DATENSCHUTZBESTIMMUNGEN
GENERAL PROVISIONS
Data of the Controller
The Controller of the website is the one who manages the personal data and determines the purposes and means for the processing of your personal data. Insofar as these terms and conditions specify several controllers, it means that they jointly determine the purposes and methods of processing your personal data (joint controllers).
The Controller of the users’ personal data and this website is:
Name of the legal entity: SAN MARTIN, turizem in gostinstvo d.o.o.
Address of the legal entity: Kojsko 15A
Postcode and place: 5211 Kojsko, Slovenija
VAT number: SI 59769289
Registration number: 1853783000
Contact e-mail: info@sanmartin.si
Contact telephone number: +386 5 330 56 60
Data on the entry in the register or any other public records: 18.8.2003.
Contact person and contact for providing information related to user’s personal data: Mrs. Vesna Valentinčič, info@sanmartin.si
Data of the Processor
The Processor of personal data is the one who processes personal data on behalf of the Controller. The Processor may only process personal data determined in documented instructions by the Controller and only for the purposes determined in documented instructions by the Controller.
Our Processors process users’ personal data in accordance with the applicable legislation, based on an existing contractual relationship which regulates all areas of processing.
The Processors of personal data who processes personal data on behalf of the Controller are:
- Processor: Editor Spletne komunikacije d.o.o., Velika pot 29, 5250 Solkan, Slovenija
Legislation
Slovenian and European legislations are used for the evaluation of this Privacy policy.
This Privacy policy is prepared according to the Personal Data Protection Act (ZVOP-2, Official Gazette of the RS, no. 163/22 and amend.), the Regulation (EU) 2016/679 of the European Parliament and the Council from 27/04/2016 regarding the protection of individuals in personal information processing and the free flow of such information and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), the Electronic Communications Act (ZEKom-2, Official Gazette of the RS, no. 133/22 and amend.), and other Slovenian and European legislation regulating these fields.
Legal principles
The Controller and their Processors respect the general principles related to the processing of the users’ personal data:
1. We process users’ personal data in a legal, fair, and transparent manner.
2. We collect personal data for purposes which are determined in advance, explicit, and legal, and we do not further process the data for other purposes, except for the purposes of scientific or historical research or statistics under certain conditions.
3. We process personal data in the smallest extent possible and for the purposes of processing.
4. We make sure that the processed personal data are accurate and regularly updated, whereby we rectify or erase the inaccurate data.
5. We only keep personal data for as long as it is necessary for the purposes of processing.
6. We ensure adequate protection of personal data, which includes the prevention of unauthorised or unlawful processing and unintentional loss, destruction, or damage of data, by implementing adequate technical and organisational measures.
Website
The Privacy Policy is intended for the users of the website: www.sanmartin.si/en
Additional warnings of the Controller:
The inquiry does not constitute a binding reservation of services. The offer of the provider is binding on the provider and the client when the offer is confirmed by the client.
DEFINITIONS OF TERMS
Privacy Policy
Privacy Policy is an internal act of the Controller and applies to all legal relationships between them, the Processors, and the users. The act determines the rights and obligations of the Controller and the Processors in managing and processing the users’ personal data.
Personal data
Personal data refers to any information related to an identified or identifiable individual who is a natural person. Identified individual is someone whose personal data are identified and processed according to the purposes determined by the Controller. Identifiable individual is someone who can be directly or indirectly identified and whose personal data can be processed according to the purposes determined by the Controller.
User
User is an individual who is a natural person and whose personal data are processed based on a legal or contractual basis which exists between the Controller and the individual or based on an explicit consent provided to the Controller by the individual.
Controller
The Controller determines the purposes and means of processing within the framework of their registered activity and/or legal authorisations. The user is informed in advance on who the Controller and the Processor of their personal data are.
Processor
The Processor processes personal data of individuals on behalf of the Controller, according to their instructions, and within the framework of legitimate purposes and means of processing. The Controller provides the user with data on the Processors of their personal data in this Privacy Policy.
Subprocessor
The Subrocessor processes personal data of individuals on behalf of and according to the instructions of the Processor within the framework of legitimate purposes and means of processing. The Subprocessor is directly responsible to the Processor and the Processor is directly responsible to the Controller.
Processing
Processing of personal data refers to any action or set of actions performed in relation to personal data or set of personal data with or without automated means, which includes actions such as collection, recording, editing, structuring, saving, adjustment or modification, recovery, inspection, use, disclosure by transfer, dissemination or any other way of providing access, adaptation or combining, restriction, erasure, or destruction.
