DOVOS, d. o. o. has incorporated the provisions of the General Data Protection Regulation (GDPR) into its internal rules and regulations and operational procedures. Through the adoption of these internal rules and regulations, the rights of individuals and the obligations of persons processing personal data have been defined in greater detail. The company has also adopted a decision appointing a Data Protection Officer (DPO).

For the purpose of enabling individuals to exercise their rights, the rules governing the exercise of individual rights are set out below

i) Fundamental Principles Relating to the Collection and Processing of Personal Data

relation to the data subject (principle of lawfulness, fairness and transparency). Personal data may be collected only for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes (principle of purpose limitation). Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (principle of data minimisation). Personal data must be accurate and, where necessary, kept up to date (principle of accuracy). Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods where they are processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, in accordance with ZVOP-2 and the GDPR, provided that appropriate technical and organisational measures are implemented to safeguard the rights and freedoms of the data subject (principle of storage limitation). Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (principle of integrity and confidentiality).

ii) Personal Data Filing Systems and Their Description in the Register

Where personal data are collected and processed within the company for a specific purpose, such data must be included in one of the company’s personal data filing systems. Each personal data filing system must be described in the register of personal data filing systems. An individual personal data filing system includes all personal data collected and processed for the same purpose, irrespective of the legal basis for their collection and processing. The description of a personal data filing system in the register includes, in particular: its sequential number and title; details of the controller; the legal basis for the collection and processing of personal data; categories of data subjects; types of personal data; the purpose of processing; the retention period; any restrictions applicable to data subjects; whether personal data are disclosed and, if so, to which recipients; whether personal data are transferred to a third country and, if so, where, to whom and on what legal basis; a general description of the technical and organisational measures for the protection of personal data; information on whether the collected personal data are linked with other filing systems from official records or public registers. As a rule, the description of a personal data filing system must be prepared no later than 15 days prior to the establishment of the filing system. Descriptions of personal data filing systems must be updated whenever the types of personal data processed within a particular filing system change. Access to the register of personal data filing systems, including descriptions of individual filing systems, must be provided to any person who so requests, no later than 15 days from receipt of the request. The register of personal data filing systems, together with descriptions of individual filing systems, is publicly available on the website of DOVOS, d. o. o.

In order to comply with the principle of lawful processing, the company may process personal data within a personal data filing system only where:

  • the processing of such personal data is laid down by law, or
  • the processing is necessary for the performance of a contract to which the data subject is a party, or
  • the data subject has given consent to the processing of specific personal data, or
  • the processing is carried out for other purposes permitted under the GDPR or applicable legislation.

Personal data may be collected only for specified and lawful purposes and must not be further processed in a manner incompatible with those purposes, unless otherwise provided by law. Special categories of personal data may be processed only where conditions for enhanced protection are ensured within the company and appropriate additional measures are in place to safeguard the rights, freedoms and legitimate interests of the data subject. Whether the conditions for enhanced protection and additional measures are fulfilled is assessed by the sector director and the Data Protection Officer, who also determine the manner in which additional security measures are to be implemented. Where the collection and processing of personal data are prescribed by law, such law must also define the purpose of processing, the types of personal data processed, the categories of data subjects and the retention period. Where the collection and processing of personal data are based on the consent of the data subject, the person responsible for the personal data filing system must ensure that the data subject is informed, at the time consent is given, of the rights conferred upon them under the GDPR and applicable legislation. For the purpose of demonstrating the lawfulness of processing, the responsible person must also ensure that the data subject’s consent, in written or electronic form, is included in the relevant filing system or an annex thereto.

iv) Rights of the Data Subject

Data subjects are entitled to exercise all rights conferred upon them under Chapter III of the General Data Protection Regulation (GDPR) and applicable legislation. The data subject has the right to be informed of all personal data collected and processed about them by the company, including information on the sources of such data, the methods of processing, the purposes of processing, the types of personal data processed, and all related explanations. Information on the manner in which data subjects may exercise their rights is available on the website of DOVOS, d. o. o. For communication purposes, data subjects may use the email address info@dovos.si,to which they may also submit their requests. Upon receipt of a formal request, DOVOS, d. o. o. shall, within 15 days, provide confirmation either that the data subject’s personal data are not being processed or that such processing is taking place. Where processing is confirmed, DOVOS, d. o. o. shall inform the data subject of the personal data filing system in which the data are recorded. The specific content of the personal data is not disclosed at this stage. If a data subject wishes to access specific personal data or the content of personal data relating to them or to a person under their guardianship, the data subject shall, after obtaining information on the number and title of the relevant filing system in which such data are contained, submit an additional formal request to info@dovos.si. Data subjects may also exercise their rights to erasure, rectification or restriction of processing, or object to processing, by submitting a request to the same contact address.

