The company Rol Group d.o.o., Cesta v Kleče 16, 1000 Ljubljana, Slovenia, registration number 6724914000 (hereinafter: "Controller"), on the basis of the Personal Data Protection Act of the Republic of Slovenia (hereinafter: "ZVOP-1") and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: "General Data Protection Regulation")
adopts the following
Personal Data Protection Policy
I. Introduction to the processing of personal data
The Controller is a business entity engaged in the following activities:
41.200 Construction of residential and non-residential buildings
42.210 Construction of utility projects for fluids
42.220 Construction of utility projects for electricity and telecommunications
42.990 Construction of other civil engineering projects n.e.c.
43.120 Site preparation
43.210 Electrical installation
43.220 Plumbing, heat and air-conditioning installation
43.290 Other construction installation
43.320 Joinery installation
43.330 Floor and wall covering
43.342 Painting work
43.390 Other building completion and finishing
43.910 Roofing activities
43.990 Other specialised construction activities
46.130 Agents involved in the sale of timber and building materials
46.150 Agents involved in the sale of furniture, household goods, hardware and ironmongery
46.160 Agents involved in the sale of textiles, clothing, fur, footwear and leather goods
46.190 Agents involved in the sale of a variety of goods
46.900 Non-specialised wholesale trade
47.910 Retail sale via mail order houses or via Internet
47.990 Other retail sale not in stores, stalls or markets
49.420 Removal services
52.100 Warehousing and storage
56.101 Restaurants and inns
56.102 Snack bars and similar
56.103 Sweetshops and coffee-houses
56.300 Beverage serving activities
81.100 Combined facilities support activities
81.210 General cleaning of buildings
81.300 Landscape service activities
95.220 Repair of household appliances and home and garden equipment
95.240 Repair of furniture and home furnishings
95.290 Repair of other personal or household goods
The main economic activity of the Controller is 43.290 - Other construction installation.
The Controller does not transmit or transfer the data to third countries and/or international organisations.
In carrying out the above activities, the Controller processes the following personal data: personal name, address, e-mail address, telephone number. The Controller does not process special categories of personal data (so-called sensitive personal data), nor does it process personal data relating to criminal convictions and offences.
The Controller processes personal data on the basis of a contractual relationship or on the basis of the consent of natural persons for the following purposes:
- doing business
- sales contracts
- market research
- direct marketing
- profiling and data segmentation
- market research and statistics.
For the purpose of identifying all types of personal data processed by the Controller and keeping a registry thereof, a list of records of data processing operations shall be kept (hereinafter: "List of records"), the purpose of which is to provide a complete overview of the flow of personal data. The List of records shall also serve as the basis for the adoption of the technical, organisational and human resources measures for the protection of personal data as described in this Policy.
The List of records shall be kept in such a way that for each record of an activity for processing of personal data the following shall be evident:
- on what legal basis the data is processed,
- what is the purpose of the processing of personal data,
- what types of personal data are processed,
- the persons or users, if any, to whom the personal data may be disclosed,
- what technical, organisational and human resources measures are in place to ensure the protection of personal data.
The Controller shall ensure that the List of records is accurate and up-to-date. Upon request from the supervisory authority, the Controller will provide it with access to the List of records.
Workers who process personal data in the course of their work and/or while performing tasks for the Controller must be familiar with the List of records; consultation of the List of records must also be made possible for anyone who requests it and has a legitimate interest in it (e.g. the data subject, a supervisory authority).
Taking into account the described nature, scope, context and purpose of the processing, as laid out in Article 2 of the present Policy and in the List of records, the Controller concludes that the processing of the data does not constitute a significant risk to the rights and freedoms of natural persons and therefore no prior impact assessment in relation to the processing of the data is necessary.
Prior to any new processing of personal data, and in particular prior to use of new technologies, and before any change in the nature, scope, context and purposes of the processing, and whenever there is a change in the extent of risk that arises from the processing operations, the Controller undertakes to re-examine the risks and to assess whether it is necessary to carry out an impact assessment in relation to the processing.
