with the first paragraph of Article 21 of the GDPR, until it has been determined whether the reasons of the responsible outweigh those of the affected person.

The right to data portability in accordance with Article 20 of the GDPR
You have the right to receive the relevant personal data that you have provided to us in a structured, commonly used and machine-readable format, and the right to provide this data to another controller without us hindering him from doing so, where:
•    processing is based on consent in accordance with point a, first paragraph of Article 6 or point a, second paragraph of Article 9 GDPR or on a contract in accordance with point b, first paragraph of Article 6 GDPR and
•    processing takes place with the help of automated procedures.

When exercising the right to data portability, you have the right to have your personal data transferred directly from us to another controller, when this is technically feasible.

The right to object in accordance with Article 21 of the GDPR
Under the terms of the first paragraph of Article 21 of the GDPR, it is possible to object to data processing for reasons related to your particular situation.
The present general right to object applies to all processing purposes described in these data protection provisions, which are processed on the basis of point f of the first paragraph of Article 6 of the GDPR. Unlike the right to object, which is specifically aimed at processing data for advertising purposes, in accordance with the General Regulation, we are obliged to recognize this type of general right to refuse only if you provide us with reasons of superior importance, e.g. potential danger to life or health. In addition, there is the possibility to contact the supervisory authority responsible for our company.

The right to lodge a complaint with a supervisory authority in accordance with Article 77 of the GDPR
You always have the option to contact the competent supervisory authority (Information Commissioner of the Republic of Slovenia) or our company’s data protection officer.

7. Contact person
If you have any questions regarding our social media pages or to exercise your rights regarding the processing of your data (data protection rights), you can contact us at the e-mail address in section 1.