Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation; “GDPR”) and the Personal Data Protection Act (Official Gazette of the Republic of Slovenia; hereinafter: ZVOP-2), the director of the company Rdeča Oranža, izkustveni marketin d.o.o (hereinafter Rdeča Oranža) issues these rules.
I. General provisions
Article 1
These rules determine the organizational, technical and logical-technical procedures and measures for the protection of personal data in the company Rdeča Oranža, in order to ensure that:
• personal data are processed lawfully, fairly and transparently;
• personal data are collected for specified, explicit and legitimate purposes and are not processed in a way incompatible with those purposes;
• by default, only personal data that are necessary for each specific purpose of processing are processed; this obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their availability;
• the rights and freedoms of data subjects are respected and protected;
• the security of personal data is ensured, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage;
• the company can demonstrate compliance with legislation in the field of personal data protection.
The provisions of these rules also determine the obligations of employees in the company Red Orange, which they must comply with. The provisions of these rules also apply to other persons who perform work in the company on the basis of contracts other than employment contracts. If in doubt about the meaning of any provision of this document, please contact the Director, Martin Korošec.
Article 2
Terms used in this policy have the following meanings:
2. Personal data – the meaning is the same as determined by the GDPR
3. Individual – is an identified or identifiable natural person to whom personal data relate; a natural person is identifiable if he or she can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. high cost or time consuming;
4. Collection of personal data – the meaning is the same as defined by the GDPR
5. Processing of personal data – the meaning is the same as defined by the GDPR
6. Personal data controller – the meaning is the same as defined by the GDPR
7. Sensitive personal data – the meaning is the same as defined by the GDPR
8. User of personal data – the meaning is the same as defined by the GDPR
9. Data carrier – all types of means on which data are recorded or stored (documents, acts, materials, files, computer equipment including magnetic, optical or other computer media, photocopies, sound and image material, microfilms, data transmission devices, etc.).
10. Employees – means persons who have an employment contract with the company, persons who perform work in the company as pupils or students, persons who perform work in the company on the basis of a contract between the company and their employer who provides workers to other employers, and persons performing work for the company under civil law contracts.
11. Security incident – means a breach of security that results in the unintentional or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
Article 3
The company keeps and maintains records of personal data processing activities with the prescribed components, in accordance with the provisions of Article 30 of the GDPR, for each collection separately. Records of processing activities are kept in electronic form; access is possible upon prior request. Each head of the department within which an individual collection is kept is responsible for keeping the records of processing activities, and supervision is performed by the director.
Article 4
Only those personal data for which there is an appropriate legal basis under the provisions of the GDPR or other legislation may be processed in the company or for the needs of the company. If there is no legal basis for processing, it is necessary to immediately stop actively processing the personal data and prevent access to them, and to inform the director of the company about the absence of a basis; the director will determine the further handling of such data. Personal data may be collected only for specified and lawful purposes and may not be further processed in such a way that their processing is incompatible with these purposes, unless otherwise provided by law. When the company intends to further process personal data for a purpose other than the purpose for which the personal data were collected, it is necessary to check in advance whether the new purpose is compatible with the original one and to prepare a written report. Measures to ensure the security of specific collections of personal data, such as pseudonymization and encryption, limitation of storage and access, restriction of processing, restriction of purposes, etc., and the method of their implementation are determined by the director at the suggestion of the head of department.
1 Under the GDPR, keeping these records is not necessary for companies with fewer than 250 employees, UNLESS:
– processing is likely to pose a risk to the rights and freedoms of individuals (it is therefore invasive);
– processing is NOT occasional;
– processing involves special types of data.
In view of the above, especially the condition regarding the (non-)occasional nature of processing, we recommend that companies with fewer than 250 employees also keep records of processing activities.
Special types of personal data may only be processed in accordance with the provisions of the GDPR and other legislation. During processing, these data must be specially marked and protected in such a way as to prevent unauthorized persons from accessing them. The individual must be informed about the processing of personal data in accordance with the provisions of Articles 12, 13 and 14 of the GDPR. Each head of the department within which a collection is kept is responsible for the implementation of these notifications. Each head of the department within which an individual collection is kept is obliged (for each individual collection) to determine and maintain a written list of persons who may, due to the nature of their work and/or function in the company, process certain personal data or have access to collections (hereinafter referred to as “authorized processors”). Heads of departments are obliged to submit the written lists of authorized processors to the director of the company. Authorized processors must be acquainted with the provisions of the GDPR and the content of these rules before processing personal data, and they are obliged to sign a special Declaration “Addendum to the data processing contract”.
