Personal Data Protection Policy
INTRO INFORMATION
DATA CONTROLLER
DEFINITION OF TERMS
PERSONAL DATA PROCESSING
Types of Personal Data Collected
Legal Basis
Purposes of Processing
How Long We Store Your Personal Data
PERSONAL DATA PROTECTION
TRANSFERRING PERSONAL DATA
COOKIE POLICY
WEB PLUGINS AND ACCESS TO SOCIAL NETWORKS
RIGHTS OF DATA SUBJECTS
Contact
Datalab Tehnologije, d.d.
Hajdrihova ulica 28c
SI-1000 Ljubljana
T (01) 252 89 00
F (01) 252 89 10
info@datalab.si
www.datalab.eu
1. INTRODUCTORY INFORMATION
Datalab respects your privacy and thoroughly protects your personal data
This Personal Data Protection Policy (hereinafter referred to as the Policy) sets out how we collect your personal data, the purposes for which we collect it, the security measures we take to protect it, the persons with whom we share it, and your rights regarding the protection of your personal data.
This Policy applies to:
- All users of the website datalab.si (hereinafter referred to as the website) or other web servers in the datalab.si and datalab.eu domains.
- The subscription and performance of subscription contracts for services offered by Datalab.
- The organization and performance of events held by Datalab Academy, including the handling of registration for such events.
- Registration for webinars conducted by Datalab Academy, including the processing of such registrations.
- Subscription to blog news.
- Subscription to notifications about new developments in our offers and event organization.
- Inquiries about offers, by phone, email, printed forms, or online forms.
- Downloads of any documents published on our website.
- The use of social media platforms.
- The use of any technical support or service offered by Datalab on its websites.
- The use of our online shop.
Datalab acts as a contractual processor in relation to users of the services it offers (e.g., PANTHEON Software Suite). In these cases, Datalab processes personal data on behalf of and for the account of the controller and in accordance with the provisions of the Personal Data Processing Contract, which is attached as Appendix 1 to this Policy and constitutes a contractual agreement in accordance with the third paragraph of Article 28 of the GDPR. For all questions regarding the protection of personal data, service users should contact their employer (the personal data controller) who is responsible for the processing of their personal data.
2. DATA CONTROLLER
This Policy applies to all personal data collected and stored about you by Datalab Tehnologije, d.d., Hajdrihova ulica 28c, 1000 Ljubljana, and Datalab SI d.o.o., Hajdrihova ulica 28c, 1000 Ljubljana (hereinafter referred to as “Datalab,” “we,” “us”).
As the personal data controller, Datalab is responsible for processing and storing your personal data.
Should you have any questions regarding the use of this Policy or the exercise of your rights under this Policy, please contact us at any of the contacts below:
- info@datalab.eu,
- 01 25 28 900,
- Datalab Tehnologije, d.d. / Datalab SI d.o.o., Hajdrihova ulica 28c, 1000 Ljubljana, with the note “Personal data protection”.
3. DEFINITION OF TERMS
Here you will find explanations of the basic terms used in our Policy.
Each term defined below has a purpose within this Policy as defined in this section.
Personal data refers to any information from which an individual can be identified (e.g. first name, last name, email address, telephone number, etc.).
Controller refers to the legal person who determines the purposes and means of the processing of your personal data.
Processor refers to the legal or natural person who processes personal data on behalf of the controller.
Processing refers to the collection, storage, access and any other use of personal data.
EEA stands for the European Economic Area, which includes all the Member States of the European Union, Iceland, Norway and Liechtenstein.
4. PERSONAL DATA PROCESSING
Datalab processes your personal data solely on the basis of clearly stated purposes, securely and transparently.
We collect your personal data when you provide it to us (e.g., through the use of our website, ordering our services, registering for our events or webinars, through inquiries by email, phone, or in writing to our address, or in any other way in which you provide us with your personal data).
We also obtain your personal data from publicly accessible data records (such as AJPES), to which we have legal access and which we use in accordance with their purpose.
We also obtain your personal data through the use of cookies on our website. You can read more about our use of cookies in Section 7 of this Policy.
4.1. Types of personal data we collect
Datalab may collect the following information or types of information about you:
- Basic personal data (first name, last name).
- Basic contact data (telephone number, e-mail address).
