Data protection policy
We handle your personal data in accordance with the law, fairly, securely, and transparently for you. We process personal data in accordance with European legislation (Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter: “General Regulation”)), applicable Slovenian legislation in the field of personal data protection and privacy in electronic communications, and other regulations governing the protection of personal data.
We are aware of our responsibility because you have entrusted us with your personal data. Therefore, all key information regarding data processing, our obligations, and your rights are listed below.
The purpose of the data protection policy is to inform service users, individuals, collaborators, business partners, employees, and other persons (hereinafter: individuals) who cooperate with the company Turistično Društvo Bled) (hereinafter: the company) about the purposes and legal bases, data security measures, and the rights of individuals regarding the processing of personal data carried out by our company.
When processing personal data, we rely on the legal bases for the lawfulness of processing under Article 6(1) of the General Regulation, namely: consent (a), performance of a contract (b), compliance with a legal obligation (c), the performance of a task carried out in the public interest (e), and legitimate interest (f).
This policy describes the purposes and how we process personal data that we receive from you based on the legal bases described below.
1. Data Controller
The data controller is the company Turistično Društvo Bled
Company address: Cesta svobode 10, 4260 Bled, Slovenia
Phone: +386 4 5741 122
Email: info@td-bled.si
2. Data Protection Officer
In accordance with Article 37 of the General Regulation, we have not appointed a Data Protection Officer. If you have any questions regarding the processing of your personal data, you can write to us at the following email address: info@td-bled.si
3. Personal Data
Personal data means any information relating to an identified or identifiable individual. This means that personal data includes not only the name and surname, date of birth, address, personal identification number, and tax number of an individual but also any data that allows a connection with a specific individual.
Individual – is an identified or identifiable natural person to whom personal data relates; a natural person is identifiable if they can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity.
4. Purposes and Bases for Data Processing
The company collects and processes your personal data on the following legal bases:
• processing is necessary for compliance with a legal obligation to which the controller is subject;
• processing is necessary for the performance of a contract to which the individual is a party or in order to take steps at the request of the individual prior to entering into a contract;
• processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party;
• the individual has given consent to the processing of their personal data for one or more specific purposes;
• processing is necessary in order to protect the vital interests of the individual or another natural person.
4.1. Compliance with Legal Obligations
On the basis of legal obligations, the company primarily processes data about its employees, which is enabled by labor and social protection legislation. This is evident from the record of personal data collections for controllers.
On the basis of legal obligations for employment purposes, the company primarily processes the following types of personal data: name and surname, gender, date of birth, personal identification number, tax number, address, place and country of birth, phone number, email address, etc. In limited cases, the company may process personal data based on public interest.
The company processes data on the amount of service payments for the purpose of monitoring monthly payments. We base this data on the legal basis of a contract, and their collection is mandated by the VAT Act. Due to obligations to fulfill our legal obligations, we will process your personal data in accordance with tax regulations, which means that we will keep your data, such as payer data (account number, name, surname), for ten years after the end of the calendar year in which we issued the invoice. The legal basis for this processing purpose is compliance with legal obligations.
4.2. Performance of a Contract
In cases where an individual enters into a contract with the company, this serves as a legal basis for processing personal data. We are allowed to process personal data for the conclusion and performance of the contract. Upon concluding a contract with an individual or company, we obtain the following data: name, surname, company name, address, contact details, email address, phone number, and tax number.
If an individual does not provide personal data, the company cannot conclude a contract and cannot provide the service or deliver goods or other products in accordance with the contract, as it does not have the necessary data for execution. Based on its lawful activities, the company may inform individuals and users of its services about its services, events, education, offers, and other content via their email addresses. An individual can request the cessation of such communication and data processing at any time and withdraw from receiving messages via the unsubscribe link in the received message or by sending a request by email to info@td-bled.si or by regular mail to the company’s address.
4.3. Legitimate Interest
The invocation of the legal basis of legitimate interest is limited to processing by public authorities in the performance of their tasks. However, the company may also process personal data based on legitimate interest, which the company pursues to a limited extent.
This is not permissible when such interests are overridden by the interests or fundamental rights and freedoms of the individual to whom the personal data relates and which require the protection of personal data. In cases where the company uses legitimate interest, it always conducts an assessment in accordance with the General Regulation.
