Personal Data Protection Policy at Multiverse, Andreja Košir s.p.
Information about the personal data controller:
Multiverse, Andreja Košir s.p., with registered office and management address at Zgornje Jezersko 132A, 4206 Zgornje Jezersko; e-mail: firstname.lastname@example.org.
Multiverse, Andreja Košir s.p. as the controller of personal data respects your right to confidentiality of your information and data. This policy informs you of the purpose, basis and manner in which we collect, process, store and disclose your personal data in order to preserve your privacy. We therefore ask you to familiarise yourself carefully with its contents.
Our main objective in handling personal data
Multiverse, Andreja Košir s.p. processes your personal data as securely as possible, based on the existing legal obligations and contractual relationships between the company and you arising from the activities carried out.
The security of the data you entrust to us is very important to us. It is of great importance to our success and our public image, which is why we protect your data by using all appropriate technical and organisational means at our disposal and by following the requirements of Regulation (EU) 2016/679. Through these means, we will not allow unauthorised access, unauthorised or malicious use, loss or premature deletion of information.
We only collect and process personal data in accordance with the requirements of local and European law. We understand that the processing of your data is related to a specific reason and cannot be carried out without restriction.
This “Personal Data Protection Policy” aims to explain to you the purposes for which we process your personal data, the categories of personal data that are processed, the categories of recipients to whom your personal data may be disclosed, as well as the rights you have when your personal data is processed. It has been adopted and implemented by the data controller – Multiverse, Andreja Košir s.p., in accordance with its main obligations, namely: adopting instructions for the processing of personal data; prescribing and implementing an adequate level of protection of personal data.
Objectives and scope of the personal data protection policy:
The current policy follows the territorial and material scope of Regulation (EU) 2016/679 and its main objectives. It shall be applied by the Data Protection Manager and all its employees.
Multiverse, Andreja Košir s.p. requires the collection and processing of personal data for the lawful, efficient and complete performance of its activities. This relates to personal data of employees, customers and other entities with whom we have or wish to have a relationship.
Categories of personal data and purposes of processing
Multiverse, Andreja Košir s.p. processes personal data of various subjects on certain grounds, depending on the objectives pursued. In accordance with the principles of legality, good faith, transparency and information, and for the convenience of the subjects of personal data, the company has integrated a Notice for the processing of personal data when visiting the exploringforest.com website – this document can be consulted electronically on the company’s website.
Multiverse, Andreja Košir s.p. does not collect or process, for the sole purpose of identification, personal data:
revealing racial or ethnic origin;
disclosing political, religious or philosophical beliefs or trade union membership;
consisting of genetic data, or data concerning sex life or sexual orientation.
The controller shall not collect personal data of persons under the age of 14 without the explicit consent of their parents.
The controller does not carry out “automated individual decision-making, including profiling”.
The Policy does not apply to the processing of personal data of a data subject – a natural person, in the context of his/her purely personal or household-related activities.
Grounds for processing personal data
Multiverse, Andreja Košir s.p. collects and processes personal data only for specified purposes. The basis is specific and varies according to the purpose pursued and may be:
– To comply with our legal obligations under Article 6(1)(C) of Regulation (EU) 2016/679, we process your personal data in order to comply with the obligations imposed by the legal acts governing the activity we carry out, such as: KT, CSR, VAT, etc.;
– for the performance of a contract – employment, civil, labour or other contractual relationship; to act at the request of the data subject prior to the conclusion of the contract; the protection of legitimate interest, pursuant to Article 6, paragraph 1, letters (B) and (E) of Regulation (EU) 2016/679;
– If necessary, where the purpose or a legal obligation so requires – Multiverse, Andreja Košir s.p. will request your explicit and freely given consent for the processing of personal data.
How we protect your personal data
In order to ensure adequate data protection for our employees, customers and partners, we implement all necessary organisational and technical measures required by the Personal Data Protection Act and Regulation (EU) 2016/679 of 27 April 2016, as well as the protection of personal data in the planning phase and the default protection of personal data.
The protection of personal data at the planning stage is expressed in the appropriate technical and organisational measures that we put in place prior to the start of the processing of personal data (at the stage of determining the purposes and means of the processing), and we ensure that they are implemented throughout the data life cycle. Our relevant measures include encryption of data, introduction of functionality for automatic reporting of retention periods and their automatic deletion upon expiry, etc.
We protect personal data by implementing mechanisms that ensure the following requirements are met by default:
Only the minimum amount of personal data strictly necessary to achieve our specific purpose is processed and processing operations are carried out;
Personal data contained in documents on electronic media and in the company’s electronic workflow optimisation system is encrypted and stored on a local file server accessible by individual user name and password;
Licensed software and certificates have been used to electronically secure the systems and the website;
Documents containing personal data are stored in drawers and filing cabinets with restricted access;
Employees do not leave documents unattended;
Access to personal data is restricted to employees who need the relevant information to perform their duties;
Personal information is not shared with other employees unless it is necessary for the performance of their duties;
Employees are trained in the correct implementation of Regulation (EU) 2016/679;
The data is kept for a minimum period – strictly necessary to achieve the purposes of the processing, after which it is deleted in accordance with the relevant rules and procedures;
Data for which the reason for collection has ceased to exist shall be irretrievably destroyed by means of an erasure protocol;
Any access, transfer or sharing of data is only permitted if there is a valid legal basis for doing so (for example, the data subject’s consent or our legal obligations).
Multiverse, Andreja Košir s.p. has the possibility, for security reasons, to introduce an additional key in the work of individual employees, if necessary.
In order to ensure maximum security during the processing, transmission and storage of your data, we may use additional protection mechanisms.