II. General provisions
This Personal Data Protection Policy (hereinafter: "Policy") lays down the technical, organisational and human resources procedures and measures for the protection of personal data adopted by the Controller in order to comply with the legal requirements for the protection of personal data and to protect the rights of data subjects.
These measures consist of binding rules, recommendations or principles stemming from practices, internal procedures, organisational structures and IT security.
The purpose of this Policy is to ensure the confidentiality, integrity, availability and accuracy of personal data in the interests of data subjects at every stage of the processing of personal data. All employees must be aware of the risks associated with technical and information systems as well as with communication technology and must therefore exercise due care when processing personal data.
The measures described in this Policy are designed taking into account the state of the art in technology and the costs of implementation, the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons, and to ensure adequate data security in relation to the potential risks posed by the processing, in particular in the event of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The Controller shall comply with generally accepted rules on information security. At the same time this Policy is based on the premise that there is no such thing as absolute security and that ensuring information security is not a static state, but that security must continuously be improved and adapted to changing conditions. The measures are therefore a compromise between what is technically possible and what is feasible, with the latter depending on human resources and economic capacity of the Controller.
When processing personal data, the Controller shall comply with the general principles relating to the processing of personal data.
The Controller processes only personal data for which it has the appropriate legal grounds based on the provisions of ZVOP-1 and the General Data Protection Regulation.
Personal data may only be collected for specified and legitimate purposes and may not be further processed in a way that would render their processing incompatible with those purposes, unless otherwise provided by the relevant legislation.
When processing personal data, the Controller shall ensure that the personal data are:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up-to-date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, unless otherwise provided by law;
- processed in a manner which ensures their integrity and confidentiality and, in particular, that they are adequately protected against unauthorised or unlawful processing and against accidental loss, destruction or damage by adopting appropriate technical or organisational measures.
This Policy applies to all workers of the Controller, regardless of whether they are in an employment relationship with the Controller (hereinafter: "Worker"). The Policy is aimed in particular at those Workers who are directly or indirectly involved in the processing of personal data and in ensuring the security of information technology.
The terms used in this Policy shall have the meanings as derived from the ZVOP-1 in force and the General Data Protection Regulation.
III. Staff measures
Tasks and responsibilities regarding the processing of personal data that conflict with each other shall be assigned to different persons or departments, with the aim of identifying unauthorised or accidental changes to data as soon as possible.
The purposes and responsibilities for the processing of personal data are determined by the manager of the Controller and are recorded in the catalogues of the personal data files.
The manager of the Controller shall have final authority and responsibility for the proper implementation of this Policy.
Since processing of personal data by the Controller does not involve regular and systematic large-scale monitoring of natural persons and since the Controller does not process special categories of personal data and/or data relating to criminal convictions and offences, the Controller will not appoint a specific data protection officer.
Article 12
Any Worker acting under the authority of the Controller who has access to personal data shall not process such data without or outside the instructions of the Controller. All Workers who process personal data in the course of their work are obliged to implement the prescribed procedures and measures for data protection and to safeguard data of which they become aware or have become aware in the course of their work.
The obligation to protect data shall not cease upon termination of performing work for the Controller.
All Workers who process personal data in the course of their work must be familiar with the legislation on the protection of personal data and with the content of this Policy. To this end, the Controller will ensure that such Workers sign a special declaration on the protection of personal data, which indicates that they are aware of the provisions of this Policy and of the legislation on the protection of personal data.
In accordance with the accountability principle, the Controller will, where appropriate, provide suitable training on the protection of personal data to Workers who handle personal data.
In case of infringement of the provisions of this Article, the Workers shall be subject to disciplinary proceedings, action for damages and criminal prosecution. Infringement of the provisions of this Policy shall be considered a serious breach of the rights and obligations arising from the employment or other contractual (students, external contractors) relationship. In the event of such infringement, employees may be subject to fair dismissal for culpable misconduct or to extraordinary termination in the event of serious infringement, while other Workers may be subject to termination of the relevant contract of employment.
IV. Physical security and safe environment
Personal data and information systems must be adequately protected against theft, damage and adverse environmental effects.
The premises where personal data, copies of personal data and information systems are located must be fireproof (fire extinguishers), protected against spillage, flooding and electromagnetic interference within the prescribed climatic conditions, and locked.