- Basic data about the company you work for (company name, function you perform in the company, number of employees).
- Basic data about your subscription to Datalab services (type of license, date of purchase).
- Information about your computer (IP address, type of device, type of browser), information about your use of our website (content viewed, time spent on our website, what you clicked on) and information about your response to our emails.
- Information about the Datalab partner company with which you are working (for more information about partner companies, please refer to Section 6 of this Policy).
- Information we need in order to carry out the delivery of the goods you have ordered (address, postcode, location).
At Datalab, we carefully observe the principle of data minimization as provided for by law and therefore only collect data that is relevant, adequate and limited to what is necessary for the purposes for which it is processed. The purposes for which we collect personal data are set out in Section 4.3 of this Policy.
4.2. Legal basis for personal data collection and processing
In accordance with the legislation governing the protection of personal data, we may process your personal data on the following legal bases:
- Where the processing of your personal data is necessary for the fulfilment of a contract to which you have subscribed.
- Where you have given your consent to the processing of your personal data for a specific processing purpose, where you always have the right to withdraw your consent.
- Where Datalab has a legitimate interest in processing your personal data (where we process data on the basis of a legitimate interest, we will explicitly define this within this Policy).
- Where it is absolutely necessary for the fulfilment of certain obligations imposed on us by law (this includes, in particular, the data we hold for tax purposes).
The only mandatory provision of personal data is that which we collect as required by law.
The provision of personal data that we need to fulfill the agreement is voluntary. Please note that if you do not provide us with all the personal data we need to perform the service we offer (e.g., concluding an agreement, registering for a webinar, etc.), we will not be able to provide such services.
The provision of consent is always voluntary and without any negative consequences. Please note, however, that we will not be able to provide certain services (such as e-notifications and tailoring advertising to your needs) without your consent or after you have withdrawn your consent.
4.3. Purposes of processing
Datalab will only process your data for specified, explicit and legitimate purposes. We undertake not to process your personal data in a way that is incompatible with the purposes set out in this Policy.
The purposes for which we may use your personal data are set out below. Datalab may use your personal data for one or more of the specified purposes.
The purposes for which we will use your personal data are as follows:
- Communicating with you regarding the provision of our services and responding to your questions (this includes, in particular, notifications regarding the PANTHEON software suite, responding to your inquiries submitted online or on printed forms, and completing satisfaction surveys).
- Conclusion of a contract and fulfilment of the obligations arising from the concluded contract. This includes, in particular, the execution of registrations and orders placed via our website (in this way we can ensure your successful registration for our events, webinars and enable the execution of orders, such as e-Business, orders in our online store). We process all the personal data that we process in relation to orders placed in our online store for the purpose of concluding and executing the contract that has been concluded with you. In the event that you do not provide us with all the data necessary for the execution of the order, we reserve the right to postpone or cancel the order.
- For marketing communication purposes (this includes notifications about new services or upgrades to existing services and events organized by Datalab, as well as subscription to our blog news).
- For tailored marketing communication purposes. The use of certain personal data helps us tailor our communications with you so that they are as interesting and useful to you as possible. Based on certain personal data, we classify individuals into groups, which means that each group thus created receives marketing messages with different content from us. When classifying individuals, we also monitor their activity. We will only carry out marketing communication with tailored or individualized offers based on your expressly given consent.
- To exercise any legal claims and resolve disputes. Personal data may be disclosed to protect our business and to exercise and/or protect our rights.
We will only disclose your personal data in the manner and under the conditions set out by law.
- For statistical analysis purposes. To improve the user experience, we analyze the use of our website, the manner and frequency of use of our software, which represents our legitimate interest in maintaining and/or improving the user experience and/or software performance, and thus your and our business success.
- Transfer of personal data to third parties. We will only transfer personal data to third parties specified in Section 6. We will only disclose your data when justified by our legitimate interest in ensuring secure and lawful business operations and fulfilling legal obligations (such as tax obligations, which may include disclosing your personal data to tax authorities). An exception to this are contractual partners that we use for remarketing purposes; in this case, we will only disclose your personal data on the basis of your express consent.
You have the right to withdraw any processing of your personal data based on your consent at any time. You can withdraw your consent by contacting us at any of the contact points set out in Section 2 of this Policy.
