The purpose of the privacy policy is to inform users of our services, employees, and other natural persons (hereinafter: “individual”) who work with CRMT d.o.o. (hereinafter: “organization”) on the purposes, legal bases, security measures and rights of individuals regarding the processing of personal data carried out by our company.
We value your privacy, so we always protect your data carefully.
We process personal data in accordance with European legislation (Regulation (EU) 2016/679 of the European Parliament on the protection of natural persons with regard to the processing of personal data and on and on the free movement of such data (hereinafter: “General Regulation”)), current Slovenian legislation in the field of individual data protection and other legislation, which gives us the legal basis for processing personal data.
The personal data protection policy contains information on how our company, as an administrator, processes personal data received from individuals based on legal grounds.
1. Administrator:
The administrator of personal data is the company:
Name: CRMT d.o.o.
Adress: Ukmarjeva ulica 2, 1000 Ljubljana
https://www.crmt.com/
E-mail: dpo@crmt.com
Phone: +386 (0) 5 994 3 700
2. Authorized person
In accordance with Article 37 of the General Regulation, we have not appointed an authorized person, but if you have any questions regarding the processing of your personal data, you can always contact us at dpo@crmt.com.
3. Personal data
Personal data means any information relating to a specific or identifiable individual; an identifiable individual is one who can be identified directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, online identifier, or by reference to one or more factors that characterize the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
4) Purposes of processing and basis for data processing
The company collects and processes your personal data on the following legal bases:
- processing is necessary to fulfill a legal obligation applicable to the controller;
- the processing is necessary for the performance of a contract to which the individual to whom personal data relates is a contracting party, or for the implementation of measures at the request of such an individual prior to the conclusion of the contract;
- processing is necessary due to the legitimate interests pursued by the controller or a third party;
- the individual to whom the personal data relates has consented to the processing of his personal data for one or more specified purposes;
- processing is necessary to protect the vital interests of the data subject or other natural persons.
4.1) Fulfillment of legal obligations
Based on the provisions of the law, the company processes data about its employees, which is allowed by labor law and social welfare legislation. Based on the legal obligation, the company mainly processes the following types of personal data for employment purposes: first and last name, gender, date of birth, ID number, tax number, city, municipality and country of birth, citizenship, residence, etc.
4.2) Execution of contracts
In the event that an individual enters into a contract with the company, this constitutes the legal basis for the processing of personal data. Personal data may be processed for the purpose of concluding and implementing a contract, such as e.g. sale of goods and services, membership in benefit clubs, participation in events, trainings, promotions, etc. If the individual does not provide personal data, the company cannot conclude a contract, nor can the company perform the service or deliver the goods in accordance with the concluded contract. Based on the performance of a legal activity, the company can inform individuals and users of its services to their email address about its services, events, trainings, offers and other content. The individual can at any time request the termination of this type of communication and processing of personal data and cancel receiving messages via the unsubscribe link in the received message, or as a request by e-mail to dpo@crmt.com or by regular mail to the company’s address.
4.3) Legitimate interest
The company may also process personal data on the basis of the legitimate interest it pursues. The latter is not permissible when such interests prevail over the interests or fundamental rights and freedoms of the individual to whom the personal data relate, which require the protection of personal data. In case of use of legitimate interest, the company always conducts an assessment in accordance with the General Regulation. The processing of personal data of individuals for the purposes of direct marketing is considered to be carried out in legitimate interest. The company may process the personal data of individuals that it has collected from publicly available sources or within the framework of the legal performance of activities, also for the purposes of offering goods, services, employment, informing about benefits, events, etc. To achieve these purposes, the company may use regular mail, telephone calls, e-mail and other means of telecommunications. For the purposes of direct marketing, the company may process the following personal data of individuals: first and last name of the individual, address of permanent or temporary residence, telephone number and e-mail address. For the purposes of direct marketing, the company may process the specified personal data even without the express consent of the individual. The individual can at any time request the termination of this type of communication and processing of personal data and cancel receiving messages via the unsubscribe link in the received message, or as a request by e-mail to dpo@crmt.com or by regular mail to the company’s address.
4.4) Processing on consent
Insofar as the company does not have a legal basis demonstrated on the basis of law, contractual obligation, or legitimate interest, it may ask the individual for consent or consensus. Thus, it can process certain personal data of an individual also for the following purposes, when the individual gives this consent:
residential address and email address for notification and communication purposes;
photos, video recordings, and other content relating to individuals (e.g. publication of images of individuals on the company’s website) for the purposes of documenting activities and informing the public about the company’s work and events;
other purposes for which the individual agrees with consent.
If an individual gives his consent to the processing of personal data and at some point no longer wishes to do so, he can request the termination of the processing of personal data by sending a request by e-mail to dpo@crmt.com or by regular mail to the company’s address. Revocation of consent does not affect the lawfulness of processing based on consent prior to its revocation.
4.5) Processing is necessary to protect the vital interests of the individual
Processing is necessary to protect the vital interests of the individual
The company can process the personal data of the individual to whom the personal data relates, insofar as this is necessary to protect his vital interests. In urgent cases, the company can search for an individual’s personal document, check whether this person exists in its database, examine his medical history or establish contact with his relatives, for which the company does not need the individual’s consent. The above applies in cases where this is absolutely necessary to protect the vital interests of the individual.