PERSONAL DATA
Processing of personal data
The Controller may process personal data of the website’s users, clients, and individuals of legal entities with which they have a business collaboration.The Privacy Policy determines the manner of the processing of the personal data of such individuals who have concluded a contract or ordered a service, if the processing of personal data is necessary and appropriate for the conclusion of the contract or the order or for fulfilling contractual obligations.
The Privacy Policy also determines the manner of the processing of personal data for which the Controller has a legal basis or for which they have acquired a written consent from the user if the data is entered directly at the Controller’s website.
Legal basis for processing
Legal basis means that the Controller processes personal data of users because the legislation requires them to do so in order to fulfil the legal obligations imposed on the Controller.
In the Republic of Slovenia, legal obligations of processing of certain personal data are mainly determined by:
1. the Value Added Tax Act ZDDV-1;
2. the Rules on the implementation of the Value Added Tax Act;
3. the Tax Procedure Act;
4. the Companies Act,
5. the Slovenian Accounting Standards;
6. the Accounting Act.
If the Processor is processing personal data of the user because the user performed an online purchase or ordered a service from the Controller, they shall keep the invoice for 10 years (as well as the data of the user/buyer on the invoice).
Contractual basis for processing
Contractual basis for processing of personal data of users means that the processing is necessary for:
1. fulfilling the contract whose contracting party is the user to whom the personal data relate; or
2. implementing measures at the request of such user before concluding the contract.
The Controller provides the user with information on the processing of their personal data in this Privacy Policy and, when needed, with notifications on their website.
The Controller does not require an explicit consent for contractual processing of the user’s personal data.
If the user fails to provide all the personal data that the Controller needs to fulfil the contractual obligation, the Controller is unable to complete the user’s order. The Controller undertakes to only collect and process personal data from the user in the scope needed to fulfil the contract.
Explicit consent as legal basis
Explicit consent is the basis for the processing of the personal data for processing of which the Controller has no legal or contractual basis.The Controller provides the user with an option to submit explicit consent, when needed, whereby the confirmation box is not checked in advance. The user’s personal consent is their voluntary expression of will that their personal data can be processed in a certain manner and is given based on the information that the Controller provides them with this Privacy Policy and directly at the website, before the user explicitly consents to the processing.
The individual purposes for such processing of personal data are stated by the Controller at the website, where the user can submit their consent. The Controller shall inform the user on the purposes of processing in an accessible form and in a clear and simple language and shall give the user the option of explicit consent for each individual purpose.
The Controller shall ensure the user the right to withdraw their explicit consent at any time and in a simple manner. Cancellation of the consent does not affect the lawfulness of the processing on the basis of the consent before its cancellation.
Public interest
The Controller may process personal data of users if the processing is necessary for:
1. performing tasks in the public interest, or
2. exercising public authority given to the Controller.
Legitimate interest
If the processing is necessary due to a legitimate interest of the Controller or a third party, the Controller can process the personal data of users in the extent strictly necessary to fulfil these legitimate interests, provided that these interests are not overruled by the interests and fundamental rights and freedoms of the user to whom the personal data relate, particularly when the processing involves personal data of individuals under 16 years of age.
Protection of the interests of natural persons
The Controller can process personal data if the processing is necessary for the protection of vital interests of the user or other natural person.
Type of personal data
Types of users’ personal data processed for the purposes determined in advance include:
- name and surname
- address of permanent or temporary residence
- post name and place
- e-mail address
- telephone number
- IP address
- cookie ID
- other: In the case of confirmed reservations, the provider (controller) also processes personal data necessary for the provision of services: gender, credit card number or bank account number, personal identification number (EMŠO) and date of birth.
Purpose of collection of personal data
The Controller processes personal data of users for the following purposes and, at the same time, defines the legal basis for the processing of these data and determines whether the user’s explicit consent is necessary or not:
- Fulfilment of contractual obligation (the user’s order of a product or service), contractual basis, explicit consent is NOT necessary.
- Sending of information and notifications arising from contractual obligation (subscription to online news without marketing content), contractual basis and legitimate interest, explicit consent is NOT necessary.
- Replying to users’ enquiries (fulfilling an enquiry form and/or a contact form), contractual basis and legitimate interest, explicit consent is NOT necessary.
- Sending advertising messages, advertisements, and promotions not arising from contractual obligation (subscription to online news with marketing content), explicit consent IS necessary.
- Profiling users for the purposes of targeted advertisement, including remarketing (non-anonymous profiling, use of Google Analytics, Facebook tools, etc.), explicit consent for installing cookies which enable such profiling, explicit consent IS necessary.
