Protection of personal data

On the basis of Articles 24 and 25 of the Personal Data Protection Act (ZVOP-1) and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or GDPR), the Director of the company Ham, d.o.o., Gerbičeva ulica 102, 1000 Ljubljana, registered number 5376491000, tax number SI 70000891 (hereinafter referred to as the company), Tomaž Ham, hereby accepts the following:

REGULATIONS

ON PROCEDURES AND MEASURES TO

PROTECTION OF PERSONAL DATA

I. GENERAL PROVISIONS

Article 1

Content and purpose of the Regulations

1. This policy lays down the technical and organisational measures for the protection of personal data in the company in order to protect the rights and freedoms of the data subject. The purpose of the Company is to prevent accidental or intentional unauthorised destruction, alteration or loss of data, as well as unauthorised access, processing, use or disclosure of personal data to third parties.
2. Employees and external contractors who process and use personal data in the course of their work must be familiar with the Personal Data Protection Act (PDPA-1) and the General Data Protection Regulation, as well as with the content of this policy.
3. In matters not covered by these Rules, the provisions of the Personal Data Protection Act (ZVOP-1) and the General Data Protection Regulation shall apply directly.

Article 2

Meaning of terms

(1) As used in this Regulation, the following terms shall have the following meanings:

• “national legislation” means the national legislation currently in force (ZVOP-1 – Personal Data Protection Act (Official Journal of the Republic of Slovenia, No. 86/04, 113/05, 51/2007. 67/2007 and 94/2007);

• EUR General Data Protection Regulation (2016/679) or GDPR;
• ‘personal data’ means any information relating to an identified or identifiable natural or legal person (hereinafter referred to as ‘data subject’); an identifiable natural or legal person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural or legal person;
• “processing” means any operation or set of operations which is performed upon personal data or upon sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• ‘collection’ means any structured set of personal data which are accessible in accordance with specific criteria and which may be centralised, decentralised or dispersed on a functional or geographical basis;
• ‘controller’ means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing; where the purposes and means of the processing are determined by Union law or by the law of a Member State, the controller or the specific criteria for its designation may be determined by Union law or by the law of a Member State;
• ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
• ‘user’ means the natural or legal person, public authority, agency or other body to whom the personal data have been disclosed, whether or not a third party. However, public authorities which may receive personal data in the context of an individual enquiry in accordance with Union or Member State law shall not be considered as users; the processing of those data by those public authorities shall be carried out in accordance with the applicable data protection rules in relation to the purposes of the processing;
• ‘data subject consent’ means any voluntary, explicit, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies his or her agreement to the processing of personal data concerning him or her;
• “data medium” means any type of medium on which data are recorded or reproduced (documents, deeds, papers, files, computer equipment including magnetic, optical or other computer media, photocopies, audio and visual material, microfilms, data transmission devices, etc.).

II. PRINCIPLES

Article 3

Principles relating to the processing of personal data

1. Personal data are:

• processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
• adequate, relevant and limited to what is necessary for the purposes for which they are processed (“minimum data scope”), which means that forms with fields are predefined and we do not collect or store unnecessary personal data;
• kept in a form which permits identification of data subjects for as long as is necessary for the purposes for which the personal data are processed;
• they are processed in a way that ensures adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by appropriate technical or organisational measures (“integrity and confidentiality”);
• pseudonymised in certain business processes to avoid the risk of disclosure. At points in business processes where decryption of pseudonymisation is necessary for the performance of a contractual duty, authorised persons have access to extended data about the individual – based, of course, on a unique username and password that determines the level of authorisation – thereby ensuring “data protection by default”. We ensure the protection of personal data by default on the basis of organisational and technical measures. Each processing method has a different content of the individual’s personal data by default, so that only the data that is strictly necessary for the specific processing method and purpose is processed.