5. Storage and deletion of personal data
The company will keep personal data only as long as it is necessary to fulfill the purpose for which the personal data was collected and processed. If the company processes data on the basis of the law, it will keep it for the period prescribed by law. Here, some data is kept for the duration of cooperation with the company, while some data must be kept permanently. Personal data that the company processes on the basis of a contractual relationship with an individual is kept by the company for the period necessary for the execution of the contract and for another 6 years after its termination, except in cases where a dispute arises between the individual and the company regarding the contract. In such a case, the company keeps the data for 10 years after the finality of the court decision, arbitration or court settlement or, if there was no court dispute, for 5 years from the date of the peaceful resolution of the dispute. The personal data that the company processes on the basis of the individual’s personal consent or legitimate interest will be kept by the company until the consent is revoked or until the data is deleted. After receiving the cancellation or request for deletion, the data will be deleted within 15 days at the latest. The company can delete this data even before cancellation, when the purpose of personal data processing has been achieved or if it is stipulated by law.
Exceptionally, the company may refuse a request for deletion for reasons from the General Regulation, such as: exercise of the right to freedom of expression and information, fulfillment of the legal obligation of processing, reasons of public interest in the field of public health, purposes of archiving in the public interest, scientific or historical research purposes or statistical purposes, the exercise or defense of legal claims. After the retention period has expired, the company must effectively and permanently delete or anonymize personal data so that it can no longer be linked to a specific individual.
6. Contractual processing of personal data and data export
The company can trust a contractual processor for individual processing of personal data on the basis of a contractual processing agreement. Contractual processors can process confidential data exclusively on behalf of the controller, within the limits of his authority, which is written in a written contract or other legal act and in accordance with the purposes defined in this privacy policy.
The contractual processors with whom the company cooperates are mainly:
- accounting services and other providers of legal and business advice;
- maintainers of information systems;
- email service providers and software providers, cloud services;
- providers of social networks and online advertising (Google, Facebook, LinkedIn, etc.).
For the purposes of better inspection and control over contract processors and regulation of the mutual contractual relationship, the company also maintains a list of contract processors, which lists all specific contract processors with which the company cooperates.
Under no circumstances will the company provide personal data of an individual to unauthorized third parties. Contract processors may only process personal data within the framework of the company’s instructions and may not use personal data for any other purposes.
As a controller, the company and its employees do not export personal data to third countries (outside the member states of the European Economic Area – EU members and Iceland, Norway and Liechtenstein) and to international organizations, except in the USA, whereby relations with contractual processors from the USA are regulated on the basis of standard contractual clauses (standard contracts adopted by the European Commission) and/or binding business rules (adopted by the company and approved by supervisory authorities in the EU).
7. Cookies
Cookies saved by the browser can be deleted by the individual (instructions can be found on the websites of the individual browsers).
8. Data security and data accuracy
The company takes care of information security and infrastructure security (premises and application system software). Our information systems are protected by anti-virus programs and a firewall, among other things. We have implemented appropriate organizational and technical security measures aimed at protecting personal data against accidental or illegal destruction, loss, modification, unauthorized disclosure, or access, as well as against other illegal and unauthorized forms of processing. In the case of transmission of special types of personal data, they are transmitted in an encrypted form and protected by a password.
The individual is responsible for providing his/her personal data securely and that the data provided is accurate and authentic. The company will make every effort to ensure that the personal data it processes is accurate and, if necessary, updated, from time to time we may also contact the individual to confirm the accuracy of the personal data.
9. Individual rights regarding data processing
In accordance with the General Regulation, an individual has the following personal data protection rights:
- He may request information about whether we have his personal data and, if so, what data we have and on what basis we have it and why we use it;
- he can request access to his personal data, which allows him to receive a copy of the personal data held by the company and to check whether the company is processing it legally;
- may request corrections of personal data, such as correction of incomplete or inaccurate personal data;
- may request the deletion of his personal data when there is no reason for further processing or when he exercises his right to object to further processing;
- may object to the further processing of personal data where the company refers to a legitimate business interest (even in the case of a third party’s legitimate interest), when there are reasons related to the individual’s special situation; the individual has the right to object at any time if the company processes personal data for direct marketing purposes;
- can request the restriction of the processing of his personal data, which means the interruption of the processing of personal data, for example, if the individual wants the company to establish the accuracy or to check the reasons for the further processing of personal data;
- may request the transfer of their personal data in a structured electronic form to another controller, insofar as this is possible and feasible;
- can revoke the consent or consent he gave to the collection, processing and transfer of his personal data for a specific purpose; upon receiving notice that he has withdrawn his consent, the Company will cease to process the personal data for the purposes for which it was originally accepted, unless the Company has no other lawful legal basis for doing so lawfully.
If an individual wishes to exercise any of the aforementioned rights, he can send a request by email to dpo@crmt.com or by regular mail to the company’s address. The company will respond to a request relating to the rights of an individual without undue delay and in any case within one month of receiving the request. In the event that this deadline is extended (by a maximum of two additional months) taking into account the complexity and number of requests, you will be notified. Access to the individual’s personal data and asserted rights is free for the individual. However, the company may charge a reasonable fee if the data subject’s request is manifestly unfounded or excessive, especially if it is repeated. In such a case, the company can also reject the request. In the case of exercising the rights under this title, the company may have to request certain information from the individual that will help it confirm the identity of the individual, which is only a security measure to ensure that personal data is not disclosed to unauthorized persons.
When exercising the rights from this title, or in the case that an individual believes that his rights have been violated, he can contact the supervisory authority, i.e. the Information Commissioner, on the website: https://www.ip-rs.si/.
If an individual has any questions regarding the processing of their personal data, they can always contact our company by e-mail at dpo@crmt.com or by regular mail to the company address.
10. Announcement of changes
Any changes to our Privacy Policy will be posted on the company website: https://www.crmt.com/. By using the website, the individual confirms that he accepts and agrees with the entire content of this personal data protection policy.
The personal data protection policy was adopted by the responsible person of the company on, 11.10.2022.