- Market researches and statistics for the purposes of performing the Controller’s activity (anonymous, without the processing of the users’ personal data), legitimate interest, explicit consent is NOT necessary.
New purposes for the processing of personal data
The Controller can only process personal data for new purposes for which they do not have an adequate legal basis nor an explicit consent, if they provide the user with all the necessary information for the processing of their personal data for new purposes and obtain from the user a new explicit consent for the processing of personal data.
The Controller may transfer personal data of users to third parties only in case of criminal and civil proceedings in the extent permitted by the legislation.
Cookies
When the user visits the Controller’s website, the Controller informs them on the use of cookies by providing a visible notification on the website. In the notification, the Controller provides updated data on cookies, mainly:
1. types and names of cookies
2. purpose of their use and
3. duration of each individual cookie.
The Controller shall provide the notification without consent when using the following cookies:
1. cookies necessary solely for transferring messages through the electronic communication network and
2. cookies which are essential to ensure the information society service explicitly requested by the client or user.
In all other cases, the Controller shall provide the notification with user consent and inform the user on the possibility to change the settings of cookies. The Controller shall not use cookies that require user’s consent to install without the explicit consent of the user. The Controller shall ensure the possibility of subsequent change of user’s consent by keeping the notification at the website visible.
The Controller shall provide the notification at a special link on the website.
USER RIGHTS
General information on rights
The user may request form the Controller the following:
1. access to personal data;
2. rectification of personal data;
3. erasure of personal data (right to be “forgotten”);
4. restriction of processing of personal data;
5. objection to processing of personal data; and6. portability of personal data.
The Controller shall respond to the user’s request within no later than 30 days after receiving the request.
Right to access data
The user has the right to receive confirmation from the Controller on whether or not personal data related to them are being processed.
The Controller shall provide the information on:
1. the purposes of processing;
2. the categories of personal data that they process;
3. the processors to whom personal data were transferred for processing or disclosed;
4. the anticipated time of retention of personal data;
5. the user rights to erasure and rectification of data, and to restriction of processing or objection to processing;
6. the right to lodge a complaint with a supervisory body;
7. the sources from which the Controller received the data, provided that they were not submitted for processing by the user; and
8. the existence of automated decision-making, including profiling.
The user may exercise this right through this form: EN - Exercising_rights_form
Right of rectification
The user may request from the Controller to without undue delay:
1. rectify inaccurate data concerning the user which are processed by the Controller (or their processors) or
2. complete incomplete personal data.
The Controller provides the following form for submitting a supplementary statement: EN - Exercising_rights_form
Right of erasure
The user may request from the Controller to erase the user’s personal data without undue delay if at least one of the following conditions is met:
1. The personal data is no longer required for the purpose for which they were collected or otherwise processed.
2. The user withdraws the consent given to the Controller for the processing, whereby there is no other legal basis for the processing.
3. The user objects to the processing of their personal data for the following reasons:
3.1. Personal data are processed for the purposes of the public interest.
3.2. Personal data are processed for legitimate interests of the Controller.
3.3. Personal data are processed for the purposes of direct marketing and/or profiling.
4. The personal data have been unlawfully processed.
5. The personal data must be erased to comply with a legal obligation imposed to the Controller by the legislation.6. The personal data was collected in connection with offering information society services to a person younger than 16.
The user may exercise their right to erasure of personal data through this form: EN - Exercising_rights_form
Right to restriction of processing
The user may request from the Controller the restriction of processing in one of the following cases:
1. The accuracy of the personal data is contested by the user, for a period enabling the Controller to verify the accuracy of the personal data.
2. The processing of the user’s personal data is unlawful, and the user opposes the erasure of the personal data and requests the restriction of their processing or use instead.
3. The controller no longer needs the personal data for the purposes of the processing for which they had a legal basis or the explicit consent of the user, but they are required for the establishment, exercise, or defence of legal claims.
4. The user has submitted an objection (right to object) pending the verification whether the legitimate grounds of the Controller override those of the user to whom the personal data relate.
When the user is exercising this right, the Controller may only save their data and only process them if:
1. the user provided (subsequent) explicit consent;
2. required for the establishment, exercise, or defence of legal claims;
3. required for the protection of rights of other users (natural or legal persons); and
4. required for an important public interest of the European Union or the Republic of Slovenia.
The user may exercise this right through this form: EN - Exercising_rights_form
Right to data portability
The user has the right to receive from the Controller the personal data concerning them which are being processed by the Controller. The Controller must provide the user these data in:
1. a structured format;
2. commonly used format;
3. machine-readable format, which allows the user to read the information without any problems.
