Privacy Policy for the Protection of Personal Data

1. Introduction

 Company Letim, Letim (hereinafter referred to as "Letim") recognizes the responsibility of handling personal data of its clients, potential clients, visitors to Letim websites, and all individuals who disclose their personal data to us during contact (hereinafter referred to as "users"). Therefore, we adopt this Privacy Policy (hereinafter referred to as "Policy"), which transparently, understandably, and simply informs our users about the purposes and legal basis for processing their personal data, as well as their rights related to data processing, as provided to them by the Personal Data Protection Act (ZVOP-1, Ur. l. RS, št. 94/2007) and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "General Data Protection Regulation"). 

Terms such as "controller," "processing," "restriction of processing," "processor," "profiling," "pseudonymization," "third party," and "company," used in this Policy, have the meaning as defined by the General Data Protection Regulation. 

The Policy, in accordance with the General Data Protection Regulation, governs the following areas: 

  • contact information of the controller and contact of the authorized person for data protection,
  • purposes and legal bases for processing different types of users' personal data, including profiling of users' personal data,
  • uporabnike osebnih podatkov, pogodbeno obdelavo in posredovanje podatkov v tretje države,
  • retention period for individual types of personal data, 
  • care for the security of personal data,
  • users' rights regarding the processing of personal data, 
  • procedure for exercising users' rights regarding the processing of personal data,
  • right to lodge a complaint regarding the processing of personal data. 

 

2. Information about the controller and the person authorized for data protection

Controller The controller of users' personal data is Letim,Ulica Brigade Moris 12, 1330 Kočevje. Letim is designated as the authorized person for data protection, who can be contacted at the email address  toni@letim.si.
 

3. Personal data

A personal data is information that identifies you as a specific or identifiable individual. A user is considered identifiable when they can be directly or indirectly identified, especially by reference to an identifier such as a name, identification number, location data, online identifier, or by reference to one or more factors specific to the user's physical, physiological, genetic, mental, economic, cultural, or social identity. The controller collects the following personal data in accordance with the purposes defined in the Policy below:

  • basic data about the user (name and surname, title, address),
  • contact details and information about the user's communication with the controller (email address, telephone number, date, time, and content of postal or email communication, date, time, and duration of telephone calls)
  • information about participation in events organized by the Church of Kočevje (data about the event you attended, location and date of the event),
  • channel and campaign – the method of acquiring the user or the source through which the user came into contact with the controller (website and advertising campaign or action),
  • data about the user's use of the controller's website (dates and times of website visits, visited pages or URLs, time spent on each page, number of pages visited, total time spent on the website, settings made on the website) and data about the use of received messages (email, SMS) from the controller,
  • data from forms voluntarily filled out by the user, e.g., in the context of contests,
  • other data that the user voluntarily provides to the controller upon request for certain services that require such data.


The controller does not collect or process users' personal data unless the user allows it or consents to it, i.e., when ordering products or services, subscribing to newsletters, participating in contests, etc. The processing is also allowed when there is a legal basis for collecting personal data, when the processing is necessary for the fulfillment of contractual obligations, or when the processing is necessary for the legitimate interests pursued by the controller (hereinafter referred to as "legitimate interest").
 

4. Legal bases for processing and purposes of processing

Letim will process your personal data for one of the purposes listed below based on the following legal bases:

  • your consent or approval,
  • fulfillment of the controller's legal obligations,
  • based on legitimate interest,
  • fulfillment of contractual obligations.


Letim will process your personal data solely for the purposes for which it was obtained and will not process it for purposes that are incompatible with the purposes for which it was collected. Letim collects only those personal data from the user that are necessary to achieve each specific purpose. 

Processing for the fulfillment of contractual obligations 

In certain cases, the processing of personal data is necessary for the fulfillment of the controller's contractual obligations. If the user does not provide the necessary data, the controller cannot conclude a contract with the user or perform the service. 

The controller will process your personal data to fulfill contractual obligations for the following purposes:

  • contractual arrangement of business cooperation,
  • execution of activities specified in the cooperation agreement,
  • communication with contractors and other contact persons of the client for the purpose of carrying out activities specified in the cooperation agreement,


Processing based on consent or approval

Letim will process your personal data based on your written consent for the following purposes: 

  • for sending emails to inform about news, services, as well as events at the controller or with third parties,
  • for monitoring the reading of sent emails, specifically which email you opened or did not open, which links you opened or clicked (which content you read or viewed), and how long you read or viewed each piece of content,
  • for segmenting users based on the facts from the previous point and further sending personalized (individualized) emails, meaning that different users may receive emails with different content for the purpose of better (more relevant) communication and achieving a higher response rate to the sent emails,
  • for the purpose of analyzing the user’s journey on the website: where the user came from to the website (traffic source), to monitor the time spent on the website, which web pages they visited, and which content they downloaded or viewed,
  • for segmenting users based on the facts from the previous point and further sending personalized (individualized) messages through multichannel communication, meaning that different users may receive messages with different content for the purpose of better (more relevant) communication with individuals and achieving a higher level of user engagement,
  • for all other purposes for which you specifically consent while engaging with the controller.