4.4. How long we keep your personal data
We store your personal data in accordance with applicable law and (i) only for as long as is necessary to achieve the purposes for which we process the data, or (ii) for the period prescribed by law (e.g., 10 years for the storage of issued invoices), or (iii) for the period necessary to fulfill the contract, which includes warranty periods and periods during which it is possible to assert any claims based on the concluded contract (e.g., 5 years from the fulfillment of contractual obligations).
We retain personal data collected on the basis of your consent permanently or until you withdraw your consent (please see Section 9 of this Policy for more information on how to withdraw your consent). We will delete data collected on the basis of consent prior to your withdrawal in the event that the purpose for which the data was collected has been achieved.
Personal data for which the retention period has expired (e.g. because the purpose for which it was collected has been fulfilled, because the statutory time limit has expired, etc.) will be erased, destroyed or anonymized in such a way that reconstruction of the personal data is no longer possible.
If you require any further information regarding the retention period of your personal data, please contact us using any of the contact details set out in Section 2 of this Policy.
5. PERSONAL DATA PROTECTION
To protect your personal data, Datalab has implemented appropriate technical and organizational measures, including in particular:
- Regular and effective updating of software and hardware where we store your personal data.
- Protection of access to your personal data.
- Making backups.
- Training of employees who process personal data at work.
- Informed and diligent action in the selection of processors of your personal data.
- Supervision of employees and other processors of your personal data, including the performance of audits.
- Supervision and appropriate action in the event of security incidents, preventing or limiting damage to personal data.
- Other measures prescribed by security standards (e.g., ISO/IEC 27001:2022 and others) applied by our company.
Datalab protects your personal data from unlawful or unauthorized processing and/or access, as well as from accidental loss, destruction, or damage. We implement all measures taking into account our technological capabilities (including the costs of implementing certain measures) and an assessment of the impact on your privacy.
In the event of a personal data breach, Datalab will notify the competent supervisory authority of each such breach without delay. The competent supervisory authority in the Republic of Slovenia is the Information Commissioner.
In the event of suspected criminal activity, Datalab will also report violations to the police and the competent state prosecutor’s office.
In the event of a data breach that could pose a high risk to the rights and freedoms of individuals, Datalab will notify you of such an event without delay.
6. TRANSFERRING PERSONAL DATA
We may disclose or grant access to your personal data to the third parties specified below, solely for the purposes for which the data was collected. Any recipient with whom we share personal data may only process the data for the purposes for which it was collected. All recipients are also obliged to comply with applicable legislation and the provisions of this personal data protection policy.
We may transfer your personal data to:
- The subsidiaries of Datalab.
- Business partners who help us provide certain services: These primarily include advertising and marketing agencies, as well as LogMeIn, Inc. and ISL Group, which help us organize registrations for our webinars. For remarketing purposes, we use Google AdWords and Google Analytics services, as well as Facebook Ads, which help us show you ads that are relevant to you. Our certifications are managed by the Moodle application of the University of Maribor.
- Other contractual partners that take care of Datalab’s needs (accounting services, law firms, etc.).
- Partner companies that help us provide our services (e.g., data center providers).
- When required by law (e.g., tax authorities, courts, etc.).
In exceptional cases, we may transfer your personal data to third parties (as defined above) outside the European Economic Area (EEA), where we or the third party may process that data. For each transfer outside the European Economic Area, we will take specific additional measures to ensure the adequate security of your personal data.
Such measures primarily include agreements with third parties on the establishment of binding rules in the field of personal data protection, verifying whether there are approved certification mechanisms that meet our personal data protection standards, and concluding appropriate contractual obligations governing personal data protection.
7. COOKIE POLICY
What are cookies?
Cookies are small text files that most websites store on the devices that users use to access the internet, in order to identify the individual devices that users have used to access the internet. Their storage is under the complete control of the user’s browser – which can restrict or disable the storage of cookies if desired. Cookies are not harmful and are always time-limited.
We use cookies to provide user-friendly online services, improve the user experience and monitor visit statistics.
Why are they used?
They are fundamental for providing user-friendly online services. Cookies make the interaction between the web user and the website faster and easier. They help the website to remember the individual’s preferences and experience, saving time and making browsing more efficient and user-friendly.