All information systems that are critical to the Controller must be placed in a secure environment. This means that all premises where data carriers containing personal data as well as hardware and software are located shall be physically secured (e.g. locked, stored in a safe, etc.) to prevent unauthorised persons from accessing the data.
Such secure premises, or the entire building where personal data are stored, are equipped with a burglar alarm. Such measures shall allow for the actions of triggering an alarm and securing evidence.
Personal data must not be stored outside secure premises.
Secure premises must not be left unattended and they are to be locked in the absence of the Workers who supervise them. Outside working hours, the secure premises shall be locked and keys must be kept in accordance with the house rules. Keys shall never be left in the lock on the outside of the door.
Outside working hours, cabinets and desks with data carriers containing personal data must be locked, computers and other hardware switched off and physically or programmatically locked.
Workers must not leave data carriers containing personal data on desks when persons who do not have the right to consult them are present (the "clean desk policy").
When away from work, Workers must turn off or otherwise physically or programmatically lock their computer screen (the "clean screen policy").
Data carriers containing personal data that are located outside secure premises (e.g. in corridors, common areas) must be locked at all times.
In customer-facing areas, the location and orientation of data carriers and computer displays must be such as to prevent customers from viewing their content.
Maintenance staff, hardware and software operators, visitors and business partners are only allowed in the secured premises with the knowledge of the responsible Worker of the Controller.
V. Protecting the integrity and confidentiality of data at the time of reception and transmission
The Worker responsible for receiving and registering daily mail must hand over the postal item containing personal data directly to the individual or service to which it is addressed.
The Worker responsible for receiving and registering daily mail shall open and inspect all postal items and items arriving by other means at the Controller's premises, except those referred to in paragraph 1 of this Article.
The Worker responsible for receiving and registering daily mail shall not open wrongly delivered post that is addressed to another authority or organisation, or items marked as personal data.
The Worker responsible for receiving and registering daily mail shall not open items addressed to a Worker which state on the envelope that they are to be delivered personally to the addressee, or items which first state on the envelope the Worker’s personal name without indicating his official capacity and only after this state the address of the Controller.
Personal data is sent by registered mail or by in-person delivery by courier.
The envelope in which personal data are transmitted must be made in such a way that its contents are not visible in normal light or when the envelope is illuminated by a normal light. The envelope must also ensure that it cannot be opened and its contents examined without leaving a visible trace of the opening.
Personal data may be transmitted by information technology, telecommunications and other means only if appropriate procedures and measures are in place to prevent unauthorised persons from obtaining or destroying the data and from having unauthorised access to its contents.
In the case of electronic transmission of communications containing personal data, the Controller shall ensure that technical procedures are in place to prevent the interception, copying, alteration, redirection or destruction of the transmitted information. These procedures include encrypting the data in a ZIP file and protecting it with strong passwords of at least 12 characters. Passwords are not sent to users by email, but via another channel, such as SMS, which prevents an actor who has intercepted the email from intercepting the password as well.
VI. Ensuring the confidentiality, integrity and resilience of data processing systems and services
To prevent potential attackers from gaining access to highly sensitive information, the Controller establishes several security zones by various technical measures.
Users and IT services and systems shall be kept separately in networks. Development, test and operational environments shall also be kept separately.
Access controls shall be in place to ensure that only authorised persons can access the functions, programs and data of the information system.
Access to the software is secured by access control where only predefined Workers or external service providers have access to it.
The scope of access to information systems is limited to the rights necessary to carry out a specific task (e.g. edit (write) or consultation (read) rights, access denied). When granting access rights, the Controller follows the "need-to-know" principle, which means that users should not receive more rights than are necessary to perform their tasks or to access the data.
Each user is assigned a unique (personal) user name (user ID). This also applies to privileged access rights (e.g. for administrators).
All critical access attempts, and in particular failed access attempts, shall be logged to help in preventing a possible attack or security risk.
If a particular Worker changes his/her work position, his/her access rights must be re-assessed. In any case, access rights must be reviewed regularly.
If a Worker ceases to work for the Controller, all access rights issued must be withdrawn no later than at the end of the last working day. The same applies to all external service providers.
