Privacy Policy

This Privacy Policy aims to inform individuals, service users, partners, employees and other people (hereinafter referred to as Individuals) working with ZAVOD ZA TURIZEM PTUJ (hereinafter referred to as the Organization) about the purpose and legal basis of, and security measures and Individuals’ rights in the processing of their personal data carried out by our Organization.

We value your privacy and always carefully protect your data.

We process your personal data in compliance with the European regulations (Regulation (EU) 2016/697) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; hereinafter referred to as GDPR), the national personal data protection legislation (Personal Data Protection Act; ZVOP-1, Official Gazette of RS no. 94/07), and other regulations that provide us with the legal basis for processing personal data.

Our Privacy Policy contains the information on the way our Organization as the data controller processes personal data it receives from Individuals based on the legal basis specified below.

Controller

The data controller is:
ZAVOD ZA TURIZEM PTUJ
Murkova ulica 7, SI-2250 Ptuj
E-mail: info@ptuj.info
Phone: +386 (0)59 308 335

Data Protection Officer

In accordance with Article 37 of the GDPR, we appointed a service company as our data protection officer, namely:
DATAINFO.SI, d. o. o.
Tržaška cesta 85, SI-2000 Maribor
www.datainfo.si
e-mail: dpo@datainfo.si
phone: +386 (0) 2 620 4 300

Personal data

Personal data is any information about a specific or identifiable individual (hereinafter referred to as data subject); an individual is deemed identifiable when they can be identified, directly or indirectly, in particular by reference to an identifier, e.g. a name, ID number, location data, internet ID or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

Purposes of and legal basis for data processing

The Organization shall collect and process your personal data on the following legal basis:

  • processing is necessary for the compliance with the legal obligations of the Controller;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for performing a contract with the data subject, or for implementing measures at such individual’s request before concluding a contract;
  • processing is necessary for the legitimate interests pursued by the controller or a third party;
  • the data subject agreed to the processing of their personal data for one or more purposes;
  • processing is necessary to protect the vital interests of the data subject or of another natural person.

Compliance with legal obligations and performing a task in the public interest

The Organization processes primarily the personal data of its employees based on the labor laws. Types of personal data processed by the Organization for the purpose of compliance with legal obligations comprise full name, gender, date of birth, EMŠO (unique personal identification number), tax ID number, place, municipality and country of birth, citizenship, and the residential address for the purpose of executing the employment contract and fulfilling the obligations arising from it.

The legal basis for processing personal data of Individuals also comprises the Promotion of Tourism Development Act, Protection of Documents and Archives and Archival Institutions Act, Institutes Act, Local Self-Government Act, and other legislation governing tourism.

In these cases, the Organization is also permitted to process personal data for the purposes of public interest.

Preforming a contract

Any contract that you conclude with the Organization represents a legal basis for processing personal data. We are permitted to process your personal data for the purpose of concluding and performing contracts, e.g. sale of tickets, subscriptions, library membership etc. If an individual fails to provide personal data, the Organization will be unable to conclude the contract, and subsequently provide a service or deliver goods or other products pursuant to that contract due to not having the information necessary for its performance. The organization can also use e-mail addresses of Individuals and users of its services to inform them about its services, events, training courses, promotions and other news in the course of its legitimate activities. An Individual may at any time request that such communication and personal data processing be stopped, and unsubscribe from messages through the link in the received message, or by sending a request by email to info@ptuj.info or regular mail to the Organization’s address.

Legitimate interests

The legal basis of pursuing legitimate interests is restricted to data processing performed by public authorities carrying out their duties. The Organization can process personal data on the basis of legitimate interest, which the Organization is pursuing to a limited extent. Such processing is not permitted when the interests and fundamental rights and freedoms of the data subject requesting personal data protection overrule legitimate interests. When applying legitimate interests as a legal basis, the Organization always conducts an assessment in compliance with GDPR.