Article 5
The individual has the right to obtain confirmation from the company as to whether his or her personal data are being processed and, if so, the right to obtain access to the personal data (insight) and the information referred to in Article 15(1) of the GDPR. An individual has the right to obtain from the company the correction of inaccurate or incomplete personal data relating to him or her without undue delay. An individual has the right to have the company delete personal data concerning him or her without undue delay when one of the following reasons applies:
– the personal data are no longer needed for the purposes for which they were collected or otherwise processed;
– the individual revokes the consent on the basis of which the processing takes place and there is no other legal basis for the processing;
– the individual objects to the processing and there are no overriding legitimate grounds for the processing;
– the personal data have been processed unlawfully;
– the personal data must be deleted in order to fulfil a legal obligation;
– the personal data were collected in connection with the provision of information society services to a minor.
An individual has the right to have the company restrict processing when one of the following cases applies:
– the individual disputes the accuracy of the data, for a period that allows the company to verify the accuracy of the personal data;
– the processing is unlawful and the individual opposes the erasure of the personal data and instead requests that their use be restricted;
– the company no longer needs the personal data for the purposes of processing, but the individual needs them to assert, exercise or defend legal claims;
– the individual has lodged an objection to the processing, pending verification of whether the controller’s legitimate grounds override those of the data subject.
An individual has the right to receive the personal data he or she provided to the company in a structured, commonly used and machine-readable form, and the right to transmit those data to another controller without being hindered by the company, when:
– the processing is based on consent, and
– the processing is carried out by automated means.
The director of the company is obliged to ensure that individuals are informed about the rights referred to in the previous paragraphs of this article in an appropriate manner, in accordance with the requirements of the GDPR.
The Director shall also provide a single point of contact for individuals to exercise their rights. The head of the department within which the collection containing personal data of the individual is kept is responsible for enforcing the rights of individuals and for communicating with them. If the personal data of an individual are in several collections, the director of the company shall appoint a competent head of department.
Article 6
The head of department or another person who perceives this is obliged to draw the director’s attention to the fact that a planned processing of personal data, in particular (but not exclusively) using new technologies, is likely, taking into account the nature, scope, circumstances and purposes of the processing, to result in a high risk to the rights and freedoms of individuals. In this case, the director decides whether it is necessary to carry out an assessment of the impact of the intended processing operations on the protection of personal data. The head of department or another person authorized by the director is responsible for carrying out the impact assessment itself. All employees who can make the necessary data and assessments available are obliged to participate. The impact assessment shall be carried out in writing and shall include:
– a systematic description of the intended processing operations and the purposes of the processing, and, where appropriate, the legitimate interests pursued by the company;
– an assessment of the necessity and proportionality of the processing operations in relation to their purpose;
– an assessment of the risks to the rights and freedoms of data subjects;
– risk management measures, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.
If the head of department or another person who has carried out an impact assessment finds that the planned processing would pose a significant risk if the company did not take risk mitigation measures, he or she is obliged to inform the company’s director, who assesses whether consultation with the supervisory authority is necessary.
II. PROTECTION OF PREMISES AND COMPUTER EQUIPMENT
Article 7
Premises in which personal data carriers, hardware and software are located (protected premises) must be protected by organizational, physical and/or technical measures that prevent unauthorized persons from accessing the data. Access is possible only during regular working hours, and outside this time only with the permission of the director or manager. Keys are not left in the lock on the outside of the door. Protected premises must not be left unattended and must be locked in the absence of the employees who supervise them. Outside working hours, cabinets and desks with personal data carriers must be locked, and computers and other hardware must be switched off and physically or programmatically locked. Employees must not leave personal data carriers on desks in the presence of persons who do not have the right to inspect them. Personal data carriers located outside the protected premises (corridors, common areas) must be kept permanently locked. Sensitive personal data must not be stored outside the protected premises. An employee who uses personal data in his or her work or processes them in any way may not leave personal data carriers unattended during working hours or otherwise expose them to the risk of unauthorized persons gaining access to the personal data. Keys, cards, passwords and other means of access to the protected premises must be protected, managed and stored diligently and carefully. Any loss or misappropriation, or suspicion of abuse, must be reported immediately by the employee.
Article 8
In premises intended for customer service, data carriers and computer displays must be installed in such a way that customers cannot see them.
Article 9
Maintenance and repair of hardware, computer and other equipment is permitted only with the knowledge of an authorized person, and may only be performed by authorized services and maintainers who have concluded an appropriate contract with the Red Orange Company or have been issued an order form.
Article 10
Maintainers of premises, hardware and software, visitors and business partners may move within the protected premises only with the knowledge of an authorized person. Employees such as cleaners, security guards, etc., may move outside working hours only in those protected premises where access to personal data is disabled (data carriers are stored in locked cabinets and desks, and computers and other hardware are turned off or otherwise physically or programmatically locked).