Some concrete examples of how cookies are used:
- To improve the user experience of a website, we tailor the display of content to visitors based on past visits.
- To store choices when creating device shortlists and offers and to compare them.
- To recognize your device (computer, tablet, mobile phone), which allows the display of content to be adapted to your device.
- To monitor visits to check the effectiveness of content display and the relevance of ads and to continuously improve websites.
Cookie list:
- Strictly necessary:
These cookies enable the use of essential components for the proper functioning of the website. Without these cookies, the services you wish to use on this website would not function properly.
- Experience
These cookies collect information about how users behave on the website in order to improve the user experience (e.g., which content on our website you visit most often). These cookies do not collect information that could identify the user. However, they ensure that the use of the website is a pleasant experience.
- Functional
These cookies allow the website to remember some of your preferences and choices (e.g., language, region) and provide advanced, personalized features. These types of cookies may allow us to track your actions on the website.
- Advertising or targeted cookies
These cookies are most commonly used by advertising and social networks (third parties) to show you more targeted ads, limit ad repetition or measure the effectiveness of advertising campaigns. These types of cookies may allow us to track your actions online.
Cookie control
The choice whether to use cookies is yours. You can always remove cookies to remove your visibility online. You can also set most browsers not to store cookies.
For information on the options for each browser, we suggest you check your settings.
We use cookies on our website to help us improve and optimize our website and provide you with a better user experience.
Cookies are simple text files that some websites store on your computer via your browser and store certain non-personal data.
The use of cookies allows us to tailor individual web content to make it more appealing to the individual. In addition, we also perform website usage analyses, which enable us to improve and edit our website to make it more user-friendly.
Some cookies are essential, as without them the website cannot function properly, but you can refuse all other cookies. We provide strictly necessary cookies to store statistical data on the use of our website and to store information necessary to complete the contact forms offered on our website.
In addition to the strictly necessary cookies, we also use other cookies on our website that enable us to better understand our users and provide you with customized advertising based on the data collected. Refusing to use cookies may result in certain content or functions of the website not being available (this mainly includes customizing the website to make it more interesting and attractive to the user).
An overview of all cookies can be found in the table at the end of this section.
In addition to our own cookies, we use the following cookies from cookie providers on our websites (third-party cookies): Google Analytics, Google Ads, Display Advertising extension for Google Analytics (all cookies listed are managed by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA), Hotjar, ActiveCampaign (cookies are managed by ActiveCampaign, LLC, North Dearborn Street, 5th Floor, Chicago, IL 60602), AdRoll (cookies managed by AdRoll Inc., 972 Mission Street, San Francisco, CA 94103), Facebook Custom Audience and Facebook remarketing (cookies managed by Facebook Inc., 1 Hacker Way, Menlo Park, CA 9420).
You can reject all of the above third-party cookies or delete them from your browser at any time.
- To delete Google Analytics cookies, set your browser to refuse cookies with the domain “pum”.
- To delete Google Ads cookies, set your browser to refuse cookies with the domain “www.datalab.si”.
- To delete Display Advertising extension for Google Analytics cookies, set your browser to refuse cookies with the domain “__or_v4”.
- To delete Hotjar cookies, set your browser to refuse cookies with the domain “_hjIncludedInSample”.
- To delete ActiveCampaign cookies, set your browser to refuse cookies with the “_form_” domain.
- To delete AdRoll cookies, set your browser to refuse cookies with the domain “_te_”.
- To delete Facebook Custom Audience and Facebook Remarketing cookies, set your browser to refuse cookies with the domain “facebook”.
Users are advised that the above providers may collect certain personal data that is not related to the collection of data by Datalab. Any such separate collection of personal data is not covered by this Policy, but is defined in the privacy policies of each cookie provider.
For more information on the personal data protection of third-party cookies, please refer to the privacy policies of each third-party cookie provider:
- Google – privacy policy,
- Hotjar – privacy policy,
- ActiveCampaign – privacy policy,
- AdRoll – privacy policy,
- Facebook – privacy policy.