Upon prior arrangement, data subjects may inspect, copy or obtain photocopies of their personal data at the company’s premises, within 15 days of submitting a request. In such cases, identity will be verified by means of an official identity document. Requests to inspect, copy or obtain photocopies may be refused where the legal conditions for access are not fulfilled. In such cases, the data subject will be informed in writing of the reasons for refusal within 15 days, together with information on available legal remedies. Data subjects are entitled to obtain an extract of their personal data, a list of recipients to whom the data have been disclosed, information on the timing, legal basis and purpose of such disclosures, and details of data sources, processing purposes and categories of personal data, together with any explanations required. Such information shall be provided within 30 days of receipt of the request, either on an appropriate data medium or via an information system. The manager of the relevant personal data filing system is responsible for ensuring lawful handling of requests, accurate record-keeping of disclosures, and documentation of the legal basis for each disclosure. Where a data subject believes that their personal data are inaccurate, incomplete, outdated, unlawfully processed, or objects to processing based on prior consent, they may request rectification, completion, erasure, restriction or object to processing. The filing system manager shall decide on requests for erasure, completion, rectification or blocking within 15 days of receipt of the request. If a request is refused, the filing system manager shall notify the applicant in writing of the reasons for the refusal within 15 days of receipt of the request and inform them of the possibility of judicial protection. All responses to requests relating to the content of personal data shall be prepared by the manager of the relevant filing system. Prior to providing a response or disclosing specific personal data to a data subject, the filing system manager shall obtain the prior written approval of the Data Protection Officer. The filing system managers shall inform the Data Protection Officer of all communications relating to the exercise of data subjects’ rights. The Data Protection Officer shall maintain a central register of all requests submitted by data subjects and all responses provided.

v) Retention and Deletion of Personal Data

Personal data are retained only for as long as necessary to fulfil the purposes for which they are collected, or for such longer period as may be required by law. The applicable retention period for each personal data filing system is set out in the relevant description contained in the annex. Once the retention period has expired, personal data are deleted, destroyed, restricted or anonymised, unless applicable legislation provides otherwise for specific categories of personal data (for example, archival material). Where personal data are deleted either following the expiry of the retention period or at the request of the data subject, deletion is carried out using methods that prevent the reconstruction of the deleted data, in whole or in part. Data storage media containing personal data are destroyed in a manner that ensures the data are rendered unidentifiable and irrecoverable. Only the manager of the relevant personal data filing system is authorised to delete personal data or to order their deletion in accordance with the procedures described above. The manager of the personal data filing system is responsible for ensuring the lawful retention and timely, appropriate deletion of personal data.

vi) Response to Suspicious Activities, Risks and Personal Data Incidents

Any activity that may indicate unauthorised disclosure or destruction of personal data, unauthorised or malicious use, misappropriation, alteration or damage of personal data or data storage media (suspicious activity) must be reported immediately to the manager of the relevant personal data filing system and to the Data Protection Officer (DPO).

Any identified risk resulting from deficiencies in the personal data protection system, or from organisational, technical or logical security measures or procedures that fail to ensure an adequate level of personal data protection, must likewise be reported without delay to the manager of the personal data filing system concerned. Where a risk arises from deficiencies in the information system, the sector director must be notified immediately and is responsible for ensuring that appropriate remedial action is taken without delay. Any person who becomes aware of a personal data breach must immediately inform both the manager of the relevant personal data filing system and the Data Protection Officer (DPO) of the nature of the breach and, where known, the person responsible for the breach. If the breach is attributable to the filing system manager, the matter must be reported directly to the DPO. The filing system manager and/or the DPO shall take immediate action to ensure that the breach is brought to an end. Any person who becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that are transmitted, stored or otherwise processed is required to notify the sector director and the Data Protection Officer (DPO) without delay. In cooperation with the manager of the relevant personal data filing system, the sector director and the DPO shall assess the incident and take all necessary urgent measures to prevent its escalation. The DPO shall immediately inform the company’s management of the incident. In such cases, the DPO shall ensure that the Information Commissioner is formally notified of the personal data breach in accordance with Article 33 of the GDPR, no later than 72 hours after becoming aware of it. Where required, the DPO shall also ensure that the data subject whose personal data were affected by the incident is informed without undue delay.

Any questions or requests regarding the exercise of data-subject rights may be submitted to info@dovos.si