Thus, individuals may occasionally be informed about services, events, education, offers, and other content via email, phone calls, and regular mail.
An individual can request the cessation of such communication and data processing at any time and withdraw from receiving messages via the unsubscribe link in the received message or by sending a request by email to info@td-bled.si or by regular mail to the company’s address.
Purposes for which personal data is processed, the legal basis for their processing, and the retention period.
Visiting the website https://td-bled.si/
Purpose of processing personal data: Each time you visit the website https://td-bled.si/, the server hosting the website automatically stores server log files. On the server where the website https://td-bled.si/ is hosted, data about website visits is recorded, specifically the IP address of visitors, browser version, date and time, and information about reconnections.
Turistično Društvo Bled does not process such data separately and does not link it with other data. The contractual processor (website hosting provider) processes personal data solely for the purpose of providing website maintenance services at the address Turistično Društvo Bled.
The purpose of these procedures is to ensure network and information security, i.e., to enable the detection and prevention of unauthorized access that could jeopardize the availability, integrity, and confidentiality of stored or transmitted personal data and the security of related services accessible through these networks and systems. Such processing is necessary due to the legitimate interests pursued by the company.
Legal basis for processing personal data:
e) point of the first paragraph of Article 6 of the General Data Protection Regulation and the fourth paragraph of Article 6 of the Data Protection Act (Official Gazette of the Republic of Slovenia, No. 136/22; hereinafter ZVOP-2).
Users or categories of users of personal data:
Contractual processor maintaining the website for the purposes of ensuring security and site maintenance.
Information on transfers of personal data to a third country or international organization:
Data is not transferred to third countries or international organizations.
Retention period: The retention period of server log files is limited to 30 days.
Responding to inquiries (via contact form)
Purpose of processing personal data: Each time an inquiry is sent from the contact form, the visitor’s message is sent to the company’s email address, and personal data is processed for the purpose of responding to the inquiry (name and surname, address, email, and phone number).
Turistično Društvo Bled collects and processes personal data of senders or potential customers (name and surname, address, email, and phone number) for the purpose of responding to inquiries, preparing offers based on the customer’s inquiry, or for possible offer adjustments.
Legal basis: Turistično Društvo Bled collects and processes personal data for the purpose of responding to inquiries. Such processing is necessary due to the legitimate interests pursued by the company.
Turistično Društvo Bled does not collect personal data of individuals with the aim of sending unnecessary advertising messages, but only for the purpose of mandatory information.
Retention period: We will keep customers’ personal data only for our own use, and we will delete them at the customer’s request.
Cookies and other data
When you use the services on https://td-bled.si, other data or information may also be automatically recorded and processed for the purposes of internal analyses to improve our services, for statistical processing, and for security reasons.
The data we process for the described purposes are:
1. cookies,
2. data on service usage (web browser and current IP address of the device, time and duration of access to these websites, websites from which these websites are accessed).
In the case of point 1, your personal data is processed based on the provisions of the Electronic Communications Act (Official Gazette of the Republic of Slovenia, No. 130/22 as amended). Except for the processing of personal data with cookies necessary for the operation of the websites, other cookies are installed only with the prior consent of the individual (legal basis from point a of Article 6(1) of the General Data Protection Regulation).
In the case of point 2, we base the processing of personal data on point f of Article 6(1) of the General Data Protection Regulation (on the legitimate interests of the controller to provide user-friendly and user-tailored services, reduce the risk of misuse, detect them, and ensure the security of its network and information). Where we can achieve the intended purpose, anonymized data is used in statistical processing. Anonymized data can no longer be linked to the user who provided such personal data, so this Privacy and Personal Data Protection Policy does not apply to their processing.
Age restriction for information society services
Services provided by https://td-bled.si/ are intended for persons over 16 years of age. The user, when sending an inquiry or subscribing to educational content or online analysis, must confirm that they are over 16 years old and that the information provided is true and accurate and that they are familiar with the explanations of the consent to the processing of personal data.
Age is not a condition for using the website https://td-bled.si/, and we are not obliged to verify which data relates to persons under 16 years of age. We advise parents and legal guardians of children under 16 years of age to properly educate children under 16 years of age about the safe use of the internet and the provision of their personal data. All risks arising from the inability of a minor to take on valid commitments are the responsibility of their parents and guardians.