4. Member
5.  

Article 4

Lawfulness of processing

Only personal data that have a relevant legal basis under the provisions of the GDPR and ZVOP-1 and are demonstrable by the controller are processed in the personal data file:

• the processing is necessary for compliance with a legal obligation to which the controller is subject;
• the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of measures at the request of such data subject prior to the conclusion of the contract;
• legitimate interest;
• the data subject has consented to the processing of his or her personal data for one or more specified purposes.

III. INDIVIDUAL RIGHTS

Article 5

Transparency of the information provided and of the means of exercising individual rights

The controller shall provide the following information to the individual in a concise, transparent, comprehensible and easily accessible form and in clear and plain language:

• the identity and contact details of the controller,
• the purposes for which the personal data are processed, as well as the legal basis for the processing,
• the period of retention of the personal data or the criteria used to determine the period,
• the existence of a right to obtain from the controller access to personal data and to have personal data concerning the data subject rectified or erased or to have processing restricted, or the existence of a right to object to processing,
• the existence of a right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until its withdrawal,
• the right to lodge a complaint with the supervisory authority.

Article 6

Right of access of the individual

The data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning him or her are being processed and, where this is the case, access to the personal data and the following information:

• the purposes of the processing,
• the type of personal data concerned,
• if possible, the intended retention period of the data,
• the existence of a right to require the controller to access and rectify or erase personal data or to restrict processing in relation to the data subject, or the existence of a right to object to processing,
• the right to lodge a complaint with the supervisory authority,
• where the personal data are not collected from the data subject, any available information concerning their source.

The controller will provide the requested information without undue delay and in any event within one month of receipt of the request.

The controller shall provide a copy of the personal data processed free of charge. For additional copies requested by the data subject, the controller may charge a reasonable fee, taking into account legal costs.

Article 7

Procedure for exercising your rights

Personal data shall only be disclosed to those users who provide the relevant legal basis or the written request or consent of the data subject.

For each transfer of personal data, the individual must submit a written application and each transfer is recorded in a transfer register (which data, to whom, when and on what basis). Original documents shall never be disclosed, except in the case of a written order from a court. The original document shall be replaced by a copy in the Company’s absence.

The controller shall communicate to each user to whom personal data have been disclosed any rectification or erasure of personal data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

The controller shall inform the data subject of these users if the data subject so requests.

Article 7a

Procedure for providing information on processing

Upon oral or written request and identification of the data subject, the following information shall be provided to the data subject in printed or pdf form: the purpose of the processing of his/her personal data, the types of personal data concerned, the envisaged retention period (if possible), the existence of the right to request rectification or erasure or restriction of processing or to object to the processing of personal data, the existence of the right to lodge a complaint with a competent authority. The controller shall provide a copy of the personal data processed free of charge. For additional copies requested by the data subject, the controller may charge a reasonable fee, taking into account legal costs.

Article 7b

Procedure for exercising the right of rectification

Following an oral or written request and identification of the data subject, inaccurate data collected by the controller shall be rectified without undue delay. The data subject shall have the right, having regard to the purposes of the processing, to have incomplete personal data completed.

Article 7c

Procedure for exercising the right to erasure (“oblivion”)

Upon oral or written request and identification of the data subject, the data collected by the controller shall be deleted without undue delay if:

• the personal data collected is no longer necessary for the purposes for which it was collected or otherwise processed,
• the individual withdraws the consent on the basis of which his or her data are processed and where there is no other legal basis for the processing,
• the data subject objects to the processing (under GDPR Section 4, Article 21 (1) or (2)), no other legal basis exists for the processing,
• they must be erased in order to comply with a legal obligation under Union or national law to which the controller is subject.

The data will be permanently removed from the database. In the X and Y collections  a “delete” function that will anonymise personal data at the request of the individual, leaving the data we need for annual financial or business analysis. The process is carried out by an authorised person of the controller. The Z file is a personnel file which is permanent and the data is not deleted. Collections A, B and C allow the deletion of data. This shall be carried out by an authorised person of the controller, who shall, if necessary, seek the cooperation of the contract administrator of the sub-processor. The video file shall delete the recordings after 12 months, but if a recording needs to be deleted earlier, the controller’s authorised person shall do so.