This allows us to occasionally inform Individuals about services, events, training courses, promotions and other news by email, phone, or regular mail. An Individual may at any time request that such communication and personal data processing be stopped, and unsubscribe from messages through the link in the received message, or by sending a request by email to info@ptuj.info or regular mail to the Organization’s address.

Processing based on consent

If the Organization’s processing of the data is not based on the law, its performance of a task in the public interest, a contractual obligation or legitimate interests, it may ask an Individual for their consent. With an Individual’s consent, the Organization may process certain personal data for the following purposes:

  • residential and email address for the purpose of informing and communicating;
  • tax ID number or EMŠO (unique personal identification number) for the purpose of collection in the event of failure to meet obligations (e.g. unpaid invoice);
  • photos, videos and other content connected with an Individual (e.g. videos from public events) for the purpose of documenting the activities and informing the public about the Organization’s work and events;
  • other purposes, for which the Individual gave their consent.

If an Individual who gave their consent does not want their personal data to be further processed, they may at any time withdraw their consent by sending a request by email to info@ptuj.info or by regular mail to the Organization’s address.

Personal data retention and deletion

The Organization shall only retain personal data for the period of time necessary for the purposes for which the personal data are collected and processed. If the Organization processes data based on a law, it shall retain that data for the period prescribed by that law. Certain data shall be retained for the duration of collaboration with the Organization, while other shall be retained permanently.

The Organization shall retain the personal data it processes based on a contractual relationship with an Individual for the period necessary for performing the contract and 6 years after the contract expires, unless a dispute arises between the Individual and the Organization in relation to said contract. In this event, the Organization shall retain the data for a period of 5 years after the court ruling, arbitration decision or court settlement becomes final, or a period of 5 years after amicably resolving the dispute, if the dispute is not taken to court.

The Organization shall retain the data that it processes based on an Individual’s personal consent or legitimate interest until the consent is withdrawn or a request is made for erasing the data. The data shall be deleted within 15 days of receiving the withdrawal or request for erasure. The Organization may erase these data before receiving a withdrawal of consent, if the purpose of processing has been met or of the law so requires.

The Organization may in exceptional cases reject the request for deleting the data, if data processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for exercise or defence of legal claims.

After the period for data retention expires, the personal data shall be effectively deleted or anonymized, which makes it impossible for the data to be linked with an Individual.

Personal data processing by a contractor and transferring the data

The Organization may commission a contractor for processing the personal data by concluding a service agreement. The contractor may only process the personal data on behalf of the Controller, and within the authorization given in the written contract or another legal document in compliance with the purposes specified in this Privacy Policy.

Contractors, with which the Organization collaborates, primarily include:

  • providers of accounting services and legal and business consultancy;
  • providers of infrastructure maintenance;
  • providers of information system maintenance;
  • email, software and cloud service providers (e.g. Arnes, Microsoft, Google);
  • website and online advertising providers (Google, Facebook, Instagram, YouTube etc.);
  • service providers in tourism and tourism development.

The Organization shall in no case forward an Individual’s personal data to third unauthorized parties.

Contractor may only process the personal data within the instructions given by the Organization, and may not use them for any other purpose.

The Organization as the data controller and its employees may not transfer the personal data to third countries (countries outside the European Economic Area, which includes the EU, Iceland, Norway and Liechtenstein) and international organizations, except USA, in which case the contractors processing the data are included in the EU-USA Privacy Shield program. Read more about the EU-USA Privacy Shield on the Information Commissioner’s page: https://www.ip-rs.si/varstvo-osebnih-podatkov/obveznosti-upravljavcev/iznos-osebnih-podatkov-v-tretje-drzave/iznos-osebnih-podatkov-v-zda/.

Cookies

The Organization’s website uses cookies. Cookies are files that contain website settings. Websites save the cookies on the device used to access the web with the purpose of recognizing devices and settings that users selected for the access. Cookies allow websites to recognize whether the user has already visited the website in the past, and advanced apps use them to adjust the settings. Cookies are controlled by the browser, and the user can at any time restrict or disable them.