4.4. Processing based on consent
If the company does not have a legal basis demonstrated by law, contractual obligation, or legitimate interest, it may request consent from the individual. Thus, it may also process certain personal data of the individual for the following purposes when the individual gives consent:
• home address and email address for the purposes of information and communication;
• photos, video recordings, and other content related to the individual (e.g., publication of photos of individuals on the company’s website) for the purposes of documenting activities and informing the public about the company’s work and events;
• other purposes for which the individual agrees with consent.
Subscribing to newsletters (series of educational emails, occasional emails)
Purpose of processing personal data:
When subscribing to electronic newsletters (a series of educational emails) https://td-bled.si/, in addition to your IP number, we process your email address that you enter into the web form, as well as the date and time of registration. Turistično Društvo Bled processes this data solely for the purpose of delivering the series of educational emails to which the user has subscribed or for agreeing to receive occasional emails when submitting an online analysis.
Legal basis for processing personal data:
We process personal data (email address) based on the valid consent of the individual (Article 6(a) of the Regulation). When filling out the form to subscribe to online newsletters (a series of educational emails or occasional emails), you indicate your consent that Turistično Društvo Bled may use your email address for the purpose of providing education in the field of online sales and that you are aware that you can unsubscribe from receiving newsletters at any time.
You can do this by clicking on the unsubscribe link in the sent email. If you do not confirm in two steps (entering the email address and clicking on the confirmation email), Turistično Društvo Bled will not send notifications to your email address, nor will it collect or process your email address.
Turistično Društvo Bled uses a pre-approval system for email addresses, meaning that it only sends emails to people who explicitly agree to receive email notifications.
Retention period: We will retain your email data until you withdraw your consent or unsubscribe from receiving newsletters. If you do not unsubscribe from receiving newsletters, we will retain your email data until the end of the newsletter campaign.
If an individual gives consent for the processing of personal data and at some point no longer wishes it, they can request the cessation of data processing by sending a request via email to info@td-bled.si or by regular mail to the company’s address. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
4.5. Processing necessary to protect the vital interests of the individual
The company may process the personal data of an individual to whom the personal data relates if it is necessary to protect their vital interests. In emergency cases, the company may search for the individual’s identification document, verify whether the person exists in its database, examine their medical history, or contact their relatives, for which the company does not need the individual’s consent. This applies when it is necessary to protect the individual’s vital interests.
5. Retention and Deletion of Personal Data
The company will retain personal data only as long as necessary to fulfill the purpose for which the personal data was collected and processed. If the company processes data based on law, it will retain it for the period prescribed by law.
Some data is retained for the duration of cooperation with the company, while some data must be retained permanently. Personal data that the company needs to perform a contract will be retained for as long as necessary to fulfill the contract and for five years after the end of the calendar year in which the contract terminated unless a longer retention period is required due to a dispute related to the contract. In such cases, we will retain your personal data for 10 years after the end of the calendar year of the finality of the court decision, arbitration, or judicial settlement, or – if there was no legal dispute – 5 years after the end of the calendar year from the date of peaceful resolution of the dispute.
The personal data that the company processes based on the individual’s consent or legitimate interest will be retained until the consent is withdrawn or until a request for deletion of data is made. Upon receipt of a withdrawal or deletion request, the data will be deleted no later than 15 days. The company may also delete this data before withdrawal when the purpose of processing personal data has been achieved or if so prescribed by law.
Exceptionally, the company may refuse a request for deletion for reasons stated in the General Regulation, such as the exercise of the right to freedom of expression and information, compliance with a legal obligation to process, reasons of public interest in the field of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and the exercise or defense of legal claims.
After the retention period has expired, the company must effectively and permanently delete or anonymize the personal data so that they can no longer be linked to a specific individual.
6. Contractual Processing of Personal Data and Data Transfers
The company may entrust individual processing of personal data based on a data processing agreement to a contractual processor with whom we have a data processing agreement. Contractual processors may process entrusted data solely on behalf of the controller, within the limits of its authorization, which is written in the contract or other legal act, and in accordance with the purposes specified in this privacy policy.
