Privacy Policy
Privacy Policy
The purpose of the Personal Data Protection Policy is to inform individuals, service users, collaborators, employees, and other persons (hereinafter: "individual") who interact with ZKŠT Zavod za kulturo, šport in turizem Žalec, Aškerčeva 9a, 3310 Žalec, represented by the director Mag. Marko Repnik (hereinafter: "organization"), about the purposes, legal bases, security measures, and rights of individuals regarding the processing of personal data carried out by our organization.
We value your privacy, and therefore, we always carefully protect your data.
We process personal data in accordance with European legislation (Regulation (EU) 2016/679 on the protection of individuals regarding the processing of personal data and the free movement of such data (hereinafter: "General Regulation")), applicable Slovenian legislation on personal data protection, and other laws that provide us with a legal basis for processing personal data.
The Personal Data Protection Policy contains information on how our organization, as a data controller, processes personal data received from individuals based on legal grounds.
1) Data Controller
The data controller for personal data is the organization:
ZKŠT Zavod za kulturo, šport in turizem Žalec
Aškerčeva 9a, 3310 Žalec
Email: info@zkst-zalec.si
Phone: +386 3 712 12 50
2) Data Protection Officer
In accordance with Article 37 of the General Regulation, we have appointed the following company as the Data Protection Officer:
DATAINFO.SI, d.o.o.
Tržaška cesta 85, SI-2000 Maribor
Website: www.datainfo.si
Email: dpo@datainfo.si
Phone: +386 (0) 2 620 4 300
3) Personal Data
Personal data refers to any information related to an identified or identifiable individual. An identifiable individual is one who can be directly or indirectly identified, particularly by reference to an identifier such as name, identification number, location data, online identifier, or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.
4) Purposes of Processing and Legal Bases for Data Processing
The organization collects and processes your personal data based on the following legal grounds:
Processing is necessary for compliance with a legal obligation to which the data controller is subject;
Processing is necessary for the performance of a contract to which the individual, whose personal data is being processed, is a party, or for taking steps at the request of such an individual prior to entering into a contract;
Processing is necessary for the legitimate interests pursued by the data controller or a third party;
The individual has given consent for the processing of their personal data for one or more specific purposes;
Processing is necessary to protect the vital interests of the individual whose personal data is being processed or of another natural person.
4.1) Compliance with Legal Obligations
Based on legal provisions, the organization processes data about its employees in accordance with labor and social security legislation. For employment purposes, the organization processes the following types of personal data:
Name and surname
Gender
Date of birth
EMŠO (unique personal identification number)
Tax number
Place, municipality, and country of birth
Citizenship
Residence address, etc.
The legal basis for processing personal data also includes:
Institutes Act
Local Self-Government Act
Employment Relations Act
Public Interest in Culture Act
Tourism Development Promotion Act
Sports Act
Protection of Documentary and Archival Material and Archives Act
Act on Ensuring Funds for Certain Urgent Programs in Slovenian Culture
Other laws related to culture, sports, and tourism
In limited cases, personal data processing is also allowed based on public interest. All applicable sectoral regulations are available on the website of the relevant ministry:
Ministry of Culture Legislation.
4.2) Contract Execution
When an individual enters into a contract with the organization, this contract serves as the legal basis for processing personal data. Personal data may therefore be processed for the purpose of concluding and executing the contract, such as the sale of tickets, subscriptions, etc.
If the individual does not provide personal data, the organization cannot conclude the contract, nor can it provide the requested services or deliver goods or other products in accordance with the agreement, as the necessary data for execution is missing.
Based on its lawful activities, the organization may inform individuals and users of its services via email about its services, events, training programs, offers, and other content.
An individual may request at any time to opt out of such communications and the processing of personal data, and withdraw consent for receiving messages:
By clicking the unsubscribe link in the received message, or
By submitting a request via email to info@zkst-zalec.si, or
By sending a written request via regular mail to the organization's address:
ZKŠT Zavod za kulturo, šport in turizem Žalec, Aškerčeva 9a, 3310 Žalec.