Datalab uses certain third-party widgets on its website, namely Facebook and LinkedIn. For this purpose, both providers use cookies, which you can turn off in your browser. However, the rules for the use of these widgets are defined in the security policies of each provider, which can be found at the links above.
| Cookie | Description |
| --- | --- |
| PHPSESSID | Set by PHP; contains a session ID and lasts until the end of the session (until the browser is closed). It is required for the website to function and does not contain any personal data. |
| _ga, _gat | Set by Google Analytics to record website visits (details). Some last until the end of the session, while others remain for a longer period. They are not mandatory and do not contain any personal data. |
| complianceCookie | Informs you that the website uses cookies. It lasts for 14 days and ensures that the notice is not shown again during this period. |
8. WEB PLUGINS AND ACCESS TO SOCIAL NETWORKS
Our website uses a YouTube plugin (operated by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA), which is operated by Google. If you visit content on our website that contains a YouTube plugin, a connection to YouTube’s servers is established, which means that YouTube is aware of your visit to our website.
You can find out more about how YouTube handles user data on their website.
Datalab also uses social media such as Facebook, Instagram, and LinkedIn in its operations. Each social media platform operates in accordance with its own terms of use and policies governing the handling of its users’ personal data. We would like to remind users that they are responsible for any posts on social media and that each user is obliged to address any questions or claims to the individual social media network.
Datalab assumes no responsibility for the activities of third parties on social media.
9. RIGHTS OF DATA SUBJECTS
You have the following rights regarding the processing of your personal data, which are described below:
9.1. Access to personal data: You can request information from Datalab about whether it processes personal data about you and, if it does, you can request access to the personal data and information about the processing (what data is processed and where the data originates from).
9.2. Correction of personal data: You may request Datalab to correct or amend incomplete or inaccurate data that we process about you.
9.3. Limitation of processing of personal data: You may request Datalab to restrict the processing of your personal data (e.g. when your personal data is being checked for accuracy or completeness).
9.4. Deletion of personal data: You can request Datalab to delete your personal data (we cannot delete personal data that we hold because of a legal requirement or a contractual relationship).
9.5. Personal data extract: You may request Datalab to provide you with the personal data you have provided to us in a structured, commonly used and machine-readable format.
9.6. Withdrawal of consent: You have the right to withdraw your consent at any time with respect to the use of your personal data that we collect and process on the basis of your consent. Consent may be withdrawn in any of the ways set out in Section 2 of this Policy. Withdrawal of consent does not have any negative consequences; however, it is possible that Datalab may no longer be able to provide certain services to you as a result of the withdrawal.
9.7. Objection to the processing of personal data: You have the right to object to the processing of your personal data when it is processed for direct marketing purposes or for the transfer of your personal data to third parties for direct marketing purposes. You may also object to the processing when we use your data for direct marketing purposes using customized or individual offers (“profiling”). You may submit your objection in any manner specified in Section 2 of this Policy.
9.8. Right to data portability: You have the right to request a copy of the personal data you have provided to us. We will provide you with the data in a structured, commonly used, and machine-readable format. You are entitled to transfer this data to another controller of your choice. Where technically feasible, you may request that your personal data be transferred directly to another controller.
You may exercise all rights by contacting us through any of the channels set out in Section 2 of this Policy. These contacts are also available in case you need any further information regarding your rights.
If you believe that your rights to personal data protection have been violated, you have the right to file a complaint against us with the Information Commissioner, which is the competent supervisory authority for personal data protection.
Datalab ensures that the personal data we process is up to date and complete. Please notify us of any changes to your personal data as soon as possible at info@datalab.si or by phone at 01 25 28 900. We will correct or supplement your personal data as soon as possible.
Datalab reserves the right to request certain personal data from you (such as your first name, last name, and email address) for the purpose of identifying you if you exercise any of the rights set forth in this section.
10. FINAL PROVISIONS
Datalab may amend this Policy. In the event of any changes, we will notify you in advance. You are deemed to have agreed to the new version of this Policy if, after the new version of this Policy comes into effect, you continue to use our website and other services defined by this Policy.
APPENDIX 1: CONTRACT FOR THE PROCESSING OF PERSONAL DATA
Article 1
PURPOSE AND LEGAL BASIS
This Contract for the Processing of Personal Data (hereinafter: “Contract”) is concluded in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter: “GDPR”) and the Personal Data Protection Act (ZVOP-2, Official Gazette of the Republic of Slovenia, No. 163/22, 40/25 – ZInfV-1).
