This Personal Data Protection Policy aims to inform individuals, service users, partners, employees and other people (hereinafter referred to as »individual«) working with ORA Krasa in Brkinov d.o.o. (hereinafter referred to as »organization«) about the purpose and legal basis of, and security measures and individuals’ rights in the processing of their personal data carried out by our organization.
We value your privacy and always carefully protect your data.
We process personal data in accordance with the European legislation (Regulation (EU) 2016/697 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; hereinafter referred to as General Regulation – GDPR), the national personal data protection legislation, and other regulations that provide us with the legal basis for the processing of personal data.
The Personal Data Protection Policy contains information on how our organization, as the controller, processes personal data received from an individual on the basis of legal grounds.
Personal data is any information about a specific or identifiable individual; an individual is deemed identifiable when they can be identified, directly or indirectly, in particular by reference to an identifier, such as name, ID number, location data, online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
The organization collects and processes your personal data on the basis of the following legal grounds:
Under the provisions of the law, the organization mainly processes data about its employees, which it is permitted to do by the labour and social welfare legislation. In compliance with its legal obligation, the organization mainly processes the following types of personal data: name and surname, sex, date of birth, citizen personal identification number (EMŠO), tax number, place, municipality and country of birth, nationality, place of residence etc., for employment purposes. The legal basis for processing personal data of individuals also comprises the Promotion of Tourism Development Act, the Identity Card Act, the Residence Registration Act, the Protection of Documentary and Archival Materials and Archives Act, and other legislation from relevant fields. In limited cases, processing of personal data by the organization is also permissible on the grounds of public interest. All the sectoral regulations in force in the field are collected on the website of the competent ministry: www.gov.si/drzavni-organi/ministrstva/ministrstvo-za-kulturo/zakonodaja
Any contract that you conclude with the organization represents a legal basis for processing personal data. We are permitted to process your personal data for the purpose of concluding and performing contracts, e.g. rental of business premises, consignment sale of products, organization of events and shows, preparation and implementation of tourist programs and other development and promotional projects, etc. If an individual fails to provide personal data, the organization will be unable to conclude the contract, and subsequently provide a service or deliver goods or other products pursuant to that contract due to not having the information necessary for its implementation. The organization can also use e-mail addresses of individuals and users of its services to inform them about its services, events, training courses, promotions and other news in the course of its legitimate activities. An individual may at any time request that such communication and personal data processing be terminated, and unsubscribe from messages through the link in the received message, or by sending a request by email to firstname.lastname@example.org or regular mail to ORA Krasa in Brkinov d.o.o., Partizanska 4, 6210 Sežana.
The organization may also process personal data on the grounds of the legitimate interest, which the organization strives to pursue. The latter is not permissible when the interests and fundamental rights of the data subject override the interest of the data controller. In the event of exercising legitimate interest, the organization shall always carry out a careful assessment under the General Regulation (GDPR). The processing of personal data of individuals for the purposes of direct marketing is considered to be done in the legitimate interest. The organization may process personal data of individuals collected from publicly available sources or in the course of lawful activities, also for the purposes of offering goods, services, employment, information about benefits, events, etc. To achieve these goals, the organization may use ordinary mail, telephone calls, e-mail, and other means of telecommunications. For the purposes of direct marketing, the organization may process the following personal data of individuals: name and surname of the individual, address of permanent or temporary residence, telephone number and e-mail address. The above listed personal data may also be processed by the organization for the purposes of direct marketing without the express consent of the individual. An individual may at any time request that such communication and personal data processing be terminated, and unsubscribe from messages through the link in the received message, or by sending a request by email to email@example.com or regular mail to ORA Krasa in Brkinov d.o.o., Partizanska cesta 4, 6210 Sežana.
If the organization’s processing of the data is not based on the law, a contractual obligation or legitimate interests, it may ask an individual for their consent. With the individual’s consent, the organization may process certain personal data for the following purposes:
If an individual who gave their consent does not want their personal data to be further processed, they may at any time withdraw their consent by sending a request by email to firstname.lastname@example.org or by regular mail to ORA Krasa in Brkinov d.o.o., Partizanska cesta 4, 6210 Sežana. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.
The organization may process the personal data of the individual, when this is necessary to protect the vital interest of the data subject. This means that in case of emergency the organization may inspect the data subject’s identity document, check whether the data subject is entered in the organization’s database, study the data subject’s medical history and get in contact with the data subject’s relatives, for which the organization requires no further consent. The above only applies when such processing is crucial to protect the vital interests of the individual.
