The purpose of the personal data protection policy is to inform individuals, service users, collaborators, employees, and other persons (hereinafter referred to as “individuals”) who engage with ZKŠT Zavod za kulturo, šport in turizem Žalec, Aškerčeva 9a, 3310 Žalec, represented by Director Mag. Marko Repnik (hereinafter referred to as the “organization”) about the purposes, legal bases, security measures, and individuals’ rights regarding the processing of personal data carried out by our organization.
We value your privacy and always protect your data with great care.
We process personal data in accordance with European legislation (Regulation (EU) 2016/679 on the protection of individuals concerning the processing of personal data and on the free movement of such data (hereinafter referred to as the “General Regulation”)), applicable Slovenian legislation on personal data protection, and other laws that provide us with a legal basis for processing personal data.
The personal data protection policy provides information on how our organization, as the data controller, processes personal data received from individuals based on legal grounds.
1) Data Controller
The data controller of personal data is the organization:
ZKŠT Zavod za kulturo, šport in turizem Žalec
Aškerčeva 9a, 3310 Žalec
Email: info@zkst-zalec.si
Phone: +386 (0)3 712 12 50
2) Data Protection Officer
In accordance with Article 37 of the General Regulation, we have appointed the following company as the Data Protection Officer:
DATAINFO.SI, d.o.o.
Tržaška cesta 85, SI-2000 Maribor
Website: www.datainfo.si
Email: dpo@datainfo.si
Phone: +386 (0)2 620 4 300
3) Personal Data
Personal data refers to any information related to an identified or identifiable individual. An identifiable individual is someone who can be directly or indirectly identified, particularly by reference to an identifier such as a name, identification number, location data, online identifier, or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.
4) Purposes of Processing and Legal Bases for Data Processing
The organization collects and processes your personal data based on the following legal grounds:
Processing is necessary to comply with a legal obligation to which the controller is subject.
Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract.
Processing is necessary for the legitimate interests pursued by the controller or a third party.
The data subject has given consent for the processing of their personal data for one or more specific purposes.
Processing is necessary to protect the vital interests of the data subject or another natural person.
4.1) Compliance with Legal Obligations
Based on legal provisions, the organization processes data related to its employees as permitted by labor and social security legislation. For employment purposes, the organization primarily processes the following types of personal data: name and surname, gender, date of birth, personal identification number (EMŠO), tax number, place, municipality, and country of birth, nationality, residence, etc.
The legal basis for processing personal data also includes the following laws:
Institutions Act (Zakon o zavodih)
Local Self-Government Act (Zakon o lokalni samoupravi)
Employment Relationships Act (Zakon o delovnih razmerjih)
Act on the Realization of the Public Interest in Culture (Zakon o uresničevanju javnega interesa za kulturo)
Promotion of Tourism Development Act (Zakon o spodbujanju razvoja turizma)
Sports Act (Zakon o športu)
Protection of Documentary and Archival Materials and Archives Act (Zakon o varstvu dokumentarnega in arhivskega gradiva ter arhivih)
Act on Providing Funds for Certain Urgent Programs of the Republic of Slovenia in Culture (Zakon o zagotavljanju sredstev za nekatere nujne programe Republike Slovenije v kulturi)
Other relevant legislation in the fields of culture, sports, and tourism.
In limited cases, the organization may process personal data based on public interest. All relevant sectoral regulations can be found on the website of the competent ministry: https://www.gov.si/drzavni-organi/ministrstva/ministrstvo-za-kulturo/zakonodaja/.
4.2) Contract Performance
When an individual enters into a contract with the organization, the contract itself serves as the legal basis for processing personal data. This means that personal data may be processed for contract execution, such as the sale of tickets, subscriptions, etc. If an individual does not provide the necessary personal data, the organization cannot conclude the contract, nor can it provide the requested services, deliver goods, or fulfill other contractual obligations.
As part of its lawful activities, the organization may inform individuals and users of its services via email about its services, events, training sessions, offers, and other content. Individuals may request to stop such communication and processing of their personal data at any time by unsubscribing via the opt-out link in received messages, by sending a request via email to info@zkst-zalec.si, or by regular mail to the organization’s address:
ZKŠT Zavod za kulturo, šport in turizem Žalec
Aškerčeva 9a, 3310 Žalec
4.3) Legitimate Interest
The organization may process personal data based on its legitimate interest unless such interests are overridden by the interests, fundamental rights, or freedoms of the individual requiring the protection of personal data. When relying on legitimate interest, the organization always conducts an assessment in accordance with the General Regulation.
The processing of personal data for direct marketing purposes is considered to be in the legitimate interest of the organization. The organization may process personal data collected from publicly available sources or through the lawful conduct of its activities for purposes such as offering goods and services, employment opportunities, informing about benefits, events, etc. To achieve these purposes, the organization may use postal mail, phone calls, emails, and other telecommunication methods.
For direct marketing purposes, the organization may process the following personal data of individuals: name and surname, permanent or temporary address, phone number, and email address. The organization may process these personal data for direct marketing purposes even without the individual’s explicit consent.
