OF THE COMPANY TIVOLI d.o.o.
The company pays particular attention to the security of your personal data. All personal data provided to the company is treated confidentially and used only for the purpose for which it was provided. We manage your personal data with the utmost care, complying with applicable legislation and the highest standards of processing. Among other things, we ensure the security of your personal data through appropriate organizational measures, work processes and advanced technological solutions, as well as external experts, in order to protect your personal data as effectively as possible. We use the appropriate level of security and reasonable physical, electronic and administrative measures to protect the collected data against unintentional or unlawful destruction, loss, alteration, unauthorized disclosure of personal data or against unauthorized access to personal data that has been transferred, stored or otherwise processed.
of your personal data.
• company contact information
• the purposes, bases and types of processing of the different types of personal data of Data Subjects
• retention time of individual types of personal data
• the rights of Data Subjects with regard to the processing of their personal data
• the right to lodge a complaint concerning the processing of personal data
2) Personal data collected by the company
If you are merely a visitor to our website, we only collect your data by using cookies. If you use or order the services provided by our company such as the Apartment Finder for the luxury apartments, we also collect other personal data about you necessary for the performance of the services ordered or used. This personal data is:
- name, surname, phone number, e-mail, tax number, personal identification number, bank account number
3) The personal data controller
4) Categories of Data Subjects whose personal data is processed
5) The purposes of data processing and the basis for data processing
5.1. Contract based processing:
Within the exercise of contractual rights and performance of contractual obligations, the company processes your personal data for the following purposes: identification of the data subject, preparation of the offer, conclusion of the contract, provision of the services ordered, notification of any changes, additional details and instructions for the use of the services, resolution of any technical issues, objections or complaints, billing for services, and other purposes necessary to perform or enter into a contractual relationship between the company and the data subject.
When billing for services based on tax regulations, we also collect and process your address to be able to correctly issue the invoice.
5.2. Legislation-based processing:
Based on a legitimate interest, we use your personal data to detect and prevent fraudulent use and abuse of services, and further to ensure stable and secure functioning of our system and services, as well as for the purposes of implementing data security measures, complying with quality requirements and detecting any technical failures of the systems and services.
Based on a legitimate interest, we also use your personal data for the purposes of potential enforcement, or judicial and extrajudicial recovery.
In accordance with the General Regulation, in case of suspected abuse, the company may process to a reasonable and proportionate extent the Data Subjects’ data for the purpose of identifying and preventing possible fraud or abuse and may, where appropriate, forward this information to other service providers, business partners, the police, the prosecutor-general or other competent authorities. For the purpose of preventing future abuse or fraud, data on the history of identified abuse or fraud in connection with a data subject, such as subscriber information and, for example, IP address, may be stored for up to five years after the termination of the business relationship.
5.3. Consent-based personal data processing:
Data processing may also be based on your consent provided to the company.
Withdrawal or modification of consent only applies to the data processed on the basis of your consent. The valid consent is your latest consent given to us. The possibility of withdrawal of consent does not constitute a waiver in the data subject’s business relationship with the company.
The data for which your consent has been given is processed until withdrawn. Upon receipt of the withdrawal, your personal data will be deleted under the conditions, in the manner and within the time limit explained in point 8.
6) Restrictions on the transmission of personal data
As necessary, we will authorize other companies and individuals to perform certain work that adds to our services. In such an instance, the company may also provide personal data to such carefully selected external processors who enter into an agreement with the company for the processing of personal data or a substantially identical agreement or other binding document (hereinafter referred to as the Processing Agreement). We will only transmit or make such data available to external processors to the extent required by a specific purpose. This data may not be used by an external processor for any other purpose, and external processors must meet at least all the standards of personal data processing provided by applicable legislation. External processors are contractually obligated to respect the confidentiality of your personal data.
Based on a reasoned request and a suitable legal basis, the company also provides personal data to competent national authorities. TIVOLI d.o.o. will, for instance, respond to requests from courts, law enforcement agencies and other national authorities, which may also include national authorities of another EU Member State.
7) Period of retention of personal data
The retention period is determined by the category of the data concerned. We store the data for as long as is necessary to achieve the purpose for which it was collected or further processed, or until the expiry of the limitation periods for meeting obligations or of the statutory retention period.
Billing information and associated contact details of Data Subjects may be retained for the purpose of fulfilling their contractual obligations until full payment of the service, or until the expiry of the limitation period in respect of a certain claim, which, by law, may be between one and five years. Invoices are retained for 10 years after the end of the year to which the invoice relates, in accordance with the law governing value added tax.