Hardware and system software, including I/O units, must be secured in a way that safeguards the integrity and confidentiality of data.
All personal computers on which personal data can be accessed shall be protected by a username and password.
Access to software that is installed on a computer and is used to access personal data shall be protected by a username and password different from the username and password used to log into the same computer.
The authorised person shall determine the rules regarding creating, storing and updating passwords.
All passwords and procedures used to access and manage the network of PCs (admin passwords), to manage e-mail and to manage application programmes shall be kept in sealed envelopes and protected against access by unauthorised persons. They should only be used in exceptional circumstances or in an emergency.
Maintenance, repair, modification and additions to the system and application software may only be carried out with authorisation and by authorised repairers, organisations and individuals who have a contract with the Controller. Contractors must document the modifications and additions to system and application software.
Employees are not allowed to install software without the knowledge of the person responsible for the operation of the computer information system, nor may they remove software from the premises without the authorisation of the head of the organisational unit and the knowledge of the person responsible for the operation of the computer information system.
The contents of the network server and local workstations' disks, where personal data is stored, are checked regularly and in real time for the presence of computer viruses.
All workstations and laptops and other equipment must be equipped with up-to-date anti-virus protection. All computers in the workplace must be protected with a combination of a local firewall and a local intrusion detection and prevention system. All laptops and other equipment must be protected by a local firewall.
Should the presence of a computer virus be determined, it shall be dealt with as soon as possible by an appropriate professional service, and the cause of the virus's presence in the computer information system shall be established.
All personal data and software intended for use in the computer information system that reach the Controller on data carriers or through telecommunications channels must be scanned for computer viruses before use.
If the user or administrator leaves the workstation or the latter is not currently actively used, a screen saver with password protection must be activated automatically within a certain time period.
On systems where this is technically possible, an automatic logout of the user takes place if no entries have been made within a defined time period.
It is not allowed to store personal data on laptop computers. Since the company stores personal data in the cloud, it is neither necessary nor allowed to store personal data on laptops.
Communication tools in the workplace such as printers, fax machines, copiers, etc. must also be protected against unauthorised access and manipulation.
The Controller must also take appropriate information security measures in the event of remote access.
VII. Ensuring the availability of data in the event of a physical or technical incident
Each data operation is logged in the system log files. The logging system must be set up by the administrator in accordance with the requirements and capabilities of the operating systems and applications.
The audit trail shall include the information needed to establish when individual personal data were entered in the database, used or otherwise processed or modified and by whom. All events must be time-stamped.
Personal data shall only be transmitted to those users who provide the appropriate legal grounds for it or the written request or consent of the data subject.
For each transmission of personal data, the beneficiary must submit a written application, which must clearly indicate the provision and the legal basis authorising the user to obtain the personal data or be accompanied by the written request or consent from the data subject.
Any transmission of personal data shall be recorded in a record of transmissions, which shall include the information about which personal data have been transmitted, to which address or to whom, when and on what basis. The entries in the record of data transmissions shall be kept in chronological order.
Original documents are never transmitted unless ordered in writing by a court. The original document must be replaced by a copy during its absence.
For the purpose of restoring the computer system in the event of failures and other exceptional situations, the contents of the network server and local stations, if the data are located there, shall be regularly backed up.
For data with a high availability requirement, a backup must be established on a regular basis so that the entire system can be restored to operational readiness in the event of a failure of one or more components.
It shall be ensured that even in the event of a system failure no critical information is lost.
Backup storage devices must be located in premises that meet the requirements of confidentiality, integrity and availability of the information concerned. This entails sufficient spatial separation between the backup storage devices and the source of backup (e.g. storage in other facilities).
It must be ensured that administrative staff have access to security media in case of emergency.
It is necessary to establish time limits for storage and for erasure of backup copies.
Information is archived in accordance with legal, contractual and business requirements.
It is necessary to establish the duration of retention of business-critical information and archival copies.
Archival data must be stored or kept in premises that meet the requirements of availability, integrity and confidentiality.
VIII. Regular testing, assessment and evaluation of measures
The Controller undertakes to regularly test, assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of the processing.