The Contract regulates the relationship between:
- Datalab SI d.o.o., as a service provider that processes personal data on behalf of the client in the course of providing its services (hereinafter: “Processor”), and
- the service client, who determines the purposes and means of processing personal data (hereinafter: “Controller”), collectively also: “Contracting Parties”.
The mutual relations between the Contracting Parties are defined in the contracts concluded between the Controller and the Processor and in the general and special terms of the Processor, available at: https://www.datalab.si/pogoji-in-pogodbe/, all of which together form the Subscription Agreement (hereinafter: “Subscription Agreement”).
This Contract is concluded in accordance with the third paragraph of Article 28 of the GDPR for the purpose of defining the conditions and rules for the processing of personal data, measures for their protection, and the rights and obligations of the contracting parties in relation to the processing of personal data of individuals, which the processor performs on behalf of the controller within the framework of the Subscription Agreement.
The provisions of this Contract shall apply in conjunction with the provisions of the contracts and the aforementioned terms governing the Subscription Agreement and shall be interpreted in conjunction with each other.
Article 2
RIGHTS AND OBLIGATIONS OF THE CONTROLLER AND PROCESSOR
- a) Legal basis of the Controller
The Controller shall ensure that it has a permissible legal basis for the processing of all personal data that will be processed on the basis of this Contract.
- b) Ensuring Processor compliance
The Processor guarantees that it is registered to perform the activities specified in Article 1 of this Contract, and guarantees to the Controller that, during the processing of personal data under this Contract, it will implement appropriate technical and organizational measures to ensure the security of personal data and the full compliance of the tasks undertaken with the applicable law.
- c) Access to personal data
The Processor shall only grant access to personal data processed on behalf of and for the account of the Controller to persons under its control who have undertaken confidentiality obligations or are subject to appropriate legal obligations of confidentiality and only to the extent necessary for the performance of their tasks.
- d) Reporting breaches
In the event of a personal data breach, the Processor shall, without undue delay, after becoming aware of the breach, formally notify the Controller of the personal data breach in accordance with Article 33 of the GDPR.
- e) Shared responsibility for ensuring safety
The Controller and Processor shall ensure appropriate procedures and measures for the security of personal data as set out in Article 32 of the GDPR.
- f) Fulfilment of legal obligations
Under this Contract, both Contracting Parties shall be responsible for fulfilling their obligations as controllers or processors in accordance with the legislation applicable in the field of personal data protection.
Article 3
VALIDITY OF THE CONTRACT AND STORAGE OF PERSONAL DATA
This Contract shall be concluded for the duration of the Subscription Agreement between the Contracting Parties.
In the event of termination or cancellation of business cooperation, regardless of the reason, the Processor must:
- Return to the Controller, without undue delay, all personal data that it processes on its behalf.
- Delete or destroy all existing copies of this data, unless its storage is required by applicable law.
Article 4
NATURE AND PURPOSE OF PERSONAL DATA PROCESSING
The Processor processes personal data exclusively for the purpose of performing services within the framework of the Subscription Agreement between the Processor and the Controller. This includes, for example:
- Implementation
- Providing technical support
- Maintenance services
- Fixing bugs in services
- Cloud data storage
The list is not exhaustive and may be supplemented with other services that are necessary for the performance of obligations under the Subscription Agreement, in accordance with the Controller’s instructions.
In the context of processing personal data, the Processor performs the following processing operations, which include but are not limited to:
- Collection
- Storage
- Organization and structuring
- Backup
- Viewing, analyzing, supplementing, or correcting
- Printing
- Other forms of processing necessary for the performance of obligations arising from the Subscription Agreement.
The Processor shall process personal data referred to in this Article exclusively on the basis of the Controller’s instructions, in accordance with applicable personal data protection legislation.
Article 5
TYPES OF PERSONAL DATA
The Processor processes only those personal data to which it gains access when performing services based on a Subscription Agreement.
Categories of personal data may include, for example:
- Identification data (e.g., first name, last name, address, e-mail address, telephone number, personal identification number, citizenship, vehicle registration number, data on family members, bank account number, etc.).
- Employment data (e.g., personal data from employment contracts and related documentation—job position, salary, date of employment, etc.).
