Privacy policy

The purpose of this Privacy Policy is to inform individuals, customers, service users, colleagues, employees and other persons (hereinafter referred to as “the individual”) who interact with SETRANS, d.o.o. (hereinafter referred to as “the company”) about the purposes, legal bases, safeguards and rights of individuals with regard to the processing of personal data carried out by the company.

We value your privacy and therefore always protect your data carefully.

We process personal data in accordance with applicable data protection legislation and other legislation that provides us with a legal basis for processing personal data.

Any changes to this document will be published on our website. By using the website, you acknowledge that you have read and understood the entire contents of this Privacy Policy.

Data Controller:

SETRANS Transportni inženiring, trgovina in storitve d.o.o.

Pesnica pri Maribor 44/a,

 PE SPODNJE DOBRENJE Spodnje Dobrenje 42a, 2211 Pesnica pri Maribor

Data Protection Officer:

In accordance with Article 37 of the General Regulation, we have not appointed a Data Protection Officer, but if you have any questions regarding the processing of your personal data, you can always contact us at info@setrans.si.

 

1) Personal data

Personal data means any information relating to an identified or identifiable individual; an identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as: a name, an identification number, location data, an online identifier, or by reference to one or more factors specific to that individual’s physical, physiological, genetic, mental, economic, cultural or social identity.

2) Purposes of processing and grounds for processing

The company collects and processes personal data on the following legal bases:

– processing is necessary for compliance with a legal obligation to which the controller is subject;

– the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of measures at the request of such data subject prior to the conclusion of the contract;

– processing is necessary for the legitimate interests pursued by the controller or by a third party;

– the data subject has consented to the processing of his or her personal data for one or more specified purposes;

– processing is necessary for the protection of the vital interests of the data subject or of another natural person.

 

2.1 Implementation of the contract

Where an individual enters into a contract with the company, the contract constitutes the legal basis for the processing of personal data. Thus, the company may process personal data for the purpose of concluding and performing the contract, such as selling goods and services, preparing offers, participating in various programmes, etc. If the data subject does not provide personal data, the company cannot conclude the contract, nor can the company perform the service or deliver the goods or other products in accordance with the contract, as it does not have the necessary data to perform the contract. On this basis, the company processes only and exclusively those personal data necessary for the conclusion and proper performance of the contractual obligations.

The legal basis for the processing of data is the contract. The retention period is until the purpose of the contract has been fulfilled or until 6 years after the termination of the contract, except in cases where there is a dispute between the individual and the company in relation to the contract. In such a case, the company shall keep the data for 10 years after the final decision of a court, arbitration or court settlement or, in the absence of litigation, for 6 years from the date of amicable settlement of the dispute.

2.2 Legitimate interest

The company may also process personal data on the basis of a legitimate interest pursued by the company. The latter shall not be admissible where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. In the case of the application of legitimate interest, the company shall carry out an assessment in accordance with the law. The processing of personal data of individuals for direct marketing purposes shall be deemed to be carried out in the legitimate interest.

The company may also process personal data of individuals which it has collected from publicly available sources or in the course of the lawful exercise of its business for the purposes of offering goods, services, employment, information about benefits, events, etc. For these purposes, the company may use ordinary mail, telephone calls, e-mail and other means of telecommunication. For direct marketing purposes, the company may process the following personal data of individuals: name and surname of the individual, address of permanent or temporary residence, telephone number and e-mail address. For the purposes of direct marketing, the company may also process the aforementioned personal data without the individual’s explicit consent. The individual may at any time request to cease such communication and processing of personal data and to withdraw from receiving communications via the unsubscribe link in the communication received or by sending a request by e-mail or regular mail to the company’s address.

The legal basis for the processing of data is legitimate interest. The data will be processed until the cancellation of the receipt of communications or until the purpose of the processing is fulfilled. The withdrawal does not affect the lawfulness of the processing on the basis of the consent prior to its withdrawal.

2.3 Processing on the basis of consent

If the company does not have a legal basis based on the law, a contractual obligation, a legitimate interest or the protection of the life of the individual, the company may ask for consent or assent from the individual. In this way, it may also process certain personal data of the data subject for the following purposes where the data subject has given his or her consent: residential address and e-mail address (for information and communication purposes); photographs, videos and other content relating to the data subject (e.g. publication of images of individuals on the website for the purposes of documenting activities and informing the public about the work and events of the company); other purposes for which the individual has consented.

If an individual has given consent to the processing of personal data and at some point no longer wishes to do so, he or she may request that the processing of personal data be discontinued by sending a request by e-mail or by regular mail to the company’s address. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal. Upon receipt of a revocation or a request for deletion, the data shall be deleted within a maximum of 15 days. The company may also delete the data prior to revocation where the purpose of the processing of personal data has been achieved or where required by law.

Exceptionally, the company may refuse a request for erasure on the grounds set out in the GDPR in cases of exercising the right to freedom of expression and information, compliance with a legal obligation to process, reasons of public interest in the field of public health, archiving purposes in the public interest, scientific or historical research purposes, statistical purposes, the exercise or defence of legal claims.

The legal basis for the processing of data is consent. The data will be processed until the consent is withdrawn or revoked or the purpose of the processing is fulfilled. The withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.

