Privacy policy

Pursuant to Articles 24 and 25 of the Personal Data Protection Act (ZVOP-1) and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Regulation on Personal Data Protection or GDPR), the director of the company Ham, d.o.o., Gerbičeva ulica 102, 1000 Ljubljana, registration number 5376491000, tax number SI 70000891 (hereinafter: the company), Tomaž Ham, hereby adopts the following:

RULES ON PROCEDURES AND MEASURES FOR PROTECTION OF PERSONAL DATA

I. GENERAL PROVISIONS

Article 1

Content and purpose of the policy

1. These Rules determine the technical and organizational measures for the protection of personal data in the company in order to protect the rights and freedoms of the data subject. Their purpose is to prevent accidental or intentional unauthorized destruction, alteration or loss of data, as well as unauthorized access to, processing, use or transmission of personal data to a third party.

2. Employees and external contract employees who process and use personal data in their work must be acquainted with the Personal Data Protection Act (ZVOP-1) and the General Regulation on Personal Data Protection and with the content of these Rules.

3. In matters not regulated by these Rules, the provisions of the Personal Data Protection Act (ZVOP-1) and the General Regulation on Personal Data Protection shall apply directly.

Article 2

The meaning of terms

1. Terms used in these Rules have the following meanings:

• “national legislation” means the currently valid national legislation: ZVOP-1 – Personal Data Protection Act (Official Gazette of the Republic of Slovenia, no. 86/04, 113/05, 51/2007, 67/2007 and 94/2007) and the General Regulation on the Protection of Personal Data (2016/679) or GDPR;

• “personal data” means any information relating to an identified or identifiable individual (hereinafter: the data subject); an identifiable individual is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data or web identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual;

• “processing” means any operation or series of operations performed on personal data or sets of personal data, with or without automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

• “collection” means any structured set of personal data that is accessible according to specific criteria, and the set may be centralized, decentralized or dispersed on a functional or geographical basis;

• “controller” means a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of processing; where the purposes and means of processing are determined by Union law or the law of a Member State, the controller or the specific criteria for its designation may be determined by Union law or the law of a Member State;

• “processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

• “user” means a natural or legal person, public authority, agency or any other body to whom personal data have been disclosed, whether a third party or not. However, public authorities which may receive personal data in the context of an individual inquiry in accordance with Union or Member State law shall not be considered as users; the processing of this data by these public authorities is carried out in accordance with the applicable data protection rules with regard to the purposes of the processing;

• “consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

• “data carrier” means all types of media on which data are written or stored (documents, acts, materials, files, computer equipment including magnetic, optical or other computer media, photocopies, sound and image material, microfilms, data transmission devices, etc.).

II. PRINCIPLES

Article 3

Principles relating to the processing of personal data

1. Personal data shall be:

• processed lawfully, fairly and transparently in relation to the data subject (“lawfulness, fairness and transparency”);

• adequate, relevant and limited to what is necessary for the purposes for which they are processed (“minimum amount of data”), which means that form fields are pre-defined and we do not collect or store unnecessary personal data;

• kept in a form which permits identification of data subjects for as long as is necessary for the purposes for which the personal data are processed;

• processed in a way that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by appropriate technical or organizational measures (“integrity and confidentiality”);

• pseudonymized in certain business processes to reduce the risk of their disclosure. In business processes where the pseudonymization must be reversed in order to perform contractual duties, only authorized persons have access to the individual’s complete data – based on a unique username and password that determines the level of authorization – thus ensuring “data protection by default”. Data protection by default is provided on the basis of organizational and technical measures. Each method of personal data processing has a different default set of the individual’s personal data, so that only the data strictly necessary for the individual method and purpose of processing are processed.

Article 4

Legality of processing

Only personal data for which the controller has, and can demonstrate, an appropriate legal basis in accordance with the provisions of the GDPR and ZVOP-1 are processed in a personal data file:

• processing is necessary to fulfill the legal obligation applicable to the controller;

• processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of measures at the request of such an individual before the conclusion of the contract;

• legitimate interest;

• the data subject has consented to the processing of his or her personal data for one or more specific purposes.

III. INDIVIDUAL RIGHTS

Article 5

Transparency of provided information and ways to exercise the rights of the individual

The controller shall provide the individual with the following information in a concise, transparent, comprehensible and easily accessible form and in clear and simple language:

• identity and contact details of the controller,

• the purposes for which the personal data are processed, as well as the legal basis for their processing,

• the period of personal data storage or the criteria used to determine that period,

• the existence of a right to request access to personal data from the controller and the correction or deletion or restriction of processing in relation to the data subject, or the existence of a right to object to the processing,

• the existence of the right to revoke the consent at any time, without prejudice to the lawfulness of the processing of data carried out on the basis of the consent until its revocation,

• the right to lodge a complaint with the supervisory authority.

Article 6

The right of access of the individual

The data subject shall have the right to obtain confirmation from the controller as to whether personal data are being processed in relation to him or her and, where applicable, access to personal data and the following information:

• processing purposes,

• the types of personal data concerned,

• if possible, the envisaged retention period,

• the existence of the right to request from the controller access to personal data and the rectification or erasure of personal data or restriction of processing in relation to the data subject, or the existence of a right to object to the processing,

• the right to lodge a complaint with the supervisory authority,

• where personal data are not collected from the data subject, all available information regarding their source.

The controller will provide the requested information without undue delay, and in any case within one month of receiving the request.

The controller shall provide a copy of the personal data being processed free of charge. For additional copies requested by an individual, the controller may charge a reasonable fee, taking into account legal costs.

Article 7

The process of exercising the rights of the individual

Personal data are provided only to those users who demonstrate an appropriate legal basis, submit a written request, or have the consent of the data subject.

For each transfer of personal data, the requester must submit a written application, and each transfer is recorded in the records of transfers (which data, to whom, when and on what basis). Originals of documents are never provided, except in the case of a written court order; while the original is absent, a copy is kept in the company in its place.

The controller shall inform any user to whom personal data have been disclosed of any corrections or deletions of personal data or restrictions on processing, unless this proves impossible or involves a disproportionate effort.

The controller shall inform the data subject of these users, if such data subject so requests.

7a.

Procedure for providing processing information

Upon oral or written request and identification of the individual, the following information shall be provided to the individual in printed or PDF format: the purpose of the processing of his or her personal data, the types of personal data concerned, the intended retention period (if possible), the existence of the right to request restriction of processing or to object to the processing of personal data, and the existence of the right to lodge a complaint with the competent authority. The controller shall provide a copy of the personal data being processed free of charge. For additional copies requested by an individual, the controller may charge a reasonable fee, taking into account legal costs.

7b.

Procedure for exercising the right of rectification

Upon oral or written request and identification of the individual, inaccurate data collected by the controller shall be corrected without undue delay. The data subject has the right to have incomplete personal data completed, taking into account the purposes of processing.

7c.

Procedure for exercising the right of erasure (“forgetting”)

Upon oral or written request and identification of the individual, the data collected by the controller shall be deleted without undue delay if:

• the personal data collected are no longer necessary for the purposes for which they were collected or otherwise processed,

• the individual revokes the consent on the basis of which his data are processed and when there is no other legal basis for the processing,

• the individual objects to the processing (according to GDPR Section 4, Article 21 (1) or (2)) and there is no other legal basis for the processing,

• they must be deleted in order to fulfill a legal obligation under Union law or national law applicable to the controller.

The data will be permanently removed from the collection. In collections X and Y, there is a “delete” function, which anonymizes personal data at the request of an individual, leaving only the data we need for annual financial or business analysis. The procedure is performed by an authorized person of the controller. Collection Z is a personnel collection that is permanent, and data in it is not deleted. Collections A, B and C allow data to be deleted; this is carried out by the authorized person of the controller, who, if necessary, contacts the sub-processor’s contract administrator for cooperation. The video collection deletes recordings itself after 12 months; if a recording needs to be deleted earlier, this is done by an authorized person of the controller.

7d.

Procedure for exercising the right to restrict processing

Upon oral or written request and identification of the individual, the data collected by the controller shall be restricted without undue delay if:

• the individual disputes the accuracy of the data, for a period that allows the controller to verify the accuracy of personal data,

• the individual opposes the deletion of personal data and instead requests a restriction on their processing,

• the controller no longer needs the personal data for the purposes of processing, but the individual needs them for the establishment, exercise or defense of legal claims,

• the individual has lodged an objection to the processing, pending verification of whether the legitimate grounds of the controller override those of the individual.

7e.

Procedure for exercising the right to data portability

Upon oral or written request and identification of the individual, the data provided by the customer shall be transmitted to the competing company designated by the customer. The competing company receives them in a structured, commonly used and machine-readable form (*.pdf). The individual has the right to have these data transmitted to another controller without hindrance where the processing is based on the individual’s consent or on a contract and the processing is carried out by automated means.

7f.

Procedure for exercising the right to object

Upon oral or written request and identification of the individual, the controller shall cease the processing of personal data, including any profiling and direct marketing. The exception is where the controller demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the individual, or where the processing is needed for the establishment, exercise or defense of legal claims.

If an individual objects to processing for the purpose of direct marketing, his or her data are no longer processed for this purpose or for any other purpose to which the individual objects. The individual is explicitly informed of this right at the latest at the first communication – clearly and separately from other information.

IV. OBLIGATIONS OF THE CONTROLLER AND THE PROCESSOR

Article 8

Controller responsibility and retention time

The controller shall take technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the applicable regulation.

When determining the means of processing and during the processing itself, the controller implements appropriate technical and organizational measures for the effective implementation of data protection principles, such as the principle of minimum data, and integrates the necessary safeguards into the processing to meet the requirements of the applicable regulation and to protect the rights of data subjects. In particular, it shall ensure that personal data are not made accessible by default to an indefinite number of individuals without the intervention of the individual concerned.

Personal data will be stored and processed for at least the legally specified period of time, depending on the purpose of data collection. Otherwise, storage will be for an unlimited period or until the individual’s consent is revoked. Upon revocation of consent, the data will be effectively and permanently deleted or anonymized.

If the purposes of storing and processing personal data change at the controller, the databases whose purpose has changed will be effectively and permanently deleted or anonymized.

Article 9

Processor responsibilities

Where the processing is carried out on behalf of the controller, the controller shall cooperate only with the processors who provide sufficient guarantees to carry out appropriate technical and organizational measures in such a way that the processing complies with the applicable regulation and ensures the protection of the data subject’s rights.

A processor shall not employ another processor without the prior specific or general written permission of the controller.

The processing by the processor shall be governed by a contract in accordance with Union law, which sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, and the obligations and rights of the controller.

V. WHAT PERSONAL DATA WE COLLECT AND FOR WHAT PURPOSE

Article 10

For business processes in certain places, we collect the following data on users and employees (sometimes all of the items below, but for individual processes only some of them):

• name and surname,

• company,

• address,

• telephone number and

• e-mail address,

• notes,

•….

The above data are used to perform the following activities and purposes in individual business processes:

We collect personal data (name and surname, address, telephone number, e-mail address, and in the case of a company also a tax number) in order to enable you to order products and to deliver the ordered products. We store your personal data and use them exclusively for the purpose of fulfilling the order (sending invoices, delivery of goods) and other necessary communication. We will store your data in the personal data file until you revoke your consent to the processing of personal data or for as long as is necessary to achieve the purpose for which they were obtained.

Direct notification on the offer, benefits:

• sending e-news, e-printed materials and promotional content of the company by e-mail, to inform about products, services and benefits, results of quizzes and prize games;

• conducting direct marketing via telephone calls or regular mail, e.g. printed matter, for the purpose of informing about benefits, products and services.

You can unsubscribe from direct notification at any time at info@rolljet.com.

Basic personalized communication (via e-mail, SMS, phone calls, mail, browser notifications, website information, social networks) with discounts, offers and content. As part of basic personalized communication, we try to present you with relevant offers, discounts and other content that may be of interest to you, based on your past interactions with us. You can unsubscribe from basic personalized communication at any time at info@rolljet.com.

Statistical analyses of customers, their orders and potential customers for the purpose of internal analysis of sales, repeat purchases, aggregated data on customer behavior, advertising optimization and business optimization:

o we monitor sales through our sales channels (internet, trade),

o we monitor how many customers make repeat purchases, how quickly and at what value,

o we monitor general statistical sales data (average value of the basket, number of products in the order),

o we monitor responses to e-mails, SMS and telephone calls (radio ads, online ads) and on this basis optimize our advertising in order to offer quality services and products, based on legitimate interest,

o we track clicks (on the website and in e-mails) and the opening of e-mails to improve the content of e-mails.

Remarketing: Ham d.o.o. also uses third-party marketing tracking cookies, including Google Ads tracking cookies. This allows us to show special offers to, and continue to market our services and products to, those who have shown interest in them. We respect your privacy and do not collect any identifiable information using Google or any other third-party remarketing system.

Email marketing

If you want to receive e-news, you must fill out the form on the website www.rolljet.com. By completing and confirming this form, you provide the following contact information: name and e-mail address. We use MailerLite to manage the list of e-mail marketing subscribers and to send e-mails to our subscribers. MailerLite is a third-party provider that may process your data using industry-standard technologies to help us monitor and improve our e-mail messages. MailerLite’s privacy policy is available at https://www.mailerlite.com/privacy-policy. You can unsubscribe from our e-mails by clicking on the unsubscribe link at the end of each newsletter.

You can also unsubscribe via the unsubscribe feature in the e-mails we send you. Withdrawal or change of consent applies only to data processed on the basis of consent. The provider undertakes to permanently protect all personal data of the user.

Access to social networks

Our website may contain links to other websites and sharing buttons (such as Instagram, Facebook, YouTube or Vimeo) that do not operate on behalf of Ham d.o.o. Each of these social networks operates in accordance with its own terms of use and privacy policy. Ham d.o.o. does not assume any responsibility for the use of social networks to which it provides access through its website. Questions should be addressed to the individual social network.

Article 11

Cookies

Our website uses cookies for its smooth operation; they are stored on the user’s device. Cookies are small files that we place on your computer in order to recognize the individual devices you use to access the website.

The use of web cookies is common and desirable. It enables a higher level of service, such as remembering your login, using the online store, preventing excessive display of advertising banners and the like. Cookies make the interaction between the web user and the site faster and easier, and with their help browsing websites is more efficient and user-friendly.

We use cookies to:

• count the number of site visitors,

• explore how visitors move around the site, in order to adjust the display of content according to past visits,

• keep you logged in where this is needed,

• recognize your device (mobile phone, computer, tablet) and adapt the display of content to it,

• enable the operation of the online store.

If you give your consent for cookies and change your mind later, you can change the settings at any time. Instructions for changing settings for web browsers:

Chrome

Internet Explorer, Windows 10, Windows 8.1, Windows 7

Firefox

Opera

Safari

The rules of procedure describe all databases of the company and present the categories of individuals, the types and origin of data, the purpose of processing, the legal basis for processing, to whom the data are transmitted, the estimated retention period, how an overview of the personal data flow is achieved, and where we store the collection.

The rules of procedure provide a list of all web forms on the websites where data is collected, such as:

• news subscription;

• ordering catalogs;

• submission of demand;

• ordering products;

• etc. ….

VI. LIST OF BUSINESS PROCESSES IN CONTACT WITH PERSONAL DATA

Article 12

Due to the nature of their work, employees in the company come into contact with the personal data of individuals. The rules of procedure break this contact down by area and business process.

VII. SYSTEM DESCRIPTION

Article 13

System infrastructure

The infrastructure of an information system consists of the following elements: hardware, network equipment and connections between them.

The hardware consists of a local server, a communication node, and individual computers in the offices.

The network equipment consists of a local server, a provider router, and a wireless Internet router. The data is stored centrally on the local server in encrypted form – backups are performed on it and also in encrypted form.

Maintenance, upgrades and other necessary interventions in the information system are regular and traceable (through the minutes). They may be performed only by authorized service technicians, organizations or individuals who have a relevant contract with the company. Contractors must properly document changes and additions to system or application software. An authorized employee of the company must also be present at all times during the service to ensure that unauthorized handling of personal data does not occur.

Article 14

Information security policy

The company has adopted an information security policy. For this purpose, two sets of rules have been prepared, which each existing and new employee reads and signs to confirm agreement with them:

• Rules on conduct in the company,

• Rules on the protection of personal data.

VIII. SYSTEM ACCESS

Article 15

User authentication

The company uses user authentication with a username combined with a password.

Authentication to the different databases is separate: the user must log in to each one with their unique username and password. The username is assigned to the individual and the password is chosen by the individual.

There are rules for choosing a password so that it is strong enough and not easy to guess. A minimum length of 6 characters is prescribed, as is the structure: the password must contain at least one number and at least one special character. In addition, we encourage employees to use uppercase and lowercase letters. Passwords cannot be reused.

The password remains the same until the responsible person determines to change the passwords. Passwords do not expire on their own and we do not use automatic system password changes.
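The following is an added illustration, not the company’s own code, of how the password rules in Article 15 can be enforced at the point where a user sets a new password: the minimum length and composition rules are checked, and reuse is detected by comparing the candidate against salted PBKDF2 hashes of earlier passwords rather than against stored plaintext. It assumes that “one character” in the rule means a non-alphanumeric character; the iteration count and the history format are likewise assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Policy parameters as stated in Article 15: minimum length 6, at least one
# digit and at least one special character (interpretation: non-alphanumeric),
# upper/lower case encouraged but not required, no reuse of earlier passwords.
MIN_LENGTH = 6
DIGIT = re.compile(r"\d")
SPECIAL = re.compile(r"[^A-Za-z0-9]")
PBKDF2_ROUNDS = 200_000  # assumed value for this example

PasswordRecord = Tuple[bytes, bytes]  # (salt, pbkdf2 digest)


def check_policy(password: str) -> List[str]:
    """Return the list of composition rules the password violates (empty = compliant)."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not DIGIT.search(password):
        problems.append("no digit")
    if not SPECIAL.search(password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; a fresh random salt is used unless one is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(password: str, history: List[PasswordRecord]) -> bool:
    """True if the candidate matches any earlier password, re-deriving each with its own salt."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return True
    return False


def validate_new_password(password: str, history: List[PasswordRecord]) -> List[str]:
    """Combine the composition check and the reuse check; an empty list means the password is acceptable."""
    problems = check_policy(password)
    if was_used_before(password, history):
        problems.append("password was used before")
    return problems


if __name__ == "__main__":
    # Constructed sample history: one earlier password the user already had.
    history = [hash_password("secret7!")]
    for candidate in ("abc", "secret7!", "other9#"):
        print(candidate, "->", validate_new_password(candidate, history) or "accepted")
```

On a password change the history list would be loaded from the user’s record and, once the new password is accepted, its `(salt, digest)` pair appended to it; keeping only hashes in the history means a leak of that record does not reveal old passwords.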

Article 16

User authorization

Duties and responsibilities of employees are assigned and established at the beginning of work and at the time of introduction.

In the case of individual personal data files, a responsible person and users have the right to access the individual personal data file.

When accessing the system, there is a division of roles into users and administrators, where the latter have different authorizations from users.

Assigning, modifying and revoking user privileges is the responsibility of administrators. Upon the arrival of a new employee and the completion of the introduction, the individual receives his or her user authorization, which is actively changed during employment as the user’s access needs change. This also includes the revocation of user rights and the locking of accounts upon the employee’s departure.

In many cases, the review of user rights is already built into the individual collection by default, so the review is not demanding and can be performed quickly.

Article 17

Traceability of data access

Any access to the data is recorded, whether by a user or an administrator, even if it was only a matter of logging in and viewing the data. It is also possible to trace the changes made to the data, i.e. what was changed and which user did so.

Audit trails of data access are stored in each individual database and are not accessible to all users, but only to administrators. Modifying, deleting or disabling the recording of audit trails in individual collections is not possible – not even for administrators.

Access to audit trails is also recorded, like all other accesses. Regular inspections are not scheduled, but we have the option of inspection and internal investigation in case of any problem or suspicion. As these are smaller and infrequently used databases of personal data, we do not use special tools to manage audit trails.

Access control to the data, and before that to the system, is arranged so that it is possible to log in to the collections only from office computers. Remote access by employed users to office computers is performed using VPN technology, and applies exclusively to the technical sector of the company.
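Article 17 requires that every access and change be recorded and that audit trails cannot be altered or deleted even by administrators. The following added example (not the company’s own mechanism, which the text does not describe) shows one way to make such tampering detectable: each audit entry carries the hash of the previous entry, so a verification pass over the trail reveals any entry that was edited, removed or reordered. The field names, the use of SHA-256 and the separately stored “head” hash are assumptions chosen for the illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # previous-hash value for the very first entry


def _entry_hash(prev_hash: str, body: Dict[str, Any]) -> str:
    """Hash the previous entry's hash together with a canonical JSON form of this entry."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + payload).hexdigest()


class AuditTrail:
    """Append-only, hash-chained record of who accessed or changed which collection."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def record(self, user: str, role: str, action: str, collection: str,
               detail: str = "", ts: Optional[str] = None) -> str:
        """Append one entry (login, view, modify, delete, ...) and return its hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,            # 'user' or 'administrator', as in Article 16
            "action": action,
            "collection": collection,
            "detail": detail,        # for changes: what was changed
            "prev": prev,
        }
        entry = dict(body, hash=_entry_hash(prev, body))
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Hash of the latest entry; store it outside the database to detect truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry
        (len(entries) if the trail was truncated relative to expected_head)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or _entry_hash(prev, body) != entry["hash"]:
                return i
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None

    def changes_to(self, collection: str) -> List[Dict[str, str]]:
        """Trace who changed what in a collection (the 'what has changed and which user' of Article 17)."""
        return [{"user": e["user"], "action": e["action"], "detail": e["detail"]}
                for e in self.entries
                if e["collection"] == collection and e["action"] in ("modify", "delete")]


def build_sample_trail() -> AuditTrail:
    """Constructed sample activity against collections A and B (not real data)."""
    trail = AuditTrail()
    trail.record("ana", "user", "login", "A", ts="2024-03-01T08:00:00+00:00")
    trail.record("ana", "user", "view", "A", "record 17", ts="2024-03-01T08:01:00+00:00")
    trail.record("ana", "user", "modify", "A", "record 17: phone updated", ts="2024-03-01T08:02:00+00:00")
    trail.record("bob", "administrator", "view", "B", "audit trail", ts="2024-03-01T09:00:00+00:00")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    saved_head = trail.head()
    print("intact:", trail.verify(saved_head) is None)
    print("changes to A:", trail.changes_to("A"))
    trail.entries[2]["user"] = "eve"       # simulated tampering with an existing entry
    print("first bad entry after edit:", trail.verify(saved_head))
```

The chain alone cannot reveal that the newest entries were cut off, which is why `head()` is meant to be copied somewhere the database administrator cannot reach (for example, into the daily backup described in Article 21); `verify(expected_head)` then reports truncation as well.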

IX. PHYSICAL AND TECHNICAL PROTECTION OF PREMISES AND ENVIRONMENTAL PROTECTION

Article 18

Physical access

Premises in which personal data carriers, hardware and software are located are protected by technical and organizational measures that prevent access to data by unauthorized persons. Access is possible only during regular working hours, and outside this time only with the permission of the legal representative. Protected areas must not remain unattended and must be locked in the absence of the workers who otherwise supervise them.

The most important components, the server and the communication node, are under lock and key. They may be accessed only by an authorized person for hardware maintenance and by contracted services in case of updates and troubleshooting.

The keys to the protected areas are used and kept in accordance with the house rules; we do not leave them in the lock.

We use an alarm system, security locks, mechanical barriers on the windows and video surveillance to control access (see the Rules on the implementation of video surveillance). Employee access control is managed through the alarm system, as each employee has their own personal code.

The mentioned anti-burglary and security-control systems are maintained by external maintainers who are aware of their duties and responsibilities regarding the protection of our data and have concluded an appropriate contract with the company. Any interference with them is allowed only in the presence of a legal representative.

Outside working hours, cabinets and desks with personal data carriers must be locked and computers and other hardware must be switched off and physically or programmatically locked. Outside working hours, no one has access to business premises, much less to personal data collections.

In premises intended for business with clients, data carriers and computer displays must be placed in such a way that clients and other unauthorized persons cannot have access to them.

Article 19

Protection against environmental influences

We also protect personal data collections through mechanisms against environmental influences. We use a fire protection system and smoke detectors.

X. DATA PROTECTION

Article 20

Anti-malware controls

We use the ESET ENDPOINT ANTIVIRUS + FILE SECURITY antivirus program and firewall on all computers in the company, and update them regularly. New versions are installed annually, and licenses are renewed annually.

An intrusion detection system for password attacks is used: all login attempts are logged and intrusion attempts are blocked.

The contents of the network system disks and of the local workstations where personal data is located are checked daily for the presence of computer viruses. In the event of a computer virus, it would be removed as soon as possible with the help of an appropriate professional service, and at the same time the cause of the infection of the computer information system would be determined.

All personal data and software intended for use in a computer information system and arriving at the company on media for the transmission of computer data or via telecommunications channels must be checked and tested for the presence of computer viruses before use.

Employees may not install software without the knowledge of the person in charge of the operation of the computer information system. They may also not remove software from the company’s premises without the approval of the head of the organizational unit and the responsible person.

Article 21

Backups

All databases and the content of the network server and local stations are backed up for the needs of smooth and uninterrupted operation of the company and for restoring the computer system and the data located there. Backups are made daily at night, when the system in the company is idle and not being updated. Copies are made in triplicate and are located in three different, geographically separate locations that are fireproof, protected against floods, electromagnetic interference and temperature changes, and securely locked.

Copying is automatic and takes place locally on the server and via cloud connections, so no manual transfer is required. Backups are kept on disks, and their administrator is an authorized person, who is always only one. The backup copy is updated every day and does not become obsolete, so we do not have a destruction process for outdated copies, as the copy is one and always updated.

Article 22

Handling of data carriers

After each use, data carriers are securely wiped by employees so that no personal data remains on them. As long as they contain data, they must also be stored safely so that there is no possibility of unauthorized access to them. Safe storage means in a cabinet, under lock and key.

Article 23

Data destruction

Before a data carrier is destroyed, all the data on it must be permanently destroyed. For digital media, we ensure permanent deletion, so that none of the data on it can be restored in whole or in part. Data on traditional print media (documents, files, lists, registers…) is destroyed with a document shredder, which makes it impossible to read all or part of the data. Auxiliary material is destroyed in the same way.

It is forbidden to dispose of discarded data carriers containing personal data in rubbish bins. The transfer of personal data carriers to the place of destruction, and the destruction itself, are supervised by a special internal commission, which draws up an appropriate report on the destruction.

Article 24

Handling sensitive personal data

We do not collect data that falls into the category of sensitive personal data. Thus, we do not collect data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs or trade union membership, nor do we process genetic or biometric data for the purpose of uniquely identifying an individual, or data concerning health, sex life or sexual orientation.

XI. SECURITY INCIDENT MANAGEMENT

Article 25

This chapter governs the management of security incidents that affect the level of protection of personal data. The reporting protocol for employees is:

• the method of reporting is primarily oral,

• that the information reaches the responsible person in the company as soon as possible,

• reported by the person who detected the security incident,

• a report must be made as soon as the employee becomes aware that unauthorized access to a personal data file is possible, or that it has already occurred, that is, when the employee detects unauthorized destruction, appropriation, alteration or damage to the database or to individual data in it,

• the employee does everything in their power to prevent such activity,

• when reporting, it is necessary to inform the responsible person to which personal data file the incident relates, how it occurred, when it occurred and all other important data that could help to resolve the incident faster,

• the responsible person immediately reports the incident to the Information Commissioner.

XII. HUMAN RESOURCES

Article 26

Employees

Employees must follow and comply with these Rules on procedures and measures for the protection of personal data, which are adapted to the actual situation in the company.

Each employee is aware of the provisions and signs a statement of familiarity for this purpose. The policy is published and always available on the shared disk, and in the printed version at the parent.

We include education on personal data protection in the company's regular meetings and discuss it there, so that the information and rules are not forgotten and are consistently applied.

Everyone who processes personal data is obliged to implement the prescribed procedures and measures for data protection and to protect the data they have processed or become acquainted with in the performance of their work. The obligation to protect data does not end with the termination of the employment relationship.

Employees are subject to disciplinary action for breaches of these provisions, former employees are criminally liable, and external contractors are liable under their contractual obligations.

Article 27

Clean desk policy

The clean desk policy is very important in the company: documents containing personal data (printouts, data carriers…) are never left “on display” on the desk, but are kept in locked drawers or cupboards whenever we are not present.

Article 28

Clean screen policy

The clean screen policy is another rule that we consistently follow in the company. We close open databases as soon as we no longer need them. Computers are locked whenever the employee is away; a computer is easily locked with the Win + L key combination. For additional protection, the screen saver is activated after a set period of inactivity, and it cannot be dismissed merely by moving the mouse: the correct password, known only to the user, is also required.

Article 29

Use of official electronic means

It is forbidden to store company data, business secrets and, above all, any personal data on official electronic devices. Official electronic devices may be used to process such data only on the company's premises and on the shared secure local network.

If an official electronic device is lost, stolen or damaged, a personal data incident cannot occur, as the device contains no data and has no direct access to databases without the proper internal network, programs, unique usernames and passwords.

Article 30

External contractors – contractual processors of personal data

External contractors change over the years and are not permanent. The company maintains a list of all contractual processors of personal data, which is always kept up to date. The list of current contractual processors is attached to the policy.

We have a contract on cooperation and the processing of personal data with each external contractor, which sets out the procedures and measures for the protection of personal data in order to ensure the highest possible level of information security. The services, that is, the types of personal data processing provided by each provider, are also defined. Processors may act only in accordance with our authorization and may not process or otherwise use the data for any other purpose. They must protect personal data at least as strictly as required by these Rules and the signed contract.

The same applies to external persons who maintain hardware and software and create or install new hardware or software.

The company follows the following policies when choosing a contract processor:

• careful selection of the processor, in particular with regard to data protection,

• preliminary review and documentation of security measures taken by the processor,

• written instructions to the processor (contract),

• the duty of the employees of the processor not to disclose data,

• the processor has established the function of data protection officer,

• ensuring the return / destruction of data after the termination of the contract,

• a defined right of the controller to supervise the processor (verification of the processor and its activities),

• contractual penalties for breaches.

XIII. RESPONSIBILITY FOR THE IMPLEMENTATION OF SECURITY MEASURES AND PROCEDURES

Article 31

Authorized persons appointed by the legal representative are responsible for the implementation of procedures and measures for the protection of personal data and these Rules.

XIV. FINAL PROVISIONS

Article 32

The policy is a business secret.

The rules are available to all employees in physical form from the director.

The rules come into force on October 1, 2020. The information is published in the usual way for the employer.

This document is an English translation of the original Slovenian personal data protection document, which is legally binding.

Ljubljana, 20 September 2020

Director Tomaž Ham