- Other personal data that users themselves enter into the system or that the Controller provides to the Processor when using services within the framework of a Subscription Agreement.
Article 6
CATEGORIES OF INDIVIDUALS
The Individuals to whom the personal data refer are natural persons whose data are entered and managed by the Controller in the PANTHEON Software Suite. The Processor processes this personal data exclusively on behalf of and on the instructions of the Controller and solely for the purpose of performing services within the framework of the Subscription Agreement.
Article 7
TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES AND INTERNATIONAL ORGANIZATIONS
Any transfer of personal data to third countries (i.e., countries outside the European Economic Area) or international organizations by the Processor will be carried out exclusively on the basis of documented instructions from the Controller and will always comply with the provisions of Chapter V of the GDPR.
Where European Union or Member State law to which the Processor is subject requires the Processor to transfer personal data to a third country or international organization without having received instructions from the Controller to do so, the Processor shall inform the Controller of that legal requirement before processing the personal data, unless that law prohibits such information on important grounds of public interest.
Without documented instructions from the Controller (e.g., the Controller’s approval or specific requirements under European Union or Member State law applicable to the Processor), the Processor shall not:
- Transfer personal data to a controller or processor in a third country or international organization.
- Transfer personal data to a sub-processor in a third country or international organization.
- Enable the processing of personal data by a processor in a third country or international organization.
Article 8
TECHNICAL AND ORGANIZATIONAL MEASURES
The Processor has taken all necessary and appropriate technical and organizational measures to ensure an appropriate level of security of personal data in view of the existing risks. These measures include, in particular:
- SECURITY OF PREMISES WHERE COLLECTIONS ARE LOCATED:
- Access to premises where personal data is processed or stored is restricted to authorized persons only.
- Personal data carriers are appropriately locked and protected against unauthorized access outside working hours.
- Unauthorized persons may only enter secure areas under the supervision of employees.
- Computer displays and data carriers are installed and used in such a way as to prevent unauthorized persons from viewing them.
- The Processor implements a “clean desk” policy and uses additional physical security measures, including video surveillance.
- ENSURING THE INTEGRITY (IMMUTABILITY) AND CONFIDENTIALITY OF DATA
- Personal data is not left uncontrolled and is protected from access by third parties.
- Access credentials and means of access (keys, passwords, etc.) must be protected by every employee, and any loss or misuse must be reported immediately.
- Computers and other equipment are locked outside working hours, and data on disks is adequately protected.
- Technical staff and cleaners may only access secure areas if the data is physically or programmatically locked.
- When servicing or upgrading systems, it must be ensured that any copies of personal data are destroyed or deleted after use.
- When a computer virus appears, all necessary measures are taken to eliminate it, and all external media and software are checked before use.
- Regular data backups are provided in case of malfunctions or extraordinary events.
- Installing or modifying software is only permitted with the approval of the managing director.
- Access to data via software is protected by passwords and user authorization.
- Employees must prevent misuse of personal data and immediately report any breaches to the responsible persons; in the event of a suspected breach, the Processor shall notify the Controller without undue delay, in accordance with Article 33 of the GDPR, so that the Controller can notify the Information Commissioner within 72 hours at the latest.
- Appropriate labor law measures shall be taken against employees who misuse personal data or access databases without authorization.
- ENSURING ACCESSIBILITY OR AVAILABILITY OF DATA
- Access to data via application software is protected by passwords that enable the authorization and identification of individual users.
- The Processor has introduced an authorization model for assigning rights in accordance with job classification and approval by supervisors.
- The Processor agrees that, in the event of access to personal data, it will ensure that interference with personal data is minimal. Personal data will only be interfered with to the extent necessary to ensure the performance of services in accordance with the Subscription Agreement.
- ENSURING THE TRACEABILITY OF DATA OPERATIONS
- Internal traceability of personal data processing: a log of all processing operations (entries, changes, additions, views, deletions) is kept, which allows for subsequent determination of the time, method, and person who performed each operation.
- Traceability of personal data transfers to third parties: a record of transfers is kept, enabling subsequent verification of which personal data were transferred, to whom, when, and on what legal basis.