Article 7c

Procedure for exercising the right to restriction of processing

Upon oral or written request and identification of the data subject, the processing of the data collected by the controller shall be restricted without undue delay if:

• the data subject contests the accuracy of the data for a period which allows the controller to verify the accuracy of the personal data,
• the data subject objects to the erasure of personal data and requests instead the restriction of processing,
• the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them for the exercise of. Exercise or defence of legal claims,
• the data subject has lodged an objection to the processing, pending verification whether the legitimate grounds of the controller override those of the data subject.

Article 7d

Procedure for exercising the right to data portability

Upon oral or written request and identification of the individual, the information provided to the controller shall be provided to the competing company designated by the client. The competing company shall receive it in a structured, commonly used and machine-readable format (*.pdf). It has the right to transmit this information to another controller without hindrance, where the processing is based on the consent of the data subject or on a contract and where the processing is carried out by automated means.

Article 7e

Procedure for exercising the right to object

Upon oral or written request and identification of the data subject, the controller shall terminate the processing of personal data, including profiling, if any, and direct marketing. An exception shall be made where the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If the data subject objects to the purpose of direct marketing, his or her data shall no longer be processed for that purpose or for any other purpose to which the data subject objects. The individual shall be explicitly reminded of this right at the latest at the time of the first communication – clearly and separately from other information.

IV. OBLIGATIONS OF THE CONTROLLER AND THE PROCESSOR

Article 8

Controller’s responsibility and retention period

The controller shall take technical and organisational measures to ensure and be able to demonstrate that processing is carried out in accordance with the applicable Regulation.

At the time of determining the means and at the time of the processing itself, the controller shall implement appropriate technical and organisational measures for the effective implementation of the data protection principles, such as the principle of data minimisation, and shall include in the processing the necessary safeguards to meet the requirements of the applicable Regulation and to protect the rights of data subjects. In particular, it shall ensure that personal data are not automatically accessible to an indeterminate number of individuals without the intervention of the individual concerned.

Personal data will be stored and processed for a minimum period of time determined by law according to the purpose for which the data were collected. Otherwise, the storage will be indefinite or until the consent of the data subject is withdrawn. After withdrawal of consent, the data will be effectively and permanently deleted or anonymised.

If the purposes for which personal data are stored and processed by the controller change, the databases with the changed purposes will be effectively and permanently erased or anonymised.

Article 9

Responsibilities of the processor

Where processing is carried out on behalf of the controller, the controller shall only cooperate with processors who provide sufficient guarantees to implement the appropriate technical and organisational measures in such a way that the processing satisfies the requirements of the applicable Regulation and ensures the protection of the data subject’s rights.

The processor shall not employ another processor without the prior specific or general written consent of the controller.

The processing by the processor shall be governed by a contract in accordance with Union law, which shall specify the content and duration of the processing, the nature and purpose of the processing, the type of personal data and the obligations and rights of the controller.

V. WHAT PERSONAL DATA WE COLLECT AND FOR WHAT PURPOSE

Article 10

For business processes, we collect the following information about users and employees at specific points (sometimes all of them, but for individual processes only some of the information recorded):

• name and surname,
• Company
• Title,
• a telephone number, and
• e-mail address,
• Notes,
• … .

This data is used to perform the following activities for each business process:

• communication about the purchase,
• sending newsletters and promotional content from the company,
• direct marketing,
• sending out ordered e-print, physical print or quiz results,
• keeping you informed about events,
• Statistical analysis: tracking clicks (on the website and in emails) and email opens to improve the content of emails,
• sending emails with offers, information about news, promotions and benefits from the Company and its partners,
• phone calls, SMS messages and regular mail.

Annex 1 describes each of the Company’s data collections, outlining the categories of individuals, the types and origin of the data, the purpose of the processing, the legal basis for the processing, to whom they are disclosed, the intended retention period, how the overview of the flow of personal data is achieved and where the collection is kept.