We retain other data collected on the basis of your consent for the duration of the business relationship and for 2 years after it ends, unless the law prescribes a longer retention period. If a data subject who has consented to the processing of personal data has not entered into a business relationship with us, his or her consent is valid for 2 years from the date of its submission or until its withdrawal. After the retention period has expired, the data is deleted, destroyed, blocked or anonymized, unless otherwise demanded by law for each type of data.
8) The rights of the Data Subjects in relation to the processing of personal data
We guarantee the exercise of your rights in relation to the processing of your personal data without undue delay. We will respond to your request within one month of receiving it. If your request is complex or you have submitted multiple requests, we may extend this deadline by up to two additional months. If the deadline is extended, you will be notified of any such extension within one month of receipt of your request, along with the reasons for the delay.
We accept requests regarding the exercise of your rights by email to firstname.lastname@example.org or by post to TIVOLI d.o.o., Železna cesta 18, 1000 Ljubljana.
If your request is submitted by electronic means, we provide information, if possible, by electronic means, unless you request otherwise.
Where there is a reasonable doubt as to the identity of the data subject making the request in respect of any of their rights, we may require provision of additional information necessary to confirm the identity of the data subject.
We provide the following rights regarding the processing of your personal data:
(i) the right of access to the data
(ii) the right to rectification
(iii) the right to erasure (the “right to be forgotten”)
(iv) the right to restrict processing
(v) the right to data portability
(vi) the right to object
(i) The right of access to the data
You always have the right to know whether personal data relating to you is being processed and, if so, the right to access that personal data and the following information:
• the purpose of processing
• the types of personal data being processed
• the users or categories of users to whom personal data has been or will be disclosed
• the estimated period of retention of personal data or, where this is not possible, the criteria used to determine such a period
• the existence of the right to demand the controller to rectify or delete personal data or to restrict the processing of your personal data, or the existence of the right to object to such processing
• the right to lodge a complaint with the supervisory authority
• where personal data is not collected from you, all available information regarding its source
(ii) The right to rectification
You have the right to have inaccurate personal data concerning you corrected without undue delay and, having regard to the purposes of the processing, the right to supplement incomplete personal data, including by submitting a supplementary declaration.
(iii) The right to erasure (the “right to be forgotten”)
You have the right to have your personal data deleted without undue delay when one of the following reasons applies:
• when the personal data is no longer required for the purposes for which it was collected or otherwise processed
• when you withdraw your consent on the basis of which the processing takes place, and no other legal basis for the processing exists
• when you object to the processing of your data, and no overriding legitimate reasons for the processing exist
• when the personal data has been unlawfully processed
• when the personal data must be deleted in order to fulfil a legal obligation in accordance with EU or Slovenian legislation
(iv) The right to restrict processing
You have the right to have the processing of your personal data restricted when one of the following instances applies:
• when you dispute the accuracy of the data for a period that allows us to verify the accuracy of the personal data
• when the processing is unlawful and you oppose the erasure of your personal data and instead request restriction on its use
• when we no longer require your personal data for processing purposes, whereas you need it to enforce, execute or defend legal claims
• if you have lodged a complaint against processing based on the legitimate interests of the company, until it is verified that our legitimate reasons outweigh your reasons
When the processing of your personal data has been restricted in accordance with the preceding paragraph, such personal data, with the exception of its storage, shall only be processed with your consent, or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.
We are obliged to inform you before the restriction on the processing of your personal data is lifted.
(v) The right to data portability
You have the right to receive your personal data which you have provided to us in a structured, commonly used and machine-readable form, and the right to pass this data to another controller without the company hindering you when processing is based on your consent and performed by automated means. At your request, where technically feasible, personal data may be transferred directly to another controller.
(vi) The right to object
When your data is processed on the basis of legitimate interest for marketing purposes, you may object to such processing at any time.
We cease processing your personal data unless we demonstrate compelling reasons for processing that outweigh your interests, rights and freedoms, or unless the processing is required for the establishment, exercise or defence of legal claims.
9) The right to lodge a complaint concerning the processing of personal data
Any complaint regarding the processing of your personal data may be sent by email to email@example.com or by post to TIVOLI d.o.o., Železna cesta 18, 1000 Ljubljana.
If we do not respond to your request within the statutory time limit or reject your request, you have the possibility to lodge a complaint with the Information Commissioner.
You also have the right to lodge a complaint directly with the Information Commissioner if you believe that the processing of your personal data violates Slovenian or EU data protection regulation.
If you have exercised your right of access to the data and after the decision is made you believe that the personal data you have received is not the personal data you have requested or that you have not received all the requested personal data, you may, before lodging a complaint with the Information Commissioner, lodge a reasoned complaint with the company within 15 days. We must respond to your complaint as a new request within five business days.
10) Final provisions
Contact person responsible for enforcing GDPR:
Dunajska cesta 156
Dr. Miha Dvojmoč
on 5th February 2020.