In all cases where you give consent for the processing of your personal data, you can withdraw that consent at any time via the email address toni@letim.si. 

Processing is necessary for the fulfillment of Letim's legal obligations.

We also process your personal data when required by law. An example of the purpose of such processing is the processing of your personal data for judicial or administrative proceedings.  

Processing based on the legitimate interest pursued by Letim

The controller may also process data based on legitimate interest, unless the interests or fundamental rights and freedoms of the user to whom the personal data relates, requiring protection of personal data, prevail over such interests. In the case of using legitimate interest, the controller always conducts an assessment in accordance with  the General Data Protection Regulation

In certain cases, Letim may implement specific safeguards for the protection of your personal data, such as pseudonymization, encryption, processing in aggregated form, and/or deleting certain types of personal data for further processing based on legitimate interest, collected on the basis of one of the aforementioned legal bases (consent, contract). 

Letim will process your personal data based on legitimate interest for the following purposes: 

  • Marketing, business, and other technical analyses, such as analyzing and determining which organizations the event participants come from, keeping records of how many and which events the user has attended, and maintaining records related to the certificates, certifications, and licenses awarded to event participants. 
  • Preventing abuse, ensuring security, enforcing claims, or defending against claims in administrative and judicial proceedings. Thus, the controller may, in the case of suspected abuse, process your personal data to identify and prevent potential fraud or abuse to an appropriate and proportionate extent, and may, if appropriate, also provide this data to the police, the public prosecutor's office, or other competent authorities.
  • Direct marketing, including user profiling, based on previously lawfully obtained personal data. You may object to the aforementioned processing at any time in accordance with the chapter Right to Object in this Policy.  

 

5. Consent of a person under 16 years of age regarding information society services.

A person under the age of 16 may not provide personal data to the Controller or otherwise make it available when consent is required for such processing. On this legal basis, the personal data of a person under the age of 16 may only be processed if consent is given or approved by the holder of parental responsibility for the child (one of the parents or guardians).

The Controller will never knowingly collect personal data from individuals that it is aware are under 16 years of age, nor will it use or disclose such data to any unauthorized third party without the consent of the holder of parental responsibility for the child. The Controller makes reasonable efforts, taking into account available technology, to verify whether the holder of parental responsibility for the child has given or approved consent in such cases.

The rules regarding the validity, formation, or effect of a contract concerning a child are assessed in accordance with applicable Slovenian law.

6. Users of personal data, contractual processing, and data transfer to third countries (countries that are not members of the European Union or the European Economic Area).

Only employees of the company Letim and data processors who are directly authorized for this purpose may access your personal data. 

Letim will never share your personal data with unauthorized third parties. 

By using the websites and other services of Letim, you agree that Letim may delegate certain tasks related to your personal data to the processors listed below. The mentioned processors may process your personal data solely on behalf of and in accordance with the written instructions of Letim, within the limits of the authorization as defined in the contract between Letim and the processor, and in accordance with the purposes outlined in the Policy. The processors of your personal data must not use them under any circumstances to pursue any of their own interests.  

 

7. Retention Period of Personal Data 

The data controller does not process personal data longer than necessary to achieve the purposes for which the personal data was collected and further processed. 

Personal data that Letim processes for the execution of a contract is retained for the period necessary to fulfill the contract and for an additional 5 years after its termination, unless a dispute arises between you and the controller regarding the contract. In such cases, Letim will retain the data for an additional 5 years after the final judgment of a court or arbitration decision, or settlement, or if no court dispute occurred, for 5 years from the date of peaceful resolution of the dispute.

Personal data that Letim processes based on the law is retained for the period prescribed by law. 

Personal data that the controller processes based on your consent or legitimate interest is retained by Letim indefinitely until you revoke your consent or request the cessation of processing. Letim will delete such data before the revocation only if the purpose of processing the personal data has already been achieved or if required by law.

After the retention period expires, the Letim will effectively and permanently delete or anonymize your personal data, ensuring that it can no longer be linked to you.
 

8. Security of Personal Data

Letim is committed to protecting your personal data. It prevents unauthorized access, use, and disclosure of your data through the following measures

  • the data is protected by physical spaces, equipment, and system software, including input-output devices, 
  • the application software that processes personal data protects the data, 
  • Letim prevents unauthorized access to personal data during their transmission, including transmission via telecommunications means and networks, 
  • Letim provides an effective method for blocking, destroying, deleting, or anonymizing personal data when the purpose for which it was collected ceases,
  • This allows for later determination of when specific data was entered into the personal data collection, used, shared, or otherwise processed, and who performed | these actions.