Annex 2 lists all the sites on the websites where data is collected, such as:

• sign up for the newsletter;
• order catalogues;
• Submitting a request for quotation;
• order products;
• etc. … … .

VI. INVENTORY OF BUSINESS PROCESSES THAT ARE IN CONTACT WITH PERSONAL DATA

Article 11

The nature of our work brings us into contact with individuals’ personal data. By business area and business process, the contact is broken down into  Annex 3.

VII. DESCRIPTION OF THE SYSTEM

Article 12

System infrastructure

The infrastructure of an IT system consists of the following elements: hardware, network equipment and the connections between them.

The hardware consists of a local server, a communication hub and individual computers in the offices.

The network equipment consists of a local server, a provider router and a wireless router for the internet. Data is stored centrally on the local server in encrypted format –  backups are made on it and in encrypted form.

Maintenance, upgrades and other necessary interventions in the information system are regular and traceable (from the records). Only authorised repairers, organisations or individuals who have a contract with the company are allowed. Contractors must document changes and additions to system or application software. An authorised employee of the Company must also be present at all times during the servicing to ensure that no unauthorised handling of personal data takes place.

Article 13

Information Security Policy

We have an Information Security Policy. To this end, two policies have been drawn up, which each existing and new employee reads and signs to agree to:

• Code of Conduct,
• Privacy Policy.

VIII. ACCESS TO THE SYSTEM

Article 14

User authentication

The company uses user authentication with a username in combination with a password.

Identification to the different databases varies, and users must log in to each one with their own unique username and password. The username is assigned to individuals and the password is set by the individual.

There are rules for choosing a password, so that it is strong enough and not easily guessed. Passwords must be at least 6 characters long, and there must be a structure so that the password contains at least one number and one character. In addition, employees are encouraged to use upper and lower case letters. Passwords cannot be repeated.

The password remains the same until the responsible person decides to change the password. Passwords themselves do not expire and we do not use automatic system password changes.

Article 15

Authorisation of users

Staff duties and responsibilities are assigned and established at the start of the job and at induction.

For each personal data collection, a responsible person and the users who have the right of access to each personal data collection are identified.

When accessing the system, there is a division of roles between users and administrators, where the latter have different authorisations from the users.

The granting, modification and revocation of user authorisations is the responsibility of the administrators. When a new employee joins and the onboarding process is completed, the individual receives their own user authorisation, which is actively changed during the course of the work when the user’s access needs change. This includes removing user privileges and locking them when the employee leaves.

In many cases, the checking of user authorisations is already set by default for each add-on collection, so the checking is not difficult and can be done quickly.

Article 16

Traceability of data access

Every access to data is logged, both user and administrator, even if it was just to log in and view the data. It is also possible to trace changes made to the data, i.e. what was changed and by which user.

Audit trails of data accesses are stored in the individual database and are not accessible to all users, but only to administrators. Modification, deletion and deactivation of audit trails in individual collections are not possible – not even for administrators.

Accesses to audit trails are also recorded like all other accesses. Regular audits are not on our schedule, but we have the possibility to review and investigate internally if any problem or suspicion arises. As these are small and not frequently used personal data collections, we do not use specific tools to manage audit trails.

Access control to the data and, more importantly, to the system, is arranged so that access to the databases can only be logged on company computers. Remote access by staff users on company computers is done using VPN technology, which applies exclusively to the company’s technical sector.

IX. PHYSICAL AND TECHNICAL SECURITY OF PREMISES AND PROTECTION AGAINST ENVIRONMENTAL INFLUENCES

Article 17

Physical access

The premises where the personal data media, hardware and software are located are protected by technical and organisational measures to prevent unauthorised access to the data. Access is only possible during regular working hours and outside these hours only with the authorisation of the legal representative. Secured areas must not be left unattended and must be locked in the absence of the employees who otherwise supervise them.

The most important parts, the server and the communication hub, are under lock and key. They can only be accessed by an authorised hardware maintenance person and by contracted service technicians in case of updates and troubleshooting.