Contractual processors with whom the company cooperates are:
• accounting services and other providers of legal and business consulting,
• website hosting providers,
• information system maintenance providers,
• email service providers and software providers, cloud services,
• social media and online advertising providers (Google, Facebook, Instagram, LinkedIn, etc.).
For the purposes of better oversight and control over contractual processors and the organization of the contractual relationship, the company also maintains a list of contractual processors, where all specific contractual processors with whom the company cooperates are listed.
For certain services, we may also share your personal data with potential project partners, supervisory authorities, or based on a court request. The company will not disclose personal data to unauthorized third parties under any circumstances. Contractual processors may only process personal data within the instructions of the company and may not use the personal data for any other purposes.
As a data controller, the company and its employees do not transfer personal data to third countries (outside the member states of the European Economic Area – EU members and Iceland, Norway, and Liechtenstein) and international organizations, except to the USA, where relationships with data processors from the USA are regulated based on standard contractual clauses (model contracts adopted by the European Commission) and/or binding corporate rules (adopted by the company and approved by supervisory authorities in the EU).
Disclosure of personal data to third parties
We inform you that your personal data may also be accessible to:
- our verified contractual processors who enable us to develop and maintain the website, store databases, electronically notify, prepare web analytics, educational content (based on a service agreement and agreement under Article 28 of the General Data Protection Regulation),
- authorized persons and competent state authorities who have a valid legal basis for obtaining and processing data in their legal regulations (based on point c of Article 6(1) of the General Data Protection Regulation – compliance with a legal obligation).
In each case of disclosing your personal data, we ensure appropriate technical and organizational measures to ensure the security of your personal data, and all recipients of your data are also required to implement similar measures.
Transfer of personal data to third countries
We only transfer data to third countries (outside the EU and EEA) if we have your explicit consent for such transfer and when it is necessary to fulfill our contractual and legal obligations. In the case of exporting your personal data, we do so to the minimum extent necessary to provide the services at https://td-bled.si/. Your data may be transferred:
– to the USA if you consent to the display of customized ads on these websites (e.g., to Google, Inc.), for sending email notifications (Elasticmail), when entering your personal data via various forms through which https://td-bled.si/ communicates with its users (Ninja Form), and for communication with social networks.
When transferring your personal data to third countries, in addition to the appropriate legal basis for such transfer, we also ensure additional measures to maintain an adequate level of security for your data during the transfer, relying on the principles of Chapter V of the General Data Protection Regulation.
Social networks
For the purposes of communication and providing interesting content to users of https://td-bled.si/, we also use business profiles on the following social networks:
Meta Platforms, Inc., which operates Facebook and Instagram;
LinkedIn Ireland Unltd. Co., which operates LinkedIn;
Google, Inc., which operates YouTube
In these cases, we may obtain and process your data, but we do not transfer it to our internal databases at https://td-bled.si/. When using these business profiles, authorized persons of the controller have access to your private messages and public posts. From social networks, we receive statistical reports on the visits to our profiles, general interests of visitors, and demographic data. These reports do not contain personal data and are only used to provide interesting content to users of our services.
In the case of using the services of the mentioned social networks and their interaction with these websites, data is transferred to the USA, where the companies managing the respective network independently manage the received personal data. This means that they determine the types of personal data they process, the purposes and legal bases for processing personal data, and independently manage cookies on their websites, determining their usage purposes.
We urge you to review the privacy policies of the social networks mentioned in the first paragraph of this section when interacting with them, available at the
following links:
Facebook
Instagram
LinkedIn
YouTube
Twitter
7. Cookies
The company’s website operates using so-called cookies. A cookie is a file that stores website settings. Websites store cookies on users’ devices, which they use to access the internet to recognize individual devices and settings used by users when accessing them. Cookies allow websites to recognize if a user has already visited the website. In advanced applications, they can be used to appropriately adjust individual settings. Their storage is under the complete control of the browser used by the individual – it can limit or completely disable the storage of cookies.
Cookies are of fundamental importance for providing user-friendly online services. They are used to store data on the status of individual websites, help collect statistics on users and website visits, etc. With the help of cookies, we assess the effectiveness of the design of our website.