Article 9
INFORMATION SECURITY SYSTEM
The Processor confirms that it holds ISO/IEC 27001 certification. Based on this standard, it establishes and maintains a comprehensive information security management system that includes a multi-level protection strategy. Security measures are established at the level of networks, operating systems, databases, applications, employees, and work processes. Compliance with regulations and contractual obligations is checked regularly and systematically, with the Processor implementing the necessary control and improvement procedures to maintain the security standard.
Article 10
SUB-PROCESSORS
In cases where the Provider acts as a personal data processor and the Client as a controller, the Controller gives written consent by entering into a Subscription Agreement (within the meaning of the provisions of the second paragraph of Article 28 of the GDPR) that the Processor may process personal data arising from this Subscription Agreement itself or entrust it in whole or in part to subcontractors acting as sub-processors. The sub-processors with whom the Processor cooperates are:
- Persons who cooperate with the Processor on the basis of contract, subcontracting, and business cooperation agreements (e.g., computer service providers and other external experts).
- Data center provider located within the EU.
- Digital signature service provider.
- The company Datalab Tehnologije d.d.
To obtain an accurate and up-to-date list of all sub-processors, the Controller may contact the email address specified in Article 13 of this Contract. In the event of a subsequent intention to replace or include a new sub-processor in the aforementioned list, the Processor shall notify the Controller in writing at least 15 days prior to the intended granting of access to personal data to such sub-processor. The Controller shall be entitled to raise a reasoned objection to the change within this period.
The Processor shall conclude a contract or other legally binding act with each sub-processor, which shall ensure the same obligations and standards of personal data protection as agreed in the Subscription Agreement between the Processor and the Controller. For each processing of personal data, the sub-processor shall ensure procedures and measures for the protection of personal data that are as strict or stricter than those implemented by the personal data processor in accordance with this Contract.
An individual sub-processor may perform individual tasks related to the processing of personal data within the scope of the contractual processor’s authorizations and may not process personal data for any other purpose.
Article 11
ASSISTANCE TO THE CONTROLLER
The Processor shall provide the following services to the Controller upon its written request:
– Providing information upon written request by the Controller that is necessary to demonstrate compliance with the Controller’s obligations regarding the contractual processing of personal data.
– Providing information, upon written request by the Controller, that is necessary or useful for the Controller to respond to requests from individuals to whom the personal data relate for the exercise of their rights; the Processor does not provide the Controller with any technical and organizational measures for this purpose.
– Providing information upon written request from the Controller regarding the processing of personal data that the Controller needs to perform a data protection impact assessment and for the prior consultation procedure pursuant to Articles 35 and 36 of the GDPR.
– Services enabling the inspection and audit of personal data processing. The Processor shall enable the Controller to carry out an inspection or audit upon the Controller’s written request, which must be submitted at least 8 days prior to the planned inspection or audit. The request must contain at least the desired date of the inspection or audit, the name of the person or organization carrying it out, and the subject of the inspection or audit. As a rule, the inspection or audit shall be carried out during the Processor’s regular working hours and in a manner that interferes as little as possible with the Processor’s work process.
For all of the above services, the time spent by the Processor is billed to the Controller as Consulting Hours II, according to the valid price list of the ServiceDesk service provider, publicly available on the website http://www.datalab.si/cene-in-funkcije/ (tab Price list for services and support), including the terms specified therein.
Article 12
LIABILITY FOR BREACHES
The liability of the contracting parties for any breaches shall be determined exclusively in accordance with the provisions of the Contract and the special and general terms governing the Subscription Agreement.
Article 13
CONTACT
All notices, requests, inquiries, and other documentation related to personal data protection shall be addressed to info@datalab.eu.
Article 14
FINAL PROVISIONS
This Contract is an integral part of the Subscription Agreement between the Controller and the Processor. The Contract shall enter into force and shall be deemed concluded on the date of conclusion of the contracts and acceptance of the general/special terms by the Controller, which constitute the Subscription Agreement.
The parties may agree at any time to additionally sign this Contract in physical or electronic form, with both copies having equal validity.
This Contract shall be governed exclusively by applicable Slovenian law and applicable European Union law. In the event of a dispute, the parties to the Contract shall attempt to resolve the dispute amicably. If that is not possible, the court in Ljubljana shall have jurisdiction to resolve the dispute.
