The Personal Data Protection Policy aims to inform individuals, users of services, co-workers, employees, and other persons (hereinafter referred to as ‘data subject’) who cooperate with the Youth Centre for Cultural Activities Maribor (MKC Maribor, hereinafter referred to as ‘organization’) about the objectives, legal bases, security measures, and rights of individuals regarding the processing of personal data carried out by our organization.
We value your privacy and we therefore carefully protect your data.
We process personal data in accordance with the EU Regulation (EU Regulation 2016/697 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as: ‘General Regulation’)), the current Slovenian legal regulation regarding the protection of personal data, and other provisions, all of which forms our legal basis for the processing of personal data.
The personal data protection policy includes information on how our organization, as the controller, processes personal data that it receives from data subjects on a legal basis.
The personal data controller is the organization:
Youth Centre for Cultural Activities Maribor (MKC Maribor)
OB ŽELEZNICI 16, 2000 MARIBOR
02 300 2993
2] Authorized person
Under Article 37 of the General Regulation, we named the following organization as the authorized person for data protection:
Tržaška cesta 85, SI-2000 Maribor
Telephone: +386 (0) 2 620 4 300
3] Personal data
Personal data is understood to be as all information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
4] Purposes and bases for data processing
The organization collects and processes your personal data based on the following legal bases:
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
4.1] Legitimate interest
The organization may process personal information based on the legitimate interests it pursues. The latter is not permissible when such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. In the case of legitimate interest, the organization shall always carry out an assessment under the General Regulation. The processing of personal data of data subjects for direct marketing purposes is regarded as being carried out for a legitimate interest. The organization may only process personal data of data subjects it gathered from publicly available sources or during the lawful pursuit of its activities, including but not limited to offering goods, services, employment, information on benefits, events, etc. The organization may use regular mail, telephone calls, emails, and other means of telecommunication. The organization may process the following personal data of data subjects for direct marketing purposes: name and surname of the data subject, address of temporary or permanent residence, telephone number, and e-mail address. The above-mentioned personal data may be used by the organization for direct marketing purposes even without the explicit consent of the data subject. A data subject has the right to request the cessation of such communication, the processing of personal data, and the receiving of messages by using the unsubscribe link in the received message, by sending a request to the e-mail address email@example.com, or via ordinary mail sent addressed to MKC Maribor, Ob železnici 16, 2000 Maribor.
4.2] Processing based on consent
If the organization has no legal basis based on the law, a contractual obligation, or legitimate interest, it may ask the data subject for consent. Should the data subject give their consent, it may process certain personal data for the following purposes:
- address of residence and e-mail address for information and communication purposes;
- photos, videos, and other content related to the data subject (including but not limited to the publication of pictures of the data subject on the website of the organization) for activity documenting purposes and informing the public about the work and events of the organization;
- other purposes the data subject gives their consent for.
If a data subject gives their consent for the processing of personal data and changes their mind at any later point, they may request the termination of personal data processing by a written request submitted via email sent to firstname.lastname@example.org or via regular post sent to MKC Maribor, Ob železnici 16, 2000 Maribor.
A withdrawal of consent does not affect the legality of consent-based data processing before the withdrawal.
5] Storage and erasure of personal data
The organization shall store personal data only as long as it is necessary for the purpose for which it was collected or further processed. If the organization processes personal data based on the law, it shall keep store them for a period prescribed by law. Some personal data must be stored for the duration of the cooperation period while some data must be stored permanently. Personal data the organization processes based on a contractual relationship with the data subject must be stored for the period required for the performance of the contract and an additional 6 years after the contract ends, except when a contractual dispute arises between the data subject and the organization. In such a case, the organization must store the personal data for a period of 10 years after the date of the final judgement, arbitration, or court settlement or for a period of 5 years after the date of the amicable settlement if a legal dispute did not arise. Personal data the organization processes based on the consent of the data subject or a legitimate interest must be stored by the organization until a withdrawal of consent notice or a request for the erasure of personal data is issued. Personal data must be erased no later than 15 days after receiving a withdrawal of consent notice or the request for the erasure of personal data. The organization may erase said data even before consent is withdrawn if the goal of the personal data processing has been met or if this is required by law.
Exceptionally, the organization can reject the request for the erasure of personal data based on the following stipulations in the General Regulation: exercising the right to freedom of expression and information, compliance with a legal obligation for processing, for reasons of public interest in the area of public health, for archiving purposes in the public interest, for scientific or historical research purposes, for statistical purposes, and the exercise or defence of legal claims. After the expiration of the retention period, the organization must effectively and permanently erase and anonymize personal data so that it cannot be linked to a particular data subject.