Essential cookies are necessary for the operation of the website, and such cookies cannot be excluded. Additionally, with your prior consent, we may also use cookies for the purposes of website usage analytics, social network connections, or providing additional functionality. These cookies allow us to evaluate the effectiveness of our solutions’ design and provide you with the best possible user experience. As we strive to improve your user experience, we try to understand your use of our websites, services, or tools. To this end, we use either internal or external tools to analyze the usage of applications and user experiences.
We use Illow to manage cookies, which allows users to be informed about installed cookies and manage consent for the installation of individual cookies on the user’s device. More information about the cookies used by the Turistično Društvo Bled website can be found under Cookie Settings, accessible in the footer of the page, which allows cookie usage. Upon visiting our site, you can set the desired cookies or accept or reject all of them.
In internal tools, we rely on the legal basis of our legitimate interest ((point f) of the first paragraph of Article 6 of the GDPR regulation), while for analytical tools from third-party providers, we will ask for your consent before use. The legal basis for the cookie notice is the amended Electronic Communications Act (Official Gazette No. 109/2012; hereinafter ZEKom-1), which entered into force on January 15, 2013.
8. Data Security and Accuracy
The company ensures information security and infrastructure security (premises and application system software). Our information systems are protected, among other things, with antivirus programs and a firewall. The company has implemented appropriate organizational and technical security measures to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as well as from other unlawful and unauthorized forms of processing.
In the case of transmitting special types of personal data, we send them in an encrypted form and protected with a password. As an individual, you are responsible for securely providing your personal data and ensuring that the data provided is accurate and truthful. The company (controllers) will strive to ensure that the personal data it processes is accurate and, where necessary, updated. Occasionally, the company may contact an individual to confirm the accuracy of personal data.
9. Your Data Processing Rights
In accordance with the General Regulation (EU), an individual has the following data protection rights:
• You can request information about whether we have your personal data, and if so, which data we have and on what basis we have it and why we use it;
• You can request access to your personal data, which allows you to receive a copy of the personal data held by the company and check whether the company is processing it lawfully;
• You can request corrections to personal data, such as correcting incomplete or inaccurate personal data;
• You can request the deletion of your personal data when there is no reason for further processing or when you exercise your right to object to further processing;
• You can object to further processing of personal data where the company relies on legitimate business interest (including in the case of legitimate interest of a third party) when there are reasons related to your particular situation; you have the right to object at any time if the company processes personal data for direct marketing purposes;
• You can request the restriction of processing your personal data, which means stopping the processing of personal data, for example, if you want the company to verify the accuracy or reasons for further processing of personal data;
• You can request the transfer of your personal data in a structured electronic format to another controller, if possible and feasible;
• You can withdraw the consent you have given for the collection, processing, and transfer of your personal data for a specific purpose; upon receiving the notice that you have withdrawn your consent, the company will stop processing personal data for the purposes originally accepted, unless the company has another lawful legal basis to do so lawfully.
If you wish to exercise any of the above rights, you can send a request by email to info@td-bled.si or by regular mail to our address.
We will respond to a request relating to an individual’s rights without undue delay and in any case within one month of receiving the request. If this period is extended, considering the complexity and number of requests (by a maximum of two additional months), you will be notified.
Access to an individual’s personal data and the exercise of rights is free for the individual, but we may charge a reasonable fee if your request is excessive, clearly unfounded, or excessive, especially if it is repetitive.
In such cases, we may also refuse your request. When exercising the rights in this context, we may need to request certain information from you to help confirm your identity, which is a security measure to ensure that your personal data is not disclosed to unauthorized persons.
At any time, especially if you believe that our exercise of your data protection rights is not appropriate, you can write to us at the following email address: info@td-bled.si.
When exercising the rights in this context, or if you believe that your rights have been violated, you can seek protection or assistance from the supervisory authority, which in Slovenia is the Information Commissioner, Dunajska 22, 1000 Ljubljana, https://www.ip-rs.si
If you have any additional questions regarding our processing of your personal data, you can contact us at any time via email at info@td-bled.si or by regular mail to our address.
10. Publication of Changes
Any changes to our Data Protection Policy will be published on the company’s website: info@td-bled.si. We strive to ensure that this policy is always in accordance with the law and our actual activities in the field of personal data processing. Therefore, we will occasionally update this policy and publish it on this website.
By using the website, the individual confirms that they accept and agree with the entire content of this data protection policy.
Last modified: 30/08/2024