An individual may request the cessation of such communication and data processing at any time by unsubscribing via the opt-out link in the received message, by sending a request via email to info@zkst-zalec.si, or by regular mail to the organization’s address:
ZKŠT Zavod za kulturo, šport in turizem Žalec
Aškerčeva 9a, 3310 Žalec
4.4) Processing Based on Consent
If the organization does not have a legal basis under the law, contractual obligation, or legitimate interest, it may request the individual’s consent for processing. In such cases, the organization may process certain personal data for the following purposes, provided the individual has given their consent:
Address of residence and email address for communication and information purposes.
Photographs, videos, and other content related to the individual (e.g., publishing images of individuals on the organization’s website) for documentation purposes and informing the public about the organization’s activities and events.
Other purposes for which the individual provides consent.
If an individual provides consent for personal data processing but later wishes to withdraw it, they can request the cessation of data processing by sending a request via email to info@zkst-zalec.si or by regular mail to the organization’s address:
ZKŠT Zavod za kulturo, šport in turizem Žalec
Aškerčeva 9a, 3310 Žalec
The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
4.5) Processing Necessary for the Protection of an Individual’s Vital Interests
The organization may process personal data of an individual if it is necessary for the protection of their vital interests. In emergency situations, the organization may search for an individual’s identification document, verify whether the person exists in its database, review their medical history, or contact their relatives. In such cases, the organization does not require the individual’s consent. This applies when it is essential for the protection of the individual’s vital interests.
5) Storage and Deletion of Personal Data
The organization will store personal data only for as long as necessary to achieve the purpose for which the data was collected and processed. If the data is processed based on legal obligations, the organization will retain it for the period prescribed by law. Some data is stored for the duration of cooperation with the organization, while certain data must be retained permanently.
Personal data processed under a contractual relationship with an individual will be retained for the period necessary to fulfill the contract and for an additional six years after its termination, except in cases where a dispute arises between the individual and the organization concerning the contract. In such cases, the data will be retained for ten years after the final court decision, arbitration, or judicial settlement. If no legal dispute occurs, the data will be retained for five years from the date of peaceful dispute resolution.
Personal data processed based on an individual’s consent or legitimate interest will be stored until the withdrawal of consent or until the individual requests deletion of the data. After receiving a withdrawal or deletion request, the data will be deleted within 15 days. The organization may also delete such data before receiving a request if the purpose of processing has been fulfilled or if required by law.
Exceptionally, the organization may refuse a request for deletion in accordance with the General Regulation for reasons such as:
Exercising the right to freedom of expression and information.
Compliance with a legal obligation requiring processing.
Reasons of public interest in public health.
Archiving purposes in the public interest.
Scientific or historical research purposes or statistical purposes.
The establishment, exercise, or defense of legal claims.
After the retention period expires, the organization must permanently delete or anonymize the personal data so that it can no longer be linked to an identifiable individual.
6) Contractual Processing of Personal Data and Data Transfers
The organization may entrust certain personal data to a contractual data processor based on a data processing agreement. Contractual processors may process the entrusted data exclusively on behalf of the controller, within the limits of their authorization as specified in a written contract or other legal act, and in accordance with the purposes defined in this privacy policy.
The organization primarily collaborates with the following contractual processors:
Accounting services and other providers of legal and business consulting.
Infrastructure maintenance providers (video surveillance, security services).
IT system maintenance providers.
Email service providers and providers of cloud-based software services (e.g., Arnes, Microsoft, Google).
Social media platforms and online advertising providers (Google, Facebook, Instagram, etc.).
The organization will not disclose personal data to any unauthorized third parties. Contractual processors may process personal data only within the instructions provided by the organization and may not use the data for any other purposes.
As a data controller, the organization and its employees do not transfer personal data to third countries (outside the European Economic Area – EU member states, Iceland, Norway, and Liechtenstein) or international organizations, except to the United States. In such cases, relationships with U.S. data processors are governed by standard contractual clauses (model contracts adopted by the European Commission) and/or binding corporate rules (approved by supervisory authorities in the EU).
For improved transparency and oversight of contractual processors, the organization maintains a register of data processors, listing all specific contractual processors with whom it collaborates.
Users can delete cookies stored by their browser. Instructions on how to do this can be found on the official websites of individual web browsers.
8) Video Surveillance
The ZKŠT Zavod za kulturo, šport in turizem Žalec implements video surveillance. Cameras are installed around the organization’s entrances to monitor entries and exits in accordance with Article 77 of ZVOP-2 (Slovenian Personal Data Protection Act).