 

2.4 Protection of vital interests of the individual

The company may process the personal data of an individual if it is necessary for the protection of their vital interests. In emergency situations, the company may search for the individual’s personal document, verify whether the person exists in its database, review their medical history, or contact their relatives, without needing the individual’s consent. This applies when it is essential to protect the individual’s vital interests.



3) Storage and deletion of personal data

The company will retain personal data only for as long as necessary to fulfill the purpose for which the data was collected and processed. If the company processes data based on the law, it will store it for the period prescribed by the law. Some data is retained during the company’s collaboration, while other data must be stored permanently. Personal data processed by the company based on a contractual relationship with the individual will be retained for the period necessary to fulfill the contract and for an additional 6 years after its termination, unless a dispute arises between the individual and the company regarding the contract. In such cases, the company will retain the data for 10 years after the finality of a court decision, arbitration, or judicial settlement, or if there was no legal dispute, for 6 years from the day of the amicable resolution of the dispute.

For personal data processed by the company based on the individual’s consent or legitimate interest, the company will retain the data until the withdrawal of consent or a request for deletion. Upon receiving the withdrawal or deletion request, the data will be deleted without undue delay. The company may delete this data before the withdrawal if the purpose of data processing has been fulfilled or if required by law.

In cases of exercising individual rights, the company will retain the individual’s personal data until a final decision is made in the matter, and after finality, in accordance with the final decision.

Exceptionally, the company may refuse a deletion request for reasons such as: exercising the right to freedom of expression and information, fulfilling a legal obligation of processing, public interest reasons in public health, archival purposes in the public interest, scientific or historical research, statistical purposes, or for the establishment, exercise, or defense of legal claims. After the retention period has expired, the company must effectively and permanently delete or anonymize the personal data so that it can no longer be associated with a specific individual.

4) Contractual processing of personal data and data transfer

The company may entrust certain processing of personal data to a contractual processor based on a data processing agreement. Contractual processors can process the entrusted data exclusively on behalf of the data controller, within the scope of the authority specified in a written contract or another legal act, and in accordance with the purposes defined in this privacy policy.

The contractual processors with whom the company collaborates primarily include:

– Accounting services and other providers of legal and business consulting;

– IT system maintenance providers;

– Providers of email services and software, cloud service providers.

 

For better oversight and control over the contractual processors and to ensure the proper regulation of mutual contractual relationships, the company maintains a list of all specific contractual processors with whom it collaborates.

Under no circumstances will the company provide personal data to unauthorized third parties. Contractual processors are only allowed to process personal data in accordance with the company’s instructions and must not use the data for any other purposes.

The company, as a data controller, and its employees do not transfer personal data to third countries (outside the member states of the European Economic Area – EU member states, as well as Iceland, Norway, and Liechtenstein) or to international organizations, except to the U.S., where relationships with contractual processors in the U.S. are regulated based on standard contractual clauses (model contracts adopted by the European Commission) and/or binding corporate rules (adopted by the company and approved by supervisory authorities in the EU).

 

5) Cookies

The company’s website operates using so-called cookies, which are essential for providing online services. They are used to store data about the status of individual web pages, assist in collecting user statistics, monitor website traffic, and more. Upon entering the website, only those cookies that are strictly necessary for the website’s functionality are loaded onto the user’s device. Other cookies will be loaded only with the individual’s consent. The individual can change the settings and delete cookies at any time (instructions are available on the specific browser’s website).

You can check and manage active cookies on the website in the privacy center by clicking on the icon in the lower-left corner.

6) Data protection and data accuracy

The company ensures information security and infrastructure safety (including premises and application system software). Our information systems are protected with antivirus programs and a firewall, among other security measures. We have implemented appropriate organizational and technical security measures aimed at protecting personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as well as from other unlawful and unauthorized forms of processing. When transmitting special categories of personal data, we do so in encrypted form, protected by a password. The individual is responsible for ensuring that they transmit their personal data securely and that the provided data is accurate and authentic.

7) Individual rights regarding data processing

An individual whose personal data is being processed has the right to request access to their personal data, as well as the right to request correction, deletion, or restriction of the data’s processing. Additionally, they have the right to object to the processing and the right to data portability. These requests are handled in accordance with the provisions of the General Data Protection Regulation (GDPR) and applicable data protection legislation.

All rights and questions can be asserted by submitting a request to the company’s address. The company will respond to the request without undue delay, and no later than one month after receiving the request. This period can be extended by up to two additional months, depending on the complexity and number of requests, in which case the individual will be notified along with the reasons for the delay. Exercising these rights is free of charge for the individual, but the company may charge a reasonable fee if the request is clearly unfounded or excessive, particularly if it is repetitive. In such cases, the company may also reject the request. If there is doubt about the identity of the individual, the company may request additional information necessary to verify their identity.

In the decision regarding the individual’s request, the company will also provide reasons for the decision and inform the individual of their right to lodge a complaint with the supervisory authority within 15 days of being informed of the decision. The right to lodge a complaint with the supervisory authority can be exercised by contacting the Information Commissioner of the Republic of Slovenia at: Dunajska 22, 1000 Ljubljana (email: gp.ip@ip-rs.si, website: www.ip-rs.si).

The privacy policy was adopted and updated on August 15, 2024.