Cookies are essential for providing a user-friendly online service. They are used to save data on the website’s status, collect statistics about users and visits, etc. Cookies also help us evaluate the effectiveness of our website’s design.

Our Organization’s website uses the following cookies:

Cookie Duration Function
_ga 2 years Statistics on website visits – Google Analytics
_fbp 2 years Facebook pixel for Facebook advertising
PHPSESSID Until the end of the session Website functioning
Ptujinfo_cookie_accept 2 years saving decisions on cookies

 

Cookies are saved and managed by the browser used by the Individual. The browser can restrict or disable cookies as desired. You can also delete the cookies saved in your browser by following the instructions on the browser’s website.

Data protection and accuracy

The Organization provides information security and security of its infrastructure (premises and the application system software). Our information systems are protected with anti-viruses and a firewall. We have implemented adequate organizational and technical security measures aimed at protecting your personal data from accidental or illegal destruction, loss, changes, unauthorized disclosure or access, and from other illegal or unauthorized types of processing. If we need to transfer special types of personal data, we will send them encrypted and protected with a password.

You are responsible for providing your personal data safely, and for providing accurate and credible data. We will do our best to keep your personal data that we process accurate and updated, we may however occasionally contact you to confirm their accuracy.

Individual’s rights in regard to data processing

In accordance with GDPR, an individual has the following rights regarding their personal data protection:

  • to request information as to whether or not their personal data are being processed, and, where that is the case, which data are being processed, on which basis, and for what purpose;
  • to request access to your personal data, in which case you can receive the copy of your personal data, and check whether they are being processed legally;
  • to request rectification of incomplete or inaccurate personal data;
  • to request the erasure of your personal data, where the reason for their processing no longer exists, or when you exercise your right to object to further processing;
  • to object to further processing of data in cases where we rely on legitimate interests (also in the case of a third party’s legitimate interest), when there are reasons related to your personal situation. Notwithstanding the provision from the preceding paragraph, you have the right to object at any time if we process your data for the purpose of direct marketing;
  • to request the restriction on processing your personal data, which means their processing will be suspended, if you want us to verify their accuracy or reasons for their further processing;
  • to request that your personal data be transferred to another controller in a structured electronic form, if possible and feasible;
  • to withdraw the consent you gave for the collection, processing and transfer of your personal data for a certain purpose; after receiving the notification about your withdrawal of consent, we will stop processing your personal data for the purpose, for which they were given, unless we have another legal basis for doing it legally.

If you want to exercise any of the aforementioned rights, send a request by email to info@ptuj.info, or by regular mail to the Organization’s address: Murkova ulica 7, SI-2250 Ptuj.

You can access your personal data or exercise your rights free of charge. We may however charge a reasonable fee if the data subject’s request is apparently unjustified or exaggerated, and especially if such requests reoccur. In this case, we may also reject the request.

If you exercise these rights, we may also require certain information that will allow us to verify your identity, which is a safeguard preventing us from disclosing your personal data to unauthorized parties.

You may also exercise these rights by filling out the Information Commissioner’s form on their website. Link: https://www.ip-rs.si/fileadmin/user_upload/doc/obrazci/ZVOP/Zahteva_za_seznanitev_z_lastnimi_osebnimi_podatki__Obrazec_SLOP_.doc

If you believe your rights have been violated, you can also ask for the protection or help of the supervisory authority, i.e. the Information Commissioner. Link: https://www.ip-rs.si/zakonodaja/reforma-evropskega-zakonodajnega-okvira-za-varstvo-osebnih-podatkov/kljucna-podrocja-uredbe/prijava-krsitev/

If you have any questions regarding the processing of your data, you can always contact us.

Publishing amendmends

Any changes to our Privacy Policy will be posted on our website. By using our website, an individual accepts and agrees to this Privacy Policy.

The Privacy Policy was adopted by Katja Gönc, Director of the Ptuj Tourism Public Institute, on 12 June 2019.