III. PROTECTION OF SYSTEM AND APPLICATION SOFTWARE, COMPUTER EQUIPMENT AND DATA PROCESSED WITH COMPUTER EQUIPMENT
Article 11
Access to the software must be protected by allowing access only to employees designated in advance for this purpose, or to legal or natural persons who perform the agreed services in accordance with the order.
Article 12
Correction, modification and supplementation of system and application software is allowed only with the approval of an authorized person, and can only be performed by authorized services, organizations and individuals who have a relevant contract with Red Orange or have been issued an order.
Article 13
The same provisions apply to the storage and protection of application software as to other data from this policy.
Article 14
The contents of the network server disks and of local workstations where personal data are located are checked for the presence of computer viruses. When a computer virus appears, it is eliminated as soon as possible, and at the same time the cause of its entry into the computer information system is determined. All personal data and software intended for use in the computer information system and received by Red Orange on computer data transmission media or via telecommunication channels must be checked for the presence of computer viruses before use.
Article 15
Employees may not install software without the knowledge of the person in charge of the computer information system. They are also not allowed to remove software from business premises without the permission of the director.
Article 16
Access to data via application software is protected by a password system for the authorization and identification of users of programs and data, and the password system must also provide the ability to subsequently determine when individual personal data were entered into the database, used or otherwise processed, and by whom.
Article 17
All passwords and procedures used to enter and administer the personal computer network (supervisory or administrative passwords), administer e-mail and administer application programs are kept in sealed envelopes and are protected from access by unauthorized persons. They are used only in extraordinary circumstances or in emergencies.
Article 18
Personal data may only exceptionally, when strictly necessary due to the nature of the work, be stored and processed locally (on local computers and other similar devices). Once the need for such local storage and processing of personal data has ceased, the personal data must be transferred to centralized databases or permanently deleted. Any copies of the contents of personal data files on local media (external disks, USB sticks, etc.) are kept in locked lockers. For the purpose of restoring the computer system in the event of failures and other exceptional situations, regular copies of the contents of the network server and of local stations, if data are located there, are made. These copies shall be kept in designated areas, which must be fireproof, protected against floods and electromagnetic interference, within the prescribed climatic conditions, and locked.
IV. SERVICES PROVIDED BY EXTERNAL LEGAL OR NATURAL PERSONS
Article 19
A written contract as provided for in the second paragraph of Article 28 of the General Data Protection Regulation shall be concluded with any external legal or natural person who performs individual tasks related to the collection, processing, storage or transmission of personal data and is registered to perform such activity (contractual or commissioned processor). Such a contract must also prescribe the conditions and measures to ensure the protection and security of personal data. Prior to concluding a contract with the processor, the responsible person (usually the head of the department) is obliged to obtain information from the processor that enables verification of whether the processor meets the requirements of legislation in the field of personal data protection; this also includes the disclosure of all subcontracted processors, including their names and locations. This also applies to external persons who maintain hardware and software and who create and install new hardware or software. External legal or natural persons may provide personal data processing services only within the scope of the client’s authorization and may not process or otherwise use the data for any other purpose. An authorized legal or natural person who provides the agreed services for the company Rdeča Oranža outside the premises of the controller must apply a method of personal data protection at least as strict as that provided by these rules. In addition to other requirements, the company must guarantee in its contracts with processors the right to conduct a review or audit in the field of personal data protection at the contracted processor at least once a year. A review or audit must be carried out whenever there is any suspicion or indication that the processor is in breach of contract or does not ensure a sufficient level of protection of personal data.
The audit is carried out at the expense of the company, and the processor may not charge the company for the possible engagement of its own staff and/or subcontracted processors.
V. RECEIPT AND TRANSMISSION OF PERSONAL DATA
Article 20
The employee in charge of receiving and recording mail must deliver the postal item with personal data directly to the individual or to the service to which the item is addressed. The employee in charge of receiving and recording mail shall open and inspect all postal items and items that otherwise arrive at the administrative body brought by customers or couriers, except for items referred to in the third and fourth paragraphs of this Article. The employee in charge of receiving and recording mail shall not open those items which are addressed to another body or organization and which are delivered by mistake and items which are marked as personal data or for which the indications on the envelope indicate that they relate to competition or call. The worker in charge of receiving and recording mail may not open consignments addressed to the worker stating on the envelope that they are to be served in person on the addressee, and consignments which first state the personal name of the worker without indicating his official position and only then the address of the administrative body.