Unauthorized access to personal data, their use, and disclosure is prevented by Letim through the following security technologies and procedures:

  • control of physical access,
  • locking of rooms, cabinets, computers,
  • storing personal data carriers in secure premises,
  • preventing access to personal data by maintenance personnel, clients, and other visitors to the premises of the contractual processor,
  • preventing the use of passwords by individuals to whom the password has not been directly assigned or for purposes other than those specified,
  • limiting the export of data by employees,
  • controlling copies and exports of data,
  • limited, recorded, and secured transmission of data over telecommunications networks,
  • revoking data from individuals whose contract with the contractual processor has ended,
  • strict separation from the data of other potential controllers.

 

9. User rights related to personal data protection

In accordance with the General Data Protection Regulation, Letim ensures the following rights related to personal data protection, which are further detailed in the subsequent sections of the Policy:

  • the right of access to data,
  • the right to rectification, 
  • the right to erasure (»right to be forgotten«), 
  • the right to restrict processing,
  • the right to data portability, 
  • the right to object. 

the right of access to data. 

From Letim, you have the right to obtain confirmation of whether Letim is processing your personal data. If this is the case, you have the right to access your personal data and the following information related to the processing of personal data: 

  • purposes of processing,
  • types of personal data,
  • users or categories of users to whom your personal data have been or will be disclosed, especially users in third countries or international organizations,
  • whenever possible, the intended period for the retention of personal data or, if this is not possible, the criteria used to determine this period,
  • the existence of the right to request from the controller the rectification or erasure of personal data, or the restriction of the processing of personal data concerning the user to whom the personal data relates, or the existence of the right to object to such processing, 
  • the right to lodge a complaint with a supervisory authority, 
  • when personal data is not collected from the user, all available information regarding its source, 
  • the existence of automated decision-making, including profiling, as well as meaningful information about the logic involved, and the significance and intended consequences of such processing for the user. 

The right to erasure ("right to be forgotten"). 

You have the right to request from Letim the erasure of your personal data without undue delay, and Letim is obliged to erase your personal data without undue delay in the following cases: 

  • when the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, 
  • when you withdraw the consent on which the processing of your personal data is based, and there is no other legal basis for the processing, 
  • when you object to the processing based on the legitimate interests of the controller, and there are no overriding legitimate grounds for the processing, 
  • when you object to the processing for the purposes of direct marketing,
  • when the personal data needs to be erased to comply with a legal obligation under EU law or Slovenian law.


When Letim publishes your personal data in accordance with the Policy, Letim takes reasonable measures, including technical ones, to inform controllers processing your personal data that the user to whom the personal data relates requests them to delete any links to that personal data or their copies. 

The right to restriction of processing. 

You have the right to request that Letim restrict the processing of your personal data when one of the following applies: 

  • when you contest the accuracy of the data, for a period that allows the controller to verify the accuracy of your personal data,
  • when the processing is unlawful and you oppose the erasure of personal data and instead request the restriction of its use,
  • when Letim no longer needs the personal data for processing purposes, but you require it for the establishment, exercise, or defense of legal claims,
  • when you have lodged an objection to the processing, pending the verification of whether the legitimate grounds of the controller override your reasons. 


The right to data portability. 

You have the right to receive personal data concerning you that Letim holds in a structured, commonly used, and machine-readable format, and the right to transmit that data to another controller without Letim, to whom the personal data was provided, hindering you when: 

  • the processing is based on your consent or a contract, and
  • the processing is carried out by automated means. 


The right to object. 

Based on reasons related to your particular situation, you have the right to object to the processing of personal data at any time if it is based on the legitimate interests pursued by Letim or a third party. Letim will cease processing the personal data unless it demonstrates compelling reasons for the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. When personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes, including profiling, if it is related to such direct marketing. If direct marketing is based on consent, the right to object can be exercised by withdrawing the given consent. 

10. The procedure for exercising rights

All the above-mentioned requests regarding the exercise of rights related to your personal data can be addressed in writing to the controller at the following email address:  toni@letim.si 

If you submit a request in accordance with the above paragraph by electronic means, the information will be provided to you electronically, if possible. 

The controller may request additional information necessary for reliable identification when exercising your rights related to personal data, and may only refuse to act in accordance with this chapter if it demonstrates that it cannot reliably identify you.

The controller will respond to your request to exercise your rights related to your personal data without undue delay and no later than one month from the receipt of the request. Letim may extend the period for exercising rights by up to two additional months, taking into account the complexity and number of requests. If Letim extends the period, it will inform you of each such extension within one month of receiving the request, along with the reasons for the delay. 

11. The right to lodge  a complaint regarding the processing of personal data 

Any complaint regarding the processing of your personal data can be sent to the email address toni@letim.si. 

You have the right to lodge a complaint directly with the Information Commissioner if you believe that the processing of personal data concerning you violates Slovenian regulations or EU regulations in the field of data protection.
 

12. The validity of the Policy

The Policy is effective from July 25, 2024, and may be amended or supplemented at any time.