The user also has the right to transmit the obtained data to another controller without hindrance from us, the Controller, if:
1. the data was processed based on an explicit consent and
2. the processing is carried out by automated means.
The user has the right to have their data transmitted from one controller to another, where technically feasible.
The user may exercise this right through this form: EN - Exercising_rights_form
Right to object
The user may at any time object to the processing of personal data concerning them, when the Controller processes their personal data:
1. in public interest or
2. for legitimate interests of the Controller, including profiling of this user.
The Controller shall not cease to process the user’s personal data at the request of the user if:
1. they can prove the existence of necessary legitimate reasons for processing which overrule the interests, rights, and freedoms of the user; or
2. the data are required for the establishment, exercise, or defence of legal claims.
The Controller shall always grant the user’s request when the user objects to the processing of their personal data for the purposes of direct marketing, including profiling to the extent that it is related to direct marketing. The Controller is obliged to stop the processing of such personal data for the purposes of direct marketing.
For this purpose, the Controller shall, at places where they ask the user to consent to processing of their data for the purposes of direct marketing, provide the user with a clear and separate information on the possibility that the user may at any time withdraw their consent and object to the processing of their data for these purposes.
The user may exercise their right to object through this form: EN - Exercising_rights_form
Automated processing and user profiling
The user has the right to not be subject to a decision based solely on automated processing of their data, including profiling, which produces legal effects concerning them or similarly significantly affects them.
The user may not exercise their right to prevent the automated processing of their data, including profiling, if such decision (automated processing) is:
1. necessary for concluding or implementing a contract between the user and the Controller (e.g. online shopping cart);
2. authorised by the law of the European Union or the Republic of Slovenia and which also lays down suitable measures to safeguard the user’s rights and freedoms and legitimate interests (e.g. processing of FURS data); or
3. justified by the user’s explicit consent (e.g. for direct marketing through systems for automated sending of marketing messages).
Where explicit consent is required, the Controller shall provide the user with suitable notifications and a confirmation window for explicit consent.
Right to exemption
In any form of direct marketing, the Controller is bound to provide the user with the possibility to enforce their right to exemption, given to them by the legislation, with an e-mail notification.
The Controller shall within 15 days stop the use of personal data for the purposes of direct marketing and inform that to the user who submitted this request in a written form within the following five days or in an otherwise agreed manner.
Right to file a complaint
If the user believes that their rights from this Privacy Policy have been violated, they may file a complaint with the competent supervisory authority, which in the Republic of Slovenia is: the Office of the Information Commissioner.
COPYRIGHT
Texts on the website
It is prohibited to copy or otherwise use the content and texts on the Controller’s website outside the needs of the collaboration between the Controller and the user, unless otherwise stated on the website. Any copyright interference is considered as violation of intellectual property rights and may be subject to suitable legal procedures initiated by the Controller.
Photos and audiovisual works at the website
All photos, videos, and other audiovisual works published on the website are copyright work and property and/or in possession of the Controller and they must not be copied or otherwise used outside the needs of the collaboration between the Controller and the user, unless otherwise stated on the website.
Any copyright interference is considered as violation of intellectual property rights and may be subject to suitable legal procedures initiated by the Controller.
FINAL PROVISIONS
Binding nature of legal conditions
1. The Privacy Policy applies to all those who use the website and provide the Controller with personal data so that the Controller can manage and further process them.
2. The Privacy Policy is binding for the Controller, the Processors, and the users in the area of submitting, managing, and processing the user’s personal data as well as in enforcing the rights of the users and the obligations of the Controller and the Processors.
3. Privacy Policy is an integral part of any processing of personal data in accordance with the priorly determined purposes, bases for processing, the user’s consent, and the categories of personal data subject to future processing.
4. The user is informed in advanced with this Privacy Policy, which is available at the Controller’s website and at all the forms and actions where the user may submit their personal data to processing.
Changes to the Privacy Policy
1. The Controller shall regularly update the Privacy Policy according to the changes in the legislation.
2. The Controller shall inform the users on any changes regularly and timely, in a written form with an electronic message.
3. The Controller shall provide an archive of changes to the Privacy Policy which will be made available to every user upon their prior written request submitted at the Controller’s contact e-mail address.
Settlement of disputes
The Controller and the user shall strive to solve any potential disagreements and disputes peacefully and by mutual agreement. If mutual agreement is not possible, disputes shall be resolved by the competent court of the Controller’s headquarters in the Republic of Slovenia.
Territorial validity
The Privacy Policy applies to all users regardless of the country of access and to all types of personal data processing regardless of the user’s headquarters.
Temporal validity
The legal conditions apply from: 05.01.2024 10:41