4.3) Legitimate Interest
The organization may also process personal data based on its legitimate interest. However, this is not permitted if such interests are overridden by the interests or fundamental rights and freedoms of the individual whose personal data is being processed, requiring protection of personal data.
When relying on legitimate interest, the organization always conducts an assessment in accordance with the General Regulation (GDPR).
Processing personal data for direct marketing purposes is considered to be conducted in legitimate interest. The organization may process personal data obtained from publicly available sources or as part of its lawful activities for purposes such as:
Offering goods, services, and job opportunities
Informing individuals about benefits, events, and other updates
To achieve these purposes, the organization may use:
Postal mail
Phone calls
Email
Other telecommunication methods
For direct marketing purposes, the organization may process the following personal data of individuals:
Name and surname
Permanent or temporary residence address
Phone number
Email address
The organization may process these personal data for direct marketing purposes even without the individual's explicit consent.
An individual can request at any time to opt out of such communications and processing of personal data, and withdraw consent for receiving messages:
By clicking the unsubscribe link in the received message, or
By submitting a request via email to info@zkst-zalec.si, or
By sending a written request via regular mail to the organization's address:
ZKŠT Zavod za kulturo, šport in turizem Žalec, Aškerčeva 9a, 3310 Žalec.
4.4) Processing Based on Consent
If the organization does not have a legal basis under law, contractual obligation, or legitimate interest, it may request the individual's consent for data processing.
With the individual's explicit consent, the organization may process certain personal data for the following purposes:
Address and email for notifications and communication
Photographs, videos, and other content related to the individual (e.g., publishing images on the organization’s website) for documenting activities and informing the public about the organization’s work and events
Other purposes for which the individual explicitly agrees by giving consent
If an individual provides consent for the processing of personal data but later wishes to withdraw it, they can request the termination of data processing by sending a request:
Via email to info@zkst-zalec.si, or
By regular mail to the organization's address:
ZKŠT Zavod za kulturo, šport in turizem Žalec, Aškerčeva 9a, 3310 Žalec
Withdrawal of consent does not affect the legality of processing based on consent before its withdrawal.
4.5) Processing Necessary for the Protection of an Individual’s Vital Interests
The organization may process an individual's personal data if it is essential for the protection of their vital interests.
In emergency situations, the organization may:
Verify the individual’s identity document
Check if the person is listed in its database
Review the individual's medical history
Contact their relatives
For such actions, the organization does not require the individual's consent, as they are necessary to protect the vital interests of the individual.
5) Retention and Deletion of Personal Data
The organization will retain personal data only for as long as necessary to fulfill the purpose for which it was collected and processed.
If data is processed based on legal obligations, it will be stored for the period prescribed by law. Some data will be retained for the duration of the individual’s collaboration with the organization, while certain data must be stored permanently.
For data processed under a contractual relationship, the organization will retain it for the duration necessary to execute the contract and for an additional six (6) years after its termination. However, if a dispute arises between the individual and the organization concerning the contract:
Data will be stored for 10 years after a final court decision, arbitration, or judicial settlement;
If no legal dispute occurs, data will be stored for 5 years from the date of amicable resolution.
For personal data processed based on individual consent or legitimate interest, the organization will retain it until consent is revoked or an erasure request is made. Once a revocation or deletion request is received, the organization will delete the data within 15 days at the latest.
The organization may also delete data before withdrawal of consent if the purpose for which the data was processed has been fulfilled or if required by law.
Exceptions to Data Deletion
The organization may deny a deletion request in certain cases outlined in the General Data Protection Regulation (GDPR), such as:
Ensuring the right to freedom of expression and information
Compliance with legal obligations
Public interest reasons in the field of public health
Archival purposes in the public interest
Scientific or historical research and statistical purposes
Establishment, exercise, or defense of legal claims
Once the retention period expires, the organization must permanently delete or anonymize personal data, ensuring it can no longer be linked to any specific individual.