Additionally, video surveillance is used to:
Protect individuals (users, employees, and visitors)
Safeguard the organization’s property (based on legitimate interest, as outlined in Article 6(f) of the General Regulation (GDPR) in connection with Articles 76 and subsequent provisions of ZVOP-2)
Scope and Purpose of Surveillance
Video surveillance is conducted within certain workspaces where it is strictly necessary for:
Ensuring the safety of people or property
Protecting classified information or trade secrets
It helps in detecting, investigating, and resolving incidents or exceptional events, including:
Criminal offenses
Compensation claims
Other legal disputes
Retention of Surveillance Footage
Recordings are stored for 14 days (e.g., camera at the Green Gold Beer Fountain)
Video surveillance does not involve unusual or extended processing, such as:
Data transfers to third countries
Live audio interventions during monitoring
Live Monitoring
Live monitoring is only accessible to an authorized person at the staff entrance of Dom II. slovenskega tabora, to prevent unauthorized access by third parties.
For additional information regarding video surveillance, individuals may:
Contact the organization via phone or email
Refer to their rights outlined in this Privacy Policy
Direct any additional inquiries to the Data Protection Officer
9) Photography at the Green Gold Beer Fountain
A fixed-position camera is installed at the Green Gold Beer Fountain location. Visitors have the opportunity to take aerial perspective photographs using a camera positioned in front of the fountain. Visitors at the Green Gold Beer Fountain may be included in photographs taken by other individuals at the location. This feature is designed to enhance the tourist experience. The photograph captures the interior area of the Green Gold Beer Fountain, including any individuals present within the frame. After pressing the shutter button, two photographs will be taken within ten seconds. The captured images will be sent directly to the visitor’s email address. If no email address is entered, the images will not be sent and will instead be immediately deleted. For further details about the photography process, visitors may contact the organization via phone or email, refer to their rights outlined in this Privacy Policy, or direct any additional inquiries to the Data Protection Officer.
10) Data Protection and Data Accuracy
The organization ensures information security and the security of infrastructure (premises and application system software). Our information systems are protected, among other measures, by antivirus programs and a firewall. We have implemented appropriate organizational and technical security measures designed to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as well as from other illegal and unauthorized forms of processing. When transmitting special categories of personal data, we do so in encrypted form and protected by a password.
Individuals are responsible for securely providing their personal data and ensuring that the transmitted data is accurate and truthful. The organization will strive to ensure that the personal data it processes is accurate and updated as necessary. Occasionally, the organization may contact individuals to confirm the accuracy of their personal data.
11) Individual Rights Regarding Data Processing
In accordance with the General Data Protection Regulation (GDPR), individuals have the following personal data protection rights:
They may request information on whether we hold their personal data, and if so, which data we have, on what basis, and for what purpose we use it.
They may request access to their personal data, allowing them to receive a copy of the personal data held by the organization and verify whether it is being processed lawfully.
They may request corrections to their personal data, such as rectifying incomplete or inaccurate personal data.
They may request the deletion of their personal data when there is no justification for further processing or when they exercise their right to object to further processing.
They may object to the further processing of their personal data when the organization relies on a legitimate business interest (including the legitimate interest of a third party), if there are reasons related to their particular situation; individuals have the right to object at any time if the organization processes personal data for direct marketing purposes.
They may request a restriction on the processing of their personal data, meaning a temporary halt to data processing—for example, if they wish the organization to verify the accuracy of the data or the reasons for its further processing.
They may request the transfer of their personal data in a structured electronic format to another data controller, where feasible and practical.
They may withdraw consent given for the collection, processing, and transfer of their personal data for a specific purpose. Upon receiving a notice of consent withdrawal, the organization will cease processing personal data for the originally intended purposes unless it has another lawful basis for doing so.
To exercise any of the above rights, individuals may send a request via email to info@zkst-zalec.si or by regular mail to the organization’s address: ZKŠT Zavod za kulturo, šport in turizem Žalec, Aškerčeva 9a, 3310 Žalec. The organization will respond to such requests without undue delay and, in any case, within one month of receiving the request. If necessary, considering the complexity and number of requests, this period may be extended by a maximum of two additional months, in which case the individual will be informed accordingly.
Access to personal data and the exercise of these rights are free of charge for individuals. However, the organization may charge a reasonable fee if a request is clearly unfounded or excessive, particularly if it is repetitive. In such cases, the organization may also refuse the request. To process a request concerning personal data rights, the organization may need to request additional information from the individual to confirm their identity—this is a security measure to ensure that personal data is not disclosed to unauthorized persons.
If an individual wishes to exercise their rights or believes that their rights have been violated, they can seek protection or assistance from the supervisory authority, the Information Commissioner, via the website: https://www.ip-rs.si/.
For any questions regarding the processing of personal data, individuals can always contact the organization via email at info@zkst-zalec.si or by regular mail at ZKŠT Zavod za kulturo, šport in turizem Žalec, Aškerčeva 9a, 3310 Žalec.
12) Publication of Changes
Any changes to our Privacy Policy will be published on the organization’s website:
https://www.zkst-zalec.si/,
https://www.turizem-zalec.si/,
https://www.beerfountain.eu/.
By using the website, individuals confirm that they accept and agree with the entire content of this Privacy Policy.
The Privacy Policy has been approved by the responsible person within the organization.