When we delete your personal data
We delete your personal data once we no longer need to process it or once the retention period has expired.
For more detailed information on the different time limits, please refer to section III of the Notice.
When and why we share personal data with third parties
We may share your personal data with third parties, but our main aim is to provide protection of your interests and security in the performance of certain tasks and contractual obligations. We do not share your personal data with third parties until we are satisfied that all technical and organisational measures have been implemented to protect that data and we endeavour to implement strict controls to fulfil this purpose. Please note that, where appropriate, your data is only processed in accordance with instructions given on behalf of the data controller – Multiverse, Andreja Košir s.p. In this case, we remain responsible for the confidentiality and security of your data.
We provide personal data to the following categories of recipients:
Persons who process data on behalf of:
Persons who deal with the management of the overall documentation of the company;
Persons who, under orders, maintain the equipment, software and hardware used for the processing of personal data and necessary for the performance of the company’s activities and for the performance of various reporting, payment activities, etc.;
persons who carry out audits on their behalf;
banking institutions, for the purpose of payment of amounts due in the event of the need to verify your identity;
authorities, institutions and persons to whom we are obliged to provide personal data under applicable law or in connection with the performance of our contractual relations (notaries, PSI, DSI, experts, lawyers – counterparty’s representatives).
Persons who process data on their own behalf:
Competent authorities authorised by a normative act to request the provision of information, including personal data, such as courts, prosecutors’ offices, embassies, various regulatory authorities such as the National Revenue Agency (NAR), Regional Health Authority Inspectorate (RZI), Health Insurance Fund (ZZZS), Labour Inspectorate, Consumer Protection Commission (CPC), Commission for the Protection of Personal Data (CPC), Registration Agency, and authorities with powers to protect national security and public order.
The controller shall take appropriate measures to ensure that the processor of personal data and any natural person acting under his authority processes such data only on his instructions.
In the event of a breach of the security of personal data, the Controller will notify the competent supervisory authority – CPLD as soon as possible.
Your rights in relation to the processing of your personal data:
Right to information and access:
You have the right to request:
Information on whether data relating to you is being processed, information on the purpose of this processing, on the categories of data and on the recipients or categories of recipients to whom the data is disclosed;
a communication in plain language;
a form containing your personal data being processed and any available information on their source;
information about the logic of any automated processing of personal data relating to you, at least in the case of automated decisions.
Right to rectification:
In the event that we process incomplete or incorrect/inaccurate data, you have the right to request at any time:
the erasure, correction or blocking of your personal data the processing of which does not comply with the requirements of the law;
that third parties to whom your personal data has been disclosed be notified of any erasure, rectification or blocking, except in cases where this is impossible or requires excessive effort.
Right to be forgotten:
The right to erasure (or “right to be forgotten”) allows you to request erasure on one of the following grounds in the event that you do not wish your data to be processed and there is no legal basis for retaining it:
the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
you withdraw the consent on which the processing is based;
you object to the processing and there is no overriding legal basis for continuing the processing;
the personal data have been unlawfully processed;
the personal data must be erased in order to comply with a legal obligation.
The “right to be forgotten” is not an absolute right. There are situations in which the controller has the possibility to refuse erasure, namely where the processing of specific data is necessary for one of the following purposes:
the exercise of the right to freedom of expression and information;
archiving for purposes of public interest, historical research or statistical purposes;
for the establishment, exercise or defence of legal claims.
Right to object:
You have the right to object at any time to processing of your personal data, provided that there is a legal basis for doing so; where the objection is well-founded, the personal data of the data subject may no longer be processed.
Right to restriction of processing:
You may request restriction of the processing of your personal data if:
you contest the accuracy of the data for a period during which we need to verify its accuracy; or
the processing of the data is without legal basis but you want to restrict processing instead of erasure; or
we no longer need the data (for the stated purpose) but you need it to assert, exercise or defend legal claims; or
you have lodged an objection to the processing of the data pending verification of the controller’s legitimate grounds.
Right to data portability:
You may request us to transfer the personal data you have entrusted to us for protection to another controller in an organised, tidy, structured, commonly accepted electronic format if:
we are processing the data in accordance with a contract and on the basis of a revocable declaration of consent or on the basis of a contractual obligation; and
the processing is carried out automatically.
Right to complain:
If you believe that we are in breach of applicable law, please contact us to clarify the matter. You have, of course, the right to lodge a complaint with the Data Protection Commission or with the competent court under the Administrative Procedure Code. From 25 May 2018, you can also lodge a complaint with a regulatory authority within the EU.
Right to compensation:
According to Article 39(2) of the Labour Code and Article 82(1) of Regulation (EU) 2016/679, any person who has suffered damage as a result of a breach of the provisions of Regulation (EU) 2016/679 has the right to seek redress by bringing an action before the relevant judicial authority.
Exercising your rights
Requests for access to information or for rectification shall be made in person. We will decide on your request within one month of its submission. If a longer period is objectively necessary to collect all the information requested, and where this seriously impedes our operation, this period may be extended to 30 days. Our decision will grant or refuse access and/or the information requested by the applicant, but we will always give reasons for our response.
The minimum information contained in the application (in accordance with Article 37c of the Labour Code) must be as follows: name, address, TIN/LNC/passport number, description of the request, signature and date of submission, correspondence/email address (depending on the form of retrieval desired), authorisation.
With regard to the rights described above: to information, to rectification, to the ‘right to be forgotten’, to object, to restriction of processing, to lodge a complaint, as well as with regard to the controller’s conduct in relation to these rights, a specific register shall be created in which all the actions carried out shall be recorded.
The first transmission of a reply to a request shall be free of charge.