6) Contractual Processing of Personal Data and Data Transfers
The organization may entrust certain personal data to contracted processors based on a data processing agreement. These processors may only process entrusted data on behalf of the organization, strictly within the scope of authorization defined in a written contract or other legal act, and in compliance with the purposes outlined in this Privacy Policy.
Contracted Data Processors
The organization collaborates with the following types of contracted data processors:
Accounting services and other providers of legal and business consulting
Infrastructure maintenance providers (video surveillance, security services)
IT system maintenance providers
Email service providers, software providers, and cloud service providers (e.g., Arnes, Microsoft, Google)
Social media and online advertising service providers (e.g., Google, Facebook, Instagram)
The organization will never disclose an individual's personal data to unauthorized third parties. Contracted processors may only process personal data in accordance with the organization's instructions and must not use the data for any other purpose.
Data Transfers Outside the EEA
The organization and its employees do not transfer personal data to third countries (outside the European Economic Area (EEA), which includes EU member states, Iceland, Norway, and Liechtenstein) or international organizations, except to the United States (USA).
In such cases, relationships with U.S. processors are regulated based on:
Standard contractual clauses (SCCs) – standard contracts adopted by the European Commission
Binding corporate rules (BCRs) – corporate policies adopted by the organization and approved by supervisory authorities within the EU
Monitoring Contracted Processors
To ensure better oversight and control over contracted processors, the organization maintains a list of all specific contracted processors with whom it collaborates, documenting their contractual obligations and compliance.
7) Cookies
The organization's website operates using cookies. A cookie is a file that stores website settings. Websites save cookies on users' devices when they access the internet, allowing recognition of specific devices and remembering user preferences.
Cookies enable websites to recognize whether a user has previously visited the site. In advanced applications, cookies help personalize settings to enhance user experience. The storage of cookies is fully controlled by the browser used by the individual, which means users can limit or completely disable cookie storage at any time.
Importance of Cookies
Cookies are essential for providing user-friendly online services. They are used for:
Storing website settings
Collecting user statistics
Tracking website visits and traffic analysis
With the help of cookies, the organization evaluates the effectiveness of the website's design and improves its functionality.
Types of Cookies Used
The organization's website uses the following types of cookies:
Users can delete cookies stored by their browser. Instructions on how to do this can be found on the official websites of individual web browsers.
8) Video Surveillance
The ZKŠT Zavod za kulturo, šport in turizem Žalec implements video surveillance. Cameras are installed around the organization's entrances to monitor entries and exits in accordance with Article 77 of ZVOP-2 (Slovenian Personal Data Protection Act).
Additionally, video surveillance is used to:
- Protect individuals (users, employees, and visitors)
- Safeguard the organization’s property (based on legitimate interest, as outlined in Article 6(f) of the General Regulation (GDPR) in connection with Articles 76 and subsequent provisions of ZVOP-2)
- Scope and Purpose of Surveillance
Video surveillance is conducted within certain workspaces where it is strictly necessary for:
- Ensuring the safety of people or property
- Protecting classified information or trade secrets
It helps in detecting, investigating, and resolving incidents or exceptional events, including:
- Criminal offenses
- Compensation claims
- Other legal disputes
- Retention of Surveillance Footage
- Recordings are stored for 14 days (e.g., camera at the Green Gold Beer Fountain)
- Video surveillance does not involve unusual or extended processing, such as:
- Data transfers to third countries
- Live audio interventions during monitoring
- Live Monitoring
- Live monitoring is only accessible to an authorized person at the staff entrance of Dom II. slovenskega tabora, to prevent unauthorized access by third parties.