6] Contractual processing of personal data and exporting data
The organization predominantly cooperates with the following contractual data processors:
- wild – marko damiš s.p.
The organization will not share the personal data of data subjects with any unauthorized third parties. Contractual processors may process personal data exclusively in accordance with the instructions of the organization and cannot process personal data for any other purposes.
As the controller, the organization and its employees do not export personal data to any third countries (to any non-EU Member State of the European Economic Area – EU Members including Iceland, Norway, and Lichtenstein) and international organizations, with the exception of the United S whereby relationships with contractual processors from the United states are governed by standard contractual clauses (standard contracts adopted by the European Union) and/or binding conroporate rules (adopted by the organization and approved by EU supervisory authorities).
For better oversight and the supervision of contractual processors and mutual contractual relationships purposes, the organization maintains a list with all specific contractual data processors the organization is cooperating with.
8] Data protection and accuracy
The organization guarantees both information and infrastructure security (for the premises and systems software applied). Our information software is protected with an anti-virus programme and a firewall, among other things. We have introduced appropriate organizational and technical security measures that are designed to protect personal data from any accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and other illegal and unauthorized forms of processing. If any special types of personal data are submitted, we transmit them in encrypted form and password protected.
Data subjects are responsible for the secure transmission, accuracy, and authenticity of their personal data. The organization will strive towards the accuracy of the processed personal data and to keep the data up-to-date. The organization may occasionally contact data subjects to confirm the accuracy of the personal data.
9] Individual rights regarding the processing of personal data
In accordance with the General Regulation, the following rights are provided to individuals regarding the protection of personal data:
- they may request information on whether we have their personal data, what data we possess, what our legal basis is for processing it, and why we use said data;
- they may request access to their personal data, which allows them to receive a copy of the personal data the organization has and verify if the organization processes the data in accordance with the law;
- they may request rectification of personal data, such as the rectification of incomplete or inaccurate data;
- they may request the deletion or removal of their personal data where there is no compelling reason for its continued processing or when they invoke their right to restrict any further the processing of their personal data;
- they have the right to object to any further processing of their personal data in certain circumstances, even if the organization has a legitimate business interest (or a third party has a legitimate business interest); they have the right to object if the organization processes their personal information for direct marketing purposes;
- they have the right to restrict the processing of their personal data, which means that the processing of personal data is suspended, for instance, if they wish for the organization to verify the accuracy of the personal data or to verify the legitimate grounds for the processing of personal data;
- they have the right to transmit personal data in a structured and machine-readable format directly to another controller if that is possible and achievable;
- they have the right to withdraw their consent for the collection, processing, and transfer of their personal data for a specific purpose; the organization will stop processing personal data for the intended original purposes after receiving the notification that consent has been withdrawn unless it has no other legal basis to do it lawfully.
If a data subject wishes to invoke any of the aforementioned rights, they can send a request via an e-mail sent to email@example.com or via regular mail sent to MKC Maribor, Ob železnici 16, 2000 Maribor.
The organization will answer any requests about the rights of data subjects without undue delay and in any event within one month of receipt of the request. In case this deadline is extended (for two additional months at most) due to the complexity and number of requests, you will be duly notified. Data subjects can access their personal data and invoke their rights free of any charge. However, the organization reserves the right to charge a reasonable remuneration if the request from the data subject is manifestly unfounded or excessive, in particular, because of their repetitive character. The organization may even decline the request in this case. If the data subject exercises their rights under this title, the organization may request certain information from the data subject that will help confirm the identity of the data subject. This is simply a security measure that guarantees that personal data is not divulged to unauthorized persons.
When the data subject exercises their right under this title or when the data subject deems that their rights are being violated, they may refer to the supervisory authority for protection or assistance, which is the Information Commissioner who can be found on the following link: https://www.ip-rs.si/.
If the data subject has any questions regarding the processing of their personal data, they can always refer to our organization with an e-mail sent to firstname.lastname@example.org or via regular mail sent to MKC Maribor, Ob železnici 16, 2000 Maribor.
10] Publication of amendments
Any amendments to our Personal Data Protection Policy will be published on the websites of the organization: www.mkc.si., www.mladimaribor.si, www.hotelpekarna.eu, www.medianox.org, www.mfru.org. By using our website, the data subject accepts and agrees in full with the contents of this Personal Data Protection Policy.
The Personal data protection policy was adopted by the director of the Youth Centre for Cultural Activities Maribor (MKC) Marja Guček on the 25th of October 2021