Article 21
Personal data may be transferred by information, telecommunication and other means only when implementing procedures and measures that prevent unauthorized persons from misappropriating or destroying the data and from gaining unauthorized knowledge of their content. Sensitive personal data are sent to addressees in sealed envelopes against signature in the delivery book or by delivery note. Personal data are sent by registered mail. The envelope in which personal data are transmitted must be made in such a way that its contents are not visible under normal light or when the envelope is illuminated with normal light. The envelope must also ensure that it cannot be opened, and its contents read, without leaving a visible trace of the opening.
Article 22
The processing of sensitive personal data must be specially marked and secured. The data referred to in the preceding paragraph may be transmitted over telecommunication networks only if they are specially protected by cryptographic methods and electronic signature in such a way as to ensure the illegibility of the data during their transmission.
Article 23
Personal data are provided only to those users who establish an appropriate legal basis or present a written request or consent of the data subject. For each transfer of personal data, the recipient must submit a written application which clearly states the provision of the law authorizing the user to obtain the personal data, or the application must be accompanied by a written request or consent of the data subject. In the case of obtaining and transmitting personal data between public administration bodies, it is also necessary to comply with the provisions of the Decree on administrative operations. Originals of documents are never provided, except in the case of a written court order. The original document must be replaced by a copy during its absence.
VI. DELETION OF DATA
Article 24
Upon expiration of the retention period, personal data shall be effectively deleted, destroyed, or anonymized, unless otherwise provided by law or other act. The head of the department decides on the deletion, destruction or anonymisation of personal data. A record shall be made of the destruction, erasure or anonymisation of personal data, which may not contain the personal data of individuals whose data have been deleted, destroyed or anonymised.
Article 25
To delete data from computer media, a method of deletion is used that makes it impossible to restore all or part of the deleted data. Data on traditional media (documents, files, registers, lists …) are destroyed in a way that makes it impossible to read all or part of the destroyed data. The exact method of destruction for individual types of personal data or media is determined by the director of the company. Auxiliary material is destroyed in the same way (e.g. matrices, calculations and graphs, sketches, trial or unsuccessful printouts, etc.). It is forbidden to dispose of waste data carriers containing personal data in rubbish bins. When transferring personal data carriers to the place of destruction, adequate security must be provided during the transfer.
VII. ACTION ON SECURITY INCIDENTS REGARDING PERSONAL DATA
Article 25
Employees are obliged to take measures to prevent the misuse of personal data and must handle the personal data with which they become acquainted in the course of their work conscientiously and carefully, in the manner and according to the procedures set out in these rules. Employees are obliged to immediately notify an authorized person or supervisor of any detected unauthorized destruction of confidential information, malicious or unauthorized use, misappropriation, alteration or damage, and must themselves try to prevent such activity. The director of the company must report such a breach to the Information Commissioner within 72 hours of any suspected breach of personal data protection. Where a personal data breach is likely to pose a significant risk to the rights and freedoms of individuals, the company’s director must ensure that the affected individuals are informed without undue delay that a personal data breach has occurred.
Article 26
The director of the company is obliged to ensure that, after a security incident, an analysis of its causes is carried out and measures are proposed to reduce or eliminate the risk of such and future security incidents, and that, if reasonable and possible, the proposed measures are implemented. If it turns out that the security incident was caused by or involved an employee, or occurred due to negligence on the part of an employee, the director of the company, notwithstanding other provisions of these rules, shall take appropriate labour-law action against the employee.
VIII. RESPONSIBILITY FOR IMPLEMENTING SECURITY MEASURES AND PROCEDURES
Article 27
The director of the company and authorized persons who are not employees of the company are responsible for the implementation of the procedures and measures for the protection of personal data. The supervision referred to in paragraph 1 of this Article shall also include procedures for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of processing. All employees and other persons in the company are obliged to participate in this.
Article 28
Everyone who processes personal data is obliged to carry out the prescribed procedures and measures for data protection and to protect the data of which he or she became aware or with which he or she became acquainted in the performance of his or her work. The obligation of data protection does not end with the termination of the employment relationship. Before starting work at a workplace where personal data are processed, the employee must sign a special statement committing him or her to the protection of personal data. It must be evident from the signed statement that the signatory is acquainted with the provisions of these rules and the provisions of the General Data Protection Regulation, and the statement must also contain instructions on the consequences of a breach.
Article 29
Employees are disciplinarily liable for violating the provisions of the previous article, while others are subject to contractual obligations.
IX. FINAL PROVISIONS:
Article 30
This policy shall enter into force on 25.5.2018.
Article 31
These rules are published on the website www.oranza.si. Employees may also obtain them from the director.