For this purpose, the Controller will check the lawfulness of the processing of personal data at least once a year. For the purpose of internal control, the Controller will review the logs relating to the personal data processing operations and consult with relevant information security experts.
IX. Storage period and erasure of data
The Controller shall ensure that the period for which the personal data are stored is limited to a strict minimum. To this end, the Controller shall prescribe, in the List of records, the time limits for erasure of personal data.
After the expiry of the storage period, the personal data shall be erased or permanently destroyed or anonymised, unless otherwise provided by law or another act.
The method of erasure used to delete data from computer media shall be such that it is impossible to restore all or part of the deleted data. The erasure must be complete and irreversible. In addition to the medium of such data, the data in the "Deleted" or "Recycle Bin" folder or other folder/directory of such kind must therefore also be destroyed so that the content can no longer be recovered.
Data on traditional media (paper documents, files, registers, lists, etc.) shall be destroyed in such a way that it is impossible to read all or part of the destroyed data.
Ancillary material (e.g. matrices, calculations and graphs, sketches, trial or failed print-outs, etc.) shall be destroyed in the same way.
It is forbidden to dispose of waste data carriers containing personal data in the regular trash cans.
When data carriers containing personal data are transferred to a destruction site, it is necessary to ensure that they are also adequately secured during the transfer.
X. Services provided by external legal or natural persons
The Controller may also entrust individual data processing operations to an external legal or natural person (hereinafter: "Processor") which must provide sufficient guarantees to implement appropriate technical and organisational measures for the protection of personal data. A Processor providing agreed services outside the Controller's premises must have at least the same level of protection of personal data as provided for in this Policy.
In such a case, the Controller and Processor shall enter into a written contract governing the contractual carrying-out of processing of personal data, setting out the rights and obligations of both parties. Such a contract must necessarily lay down the conditions and measures to ensure the protection and safeguarding of personal data and the conditions binding the Processor to the Controller. This also applies to Processors who maintain hardware and software and build and install new hardware or software.
Under such an agreement, the Processor may only carry out, on behalf and for the account of the Controller, the agreed tasks relating to the processing of personal data in the Controller's possession. The Processor may not process or otherwise use the data for any other purpose.
XI. Reporting in the event of a security incident
The Controller shall establish a consistent and effective system for handling security incidents that also allows for the documentation of security incidents and for security incident notification.
For this purpose, the Controller shall establish an information system that offers monitoring and event identification capabilities (e.g. firewall, intrusion detection, surveillance system). Information systems must further allow for the documentation of all safety-relevant or system-critical events. The person responsible for monitoring these records is Mitja Primožič.
All Workers are obliged to immediately inform Mitja Primožič of any activity involving the discovery or unauthorised destruction of confidential data, malicious or unauthorised use, appropriation, inaccessibility, alteration or corruption of data, and to attempt to prevent such activity themselves.
The Controller shall record any personal data breach in a security incident log, which shall contain the information relating to the personal data breach, the effects of the personal data breach and the corrective measures taken.
All security incidents shall be recorded into the security incident log in chronological order, regardless of the level and type of risk to the rights and freedoms of natural persons. In particular, the Controller shall record breaches of data confidentiality (e.g. unauthorised disclosure of data), breaches related to access to data and breaches of data integrity (e.g. unauthorised alteration of data).
If a personal data breach is likely to compromise the rights and freedoms of natural persons, the Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the competent supervisory authority of the personal data breach, in accordance with Article 33 of the General Data Protection Regulation.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall, in accordance with Article 34 of the General Data Protection Regulation, communicate the personal data breach to the data subject without undue delay.
XII. Final provisions
All amendments and supplements to this Policy shall be adopted in the same manner as the Policy and in writing.
The Policy shall enter into force on the eighth (8th) day after its adoption and publication by the manager of the Controller.
The Policy shall be published in the manner usual with the Controller, in such a way that all Workers of the Controller may become acquainted with its contents.
This Policy shall be available for consultation to all Workers at the Human Resources Office of the Controller during working hours. Workers shall be given the possibility to acquaint themselves with the contents of this Policy without supervision.
In Ljubljana, on 1 April 2019
Rol Group d.o.o.
Mitja Primožič, Managing Director