Notice on the Processing of Personal Data

Maribor Tourist Board, Tkalski prehod 4, 2000 Maribor (hereinafter: ZTM), VAT ID: SI70464600, Registration Number: 1526022000.

In order to ensure clear and transparent information, we are providing you with detailed information about the processing of personal data collected in connection with your purchase of products in our online store and your visit to our websites.

This notice also includes information about your rights related to the processing of your data. This data processing notice applies only to natural persons.

The protection of your privacy is extremely important to us, so we kindly ask you to read this notice carefully.

The controller responsible for determining the purpose and means of processing your personal data, in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679), is:

Name: Maribor Tourist Board
Address: Tkalski prehod 4
Postal Code and City: 2000 Maribor
Registration Number: 1526022000

Vaše osebne podatke obdelujemo v skladu z določbami Splošne uredbe o varstvu podatkov (Uredba (EU) 2016/679), Zakona o varstvu osebnih podatkov in drugih veljavnih predpisov o varstvu osebnih podatkov.

Vaše osebne podatke obdelujemo za naslednje namene:

• nadgradnja in izboljšanje spletne strani,

• preučevanje poteka brskanja v spletni trgovini,
• segmentiranje in analize in
• e-obveščanje

V kolikor bomo vaše osebne podatke nadalje obdelovati za namen, ki ni namen, za katerega smo jih zbrali, vam bomo pred dodatno obdelavo posredovali vse predpisane informacije o tem drugem namenu, skladno s členom 13 Splošne uredbe o varstvu podatkov.

Zagotovitev osebnih podatkov je obveznost , ki je potrebna za sklenitev pogodbe, dobave blaga in storitev, reševanje morebitnih ugovorov ali reklamacij posameznikov, itd. V kolikor se taki podatki ne zagotovijo, nakup izdelkov v naših spletnih trgovinah ne bo mogoč.

Podatke obdelujemo v skladu z naslednjimi pravnimi temelji:

• (a) točka drugega odstavka 6. člena Splošne uredbe o varstvu podatkov: (a) posameznik, na katerega se nanašajo osebni podatki, je privolil v obdelavo njegovih osebnih podatkov v enega ali več določenih namenov
• (b) točka drugega odstavka 6. člena Splošne uredbe o varstvu podatkov: (b) obdelava je potrebna za izvajanje pogodbe, katere pogodbena stranka je posameznik, na katerega se nanašajo osebni podatki, ali za izvajanje ukrepov na zahtevo takega posameznika pred sklenitvijo pogodbe
• (f) točka drugega odstavka 6. člena Splošne uredbe o varstvu podatkov: (f) obdelava je potrebna zaradi zakonitih interesov, za katere si prizadeva upravljavec ali tretja oseba, razen kadar nad takimi interesi prevladajo interesi ali temeljne pravice in svoboščine posameznika, na katerega se nanašajo osebni podatki, ki zahtevajo varstvo osebnih podatkov, zlasti kadar je posameznik, na katerega se nanašajo osebni podatki, otrok.

Pravica do umika soglasja (7. člen Splošne uredbe)- če obdelava osebnih podatkov temelji na vašem soglasju, imate pravico, da kadar koli umaknete soglasje s pisnim obvestilom o odstopu od pooblaščene osebe za varstvo podatkov. V tem primeru vaših osebnih podatkov ne bomo več obdelovali, razen če obstaja druga pravna podlaga za njihovo obdelavo. Umik soglasja učinkuje od trenutka, ko je naveden, kar pomeni, da ne vpliva na zakonitost obdelave vaših osebnih podatkov v obdobju od podelitve soglasja do njegovega preklica.

Zakoniti interes: Zavod lahko obdeluje osebne podatke na podlagi njenega zakonitega interesa opravljati pridobitno dejavnost na trgu, vendar le, če po skrbni oceni interesi Zavoda ne prevladajo nad interesi ali temeljnimi pravicami in svoboščinami posameznika, na katerega se osebni podatki nanašajo, pri čemer se upoštevajo razumna pričakovanja posameznikov, na katere se nanašajo osebni podatki, glede na njihovo razmerje do Zavoda. Med zakonite interese Zavoda spada tista obdelava, ki je nujna za preprečevanje prevar in zlorab ali za izterjavo neplačanih pogodbenih obveznosti kupcev. Prav tako se na podlagi zakonitega interesa osebni podatki kupcev v omejen obsegu obdelujejo za namene neposrednega trženja, vendar pa v tem primeru obdelava osebnih podatkov kupcev poteka omejeno časovno obdobje (največ 5 let od zadnjega nakupa) upoštevaje pogoje veljavne zakonodaje in v zelo omejenem obsegu obdelave, zlasti ni vsiljiva in pretirano pogosta, ne vključuje posebnih vrst osebnih podatkov ter poteka brez avtomatiziranega odločanja o pravicah posameznika v razmerju do Zavoda. Posameznik lahko navedeni obdelavi kadar koli brezplačno ugovarja, lahko zahteva popravek osebnih podatkov, kakor tudi trajno ali začasno prenehanje osebnih podatkov za namen neposrednega trženja.

We process your personal data in accordance with the provisions of the General Data Protection Regulation (Regulation (EU) 2016/679), the Personal Data Protection Act, and other applicable personal data protection regulations.

Your personal data is processed for the following purposes:

• improving and upgrading the website,
• analyzing browsing behavior in the online store,
• segmentation and analytics, and
• email notifications.

If we intend to further process your personal data for a purpose other than the one