Keys to secure rooms are used and stored in accordance with the house rules and are not left in the lock.

We use an alarm system, security locks, mechanical barriers on windows and video surveillance to control access (see Video surveillance rules). Employee access is controlled by an alarm system, each of whom has their own personal password.

The aforementioned burglar and security surveillance systems are maintained by external maintenance personnel who are aware of their duties and responsibilities with regard to the protection of our data and have an appropriate contract with the Company. Any interference with them is only permitted in the presence of a legal representative.

Outside working hours, cabinets and desks with personal data carriers must be locked and computers and other hardware must be switched off and physically or programmatically locked. No one shall have access to the premises outside working hours, much less to the personal data files.

In customer-facing areas, data carriers and computer displays must be installed in such a way that they cannot be accessed by customers and other unauthorised persons.

Article 18

Protection against environmental impacts

We also protect personal data collections with mechanisms to counteract the impact of the environment. We use a fire alarm system and smoke detectors.

X. DATA PROTECTION

Article 19

Controls against malicious code

We use ESET ENDPOINT ANTIVIRUS + FILE SECURITY antivirus and firewall software on all computers in the company, which is regularly updated. New versions are installed on an annual basis and licences are renewed annually.

A password-based intrusion detection system is used, where all login attempts are logged and intrusion attempts are blocked.

The contents of network drives and local workstations containing personal data are checked daily for the presence of computer viruses. If a computer virus is detected, it should be eliminated as quickly as possible with the help of the appropriate professional service, while at the same time identifying the cause of the virus in the computer information system.

All personal data and software intended for use in a computer information system and arriving at the Company on computer data transmission media or through telecommunications channels must be checked and tested for the presence of computer viruses before use.

Staff members must not install software without the knowledge of the person responsible for the operation of the computer information system. Nor shall they remove software from the Company’s premises without the approval of the head of the organisational unit and the person responsible.

Article 20

Backups

All databases and the contents of the network server and local stations shall be backed up, if the data is located there, for the purposes of the continuity and uninterrupted operation of the Company and for the purposes of restoring the computer system. Backups shall be made daily during night-time hours when the Company’s system is idle and not being updated. Copies shall be made in triplicate and shall be located in three different, geographically separated locations that are fireproof, floodproof, EMI-proof, temperature-proof and securely locked.

Copying is automatic and takes place locally on the server and via cloud connections, so no personal transfer is necessary. Backups are stored on disks and are managed by an authorised person, who is always only one. The original copy is updated daily and does not become outdated, so there is no destruction process for old copies, as there is one copy and it is always up-to-date.

Article 21

Handling of data media

After each use, employees securely format the media to ensure that no personal data remains on it. They should also be stored securely for as long as the data is on them, so that unauthorised access is not possible. Secure storage means in a cabinet and under lock and key.

Article 22

Data destruction

Before a data medium is destroyed, all data on it must be permanently destroyed. In the case of digital media, we ensure that it is permanently erased so that restoration of all or part of the data on it is impossible. Data on traditional printed media (documents, files, lists, registers, etc.) shall be destroyed by means of a document shredder which makes all or part of the data unreadable. Ancillary material shall be destroyed in the same way.

It is forbidden to dispose of waste data carriers containing personal data in the bins. The transfer of personal data carriers to the destruction site and their destruction shall be supervised by a special internal committee, which shall draw up an appropriate record of the destruction.

Article 23

Handling sensitive personal data

We do not collect data that falls under the category of sensitive personal data. Therefore, we do not collect data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, nor do we process genetic or biometric data for the purpose of uniquely identifying an individual, or data relating to health or data relating to an individual’s sex life or sexual orientation.