For additional information regarding video surveillance, individuals may:
- Contact the organization via phone or email
- Refer to their rights outlined in this Privacy Policy
- Direct any additional inquiries to the Data Protection Officer
9) Photography at the Green Gold Beer Fountain
A fixed-position camera is installed at the Green Gold Beer Fountain location. Visitors have the opportunity to take aerial perspective photographs using a camera positioned in front of the fountain. Visitors at the Green Gold Beer Fountain may be included in photographs taken by other individuals at the location. This feature is designed to enhance the tourist experience. The photograph captures the interior area of the Green Gold Beer Fountain, including any individuals present within the frame. After pressing the shutter button, two photographs will be taken within ten seconds. The captured images will be sent directly to the visitor’s email address. If no email address is entered, the images will not be sent and will instead be immediately deleted. For further details about the photography process, visitors may contact the organization via phone or email, refer to their rights outlined in this Privacy Policy, or direct any additional inquiries to the Data Protection Officer.
10) Data Protection and Data Accuracy
The organization ensures information security and the security of infrastructure (premises and application system software). Our information systems are protected, among other measures, by antivirus programs and a firewall. We have implemented appropriate organizational and technical security measures designed to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as well as from other illegal and unauthorized forms of processing. When transmitting special categories of personal data, we do so in encrypted form and protected by a password.
Individuals are responsible for securely providing their personal data and ensuring that the transmitted data is accurate and truthful. The organization will strive to ensure that the personal data it processes is accurate and updated as necessary. Occasionally, the organization may contact individuals to confirm the accuracy of their personal data.
11) Individual Rights Regarding Data Processing
In accordance with the General Data Protection Regulation (GDPR), individuals have the following personal data protection rights:
- They may request information on whether we hold their personal data, and if so, which data we have, on what basis, and for what purpose we use it.
- They may request access to their personal data, allowing them to receive a copy of the personal data held by the organization and verify whether it is being processed lawfully.
- They may request corrections to their personal data, such as rectifying incomplete or inaccurate personal data.
- They may request the deletion of their personal data when there is no justification for further processing or when they exercise their right to object to further processing.
- They may object to the further processing of their personal data when the organization relies on a legitimate business interest (including the legitimate interest of a third party), if there are reasons related to their particular situation; individuals have the right to object at any time if the organization processes personal data for direct marketing purposes.
- They may request a restriction on the processing of their personal data, meaning a temporary halt to data processing—for example, if they wish the organization to verify the accuracy of the data or the reasons for its further processing.
- They may request the transfer of their personal data in a structured electronic format to another data controller, where feasible and practical.
- They may withdraw consent given for the collection, processing, and transfer of their personal data for a specific purpose. Upon receiving a notice of consent withdrawal, the organization will cease processing personal data for the originally intended purposes unless it has another lawful basis for doing so.
To exercise any of the above rights, individuals may send a request via email to info@zkst-zalec.si or by regular mail to the organization's address: ZKŠT Zavod za kulturo, šport in turizem Žalec, Aškerčeva 9a, 3310 Žalec. The organization will respond to such requests without undue delay and, in any case, within one month of receiving the request. If necessary, considering the complexity and number of requests, this period may be extended by a maximum of two additional months, in which case the individual will be informed accordingly.
Access to personal data and the exercise of these rights are free of charge for individuals. However, the organization may charge a reasonable fee if a request is clearly unfounded or excessive, particularly if it is repetitive. In such cases, the organization may also refuse the request. To process a request concerning personal data rights, the organization may need to request additional information from the individual to confirm their identity—this is a security measure to ensure that personal data is not disclosed to unauthorized persons.
If an individual wishes to exercise their rights or believes that their rights have been violated, they can seek protection or assistance from the supervisory authority, the Information Commissioner, via the website: https://www.ip-rs.si/.
For any questions regarding the processing of personal data, individuals can always contact the organization via email at info@zkst-zalec.si or by regular mail at ZKŠT Zavod za kulturo, šport in turizem Žalec, Aškerčeva 9a, 3310 Žalec.
12) Publication of Changes
Any changes to our Privacy Policy will be published on the organization's website:
https://www.zkst-zalec.si/,
https://www.turizem-zalec.si/,
https://www.beerfountain.eu/.
By using the website, individuals confirm that they accept and agree with the entire content of this Privacy Policy.
The Privacy Policy has been approved by the responsible person within the organization.