The organization will retain your personal data only for as long as necessary for the realization of the purpose for which the personal data was collected and processes. The personal data which the provider processes on the basis of the law will be retained by the organization for the period provided by the law. In this respect, certain data will be retained for the duration of cooperation with the organization, while certain data must be retained permanently. Personal data which the organization processes on the basis of a contractual relationship with the individual will be retained for the term of the contract and for 6 years after its termination, except in the event of a dispute arising between the organization and the individual in relation to the contract. In this event, the organization will retain the data for a period of 10 years from the date of finality of the court decision, or, in the absence of litigation proceedings, for 5 years from the date of amicable settlement of the dispute. Those personal data which the organization processes on the basis of the individual’s personal consent or legitimate interest will be retained by the organization until the individual’s revocation of this consent or until his request for erasure. The organization will erase the data within 15 days from the date of receipt of the revocation of consent or the request for erasure. The organization may erase the data before receiving the revocation if the purpose of processing has been met or when so stipulated by the law.
Exceptionally, the organization may reject the request for erasure for the following reasons listed in the General Regulation (GDPR): for exercising the right of freedom of expression and information, for compliance with a legal obligation, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims. After the expiry of the retention period, the organization must erase the personal data efficiently and permanently, and render them anonymous so they can no longer be linked to a certain individual.
The contractual data processors with whom the provider collaborates are:
The organization collects and processes personal data of individuals based on its legitimate interest (Article 6 (1f) of the General Regulation (GDPR) in case an individual completes the following form: Enquiry concerning the reserving of programmes of experiences, trips, accommodation and conference halls etc. The data submitted as part of the enquiry will be forwarded to the selected provider with the purpose of preparing an offer, and to the organization, for information. The request will be forwarded to the organization, for information, with the purpose of assistance and possible additional adjustments in case of questions, ambiguities or desire to change the offer. Your personal data, obtained by the organization if you complete the form: Enquiry concerning the reserving of programmes of experiences, trips, accommodation and conference halls will not be used for purposes of further direct marketing without your explicit consent. Under no circumstances will the organization forward the individual’s personal data to other unauthorized third parties.
The contractual processors may only process personal data in accordance with the instructions of the organization, and they shall not use personal data to fulfil any of their own interests.
The organization as the data controller and its employees will not transfer personal data to third countries (outside the countries of the European Economic Area – EU member states, Iceland, Norway and Liechtenstein) or international organizations, with the exception of the USA, wherein the relations with contractual processors from the US are governed by standard contract clauses (model contracts adopted by the European Commission) and/or binding corporate rules (adopted by the organization and approved by supervisory authorities in the EU).
For the purpose of a better overview and control over contractual data processors, and orderliness of mutual contractual relations, the organization keeps a list of contractual data processors, which contains all specific contractual processors with whom the organization cooperates.
Cookies are essential for providing a user-friendly online service. They are used to save data on the website’s status, collect statistics about users and visits, etc. Cookies also help us evaluate the effectiveness of our website’s design
Our organization’s website uses the following cookies:
Name of cookie
_ga, _gid, _gat
Website visit statistics
Cookies are set by the Facebook Pixel tool (analytical tool that can be used to measure the effectiveness of Facebook advertising)
up to 2 years
Cookies saved by the browser can be disabled by the individual (instructions can be found on the web pages of each browser).
The organization shall ensure the information security and the safety of infrastructure (spaces and application system software). Our information systems are protected, inter alia, with antivirus software and firewall systems. Several technical and organizational security measures were put in place that are aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of processing. As regards the transfer of special categories of personal data, these data are communicated in coded and password-protected format.
It is the individual’s responsibility to ensure that the data is communicated to us securely and that the data is accurate and authentic. The organization will strive to ensure that the individual’s personal data being processed is accurate and updated, if necessary, and will turn to the individual to confirm the accuracy of the given personal data.
In accordance with the General Regulation (GDPR), an individual has the following rights regarding their personal data protection:
In order to exercise any of the rights stated above, the individual may send a request by e-mail to email@example.com or by regular mail to ORA Krasa in Brkinov d.o.o., Partizanska 4, 6210 Sežana. The organization will respond to a request relating to an individual's rights without undue delay and in any case within one month of receiving the request. In the event that this deadline is extended (by a maximum of two additional months), taking into account the complexity and number of requirements, you will be notified.
Access to the individual's personal data or exercising your rights is free of charge for the individual. However, the organization may charge a reasonable fee if the data subject's request is manifestly unfounded or excessive, especially if repeated. In such a case, the organization may also reject the individual’s request. In the event of exercising the individual’s corresponding rights, the organization may have to request certain information from the individual which will help in confirming their identity, which is just a precautionary measure that ensures that personal data are not disclosed to unauthorized persons.
In order to exercise the rights under this title or if the individual believes that their rights have been violated, the individual can contact the supervisory body, i.e. the Information Commissioner, for support or assistance on the website: www.ip‑rs.si.
If an individual has any queries regarding the processing of their personal data, they can always contact our organization via e-mail at firstname.lastname@example.org or by regular mail to ORA Krasa and Brkinov d.o.o., Partizanska 4, 6210 Sežana.
Any amendment to the Personal Data Protection Policy will be published on the organization’s website: www.visitkras.info. By using the website, the individual confirms that they accept and agree to the full content of this Personal Data Protection Policy.
The Personal Data Protection Policy was adopted by Aleš Vodičar, director of the organization, on 13 January 2022.