XI. SECURITY INCIDENT MANAGEMENT

Article 24

It concerns the management of security incidents that have an impact on the level of protection of personal data. The reporting protocol for employees is:

• the reporting method is primarily oral,
• information reaches the responsible person in the company as soon as possible,
• reported by the person who detected the security incident,
• a report must be made as soon as an employee becomes aware of the possibility of unauthorised access to a personal data collection or when he or she discovers the unauthorised destruction, appropriation, alteration or corruption of a personal data collection or of individual data contained therein,
• doing everything in its power to prevent such activity,
• When reporting, you should tell the person responsible which personal data set the incident relates to, how it occurred, when it occurred and any other relevant information that could help to resolve the incident more quickly,
• the responsible person immediately reports the incident to the Information Commissioner after becoming aware of it.

XII. HUMAN RESOURCES

Article 25

Staff

Employees are required to follow and comply with this Policy on Procedures and Measures for the Protection of Personal Data, which is adapted to the realities of the Company.

Each staff member shall be made aware of the provisions and shall sign a declaration to that effect, which shall form part of this policy(Annex 4). The policy shall be published and available at all times on the common drive and in hard copy from the line manager.

We include and discuss personal data protection education in regular company meetings (briefings) so that the information and rules are not forgotten and are regularly implemented.

Anyone processing personal data is obliged to implement the procedures and measures prescribed for data protection and to protect the data which he/she has learned or become aware of in the course of his/her work. The obligation to protect data shall not cease upon termination of the employment relationship.

Staff members are liable for disciplinary action for breaches of the provisions, former staff members are liable for criminal action, and external contractors are liable on the basis of their contractual obligations.

Article 26

Clean desk policy

A clean desk policy is very important in society and means that documents with personal data (printed, data media, etc.) are never “on display” on the desk, but are always in locked drawers/cabinets when we are not around.

Article 27

Clean screen policy

The Clean Screen Policy is another rule that we follow consistently in the company. We regularly close open databases when we no longer need them. Computers are locked whenever employees are not present. To provide additional protection, after a certain period of inactivity, a screen saver is activated, which is not only removed by moving the mouse, but also requires a real password that only the user has.

Article 28

Use of official electronic means

The storage of company data, trade secrets and, in particular, any personal data on company electronic devices is prohibited. Company electronic means may only be used for the processing of such data on the Company’s premises and on a shared protected local area network.

If any corporate electronic device is lost, stolen or damaged, a personal data incident cannot occur as the device does not contain any data, nor does it have direct access to databases without a corresponding internal network, programs, unique usernames and passwords.

Article 29

External contractors – contract processors of personal data

Outsourcers change over the years and are not permanent. At any given time, the Company will compile a list of all contractual processors of personal data, which will always be up to date. A list of current contract processors is attached to the Policy in  Annex 5.

We have a cooperation and personal data processing agreement with each of our external contractors, which sets out the procedures and measures to be taken to protect personal data in order to ensure the highest possible level of information security. It also defines the services or types of processing of personal data provided by each contractor. They may only ever act in accordance with our mandate and may not process or otherwise use the data for any other purpose. They must have at least the same level of protection of personal data as provided for in this Policy and the signed contract.

The same applies to external parties who maintain hardware and software and build or install new hardware or software.

We follow the following policies when choosing a contract processor:

• Careful choice of processor, in particular with regard to data protection,
• a prior review and documentation of the security measures taken by the processor,
• written instructions to the processor (contract),
• the non-disclosure obligation of the processor’s employees,
• the processor has established a Data Protection Officer,
• ensuring the return/destruction of data after termination of the contract,
• a specific right of the controller to control the processor (checking the processor and its activities),
• contractual penalties for infringements.

XIII. RESPONSIBILITY FOR THE IMPLEMENTATION OF SECURITY MEASURES AND PROCEDURES

Article 30

The implementation of the procedures and measures for the protection of personal data and of this Policy shall be the responsibility of the authorised persons designated by the legal representative.

XIV. FINAL PROVISIONS

Article 31

The Rules are a business secret.

The Regulations are available to all staff in physical form from the Director.

The Regulations shall enter into force on 1 October 2020. The information shall be published in the employer’s usual manner.

Ljubljana, 20 September, 2020                                                                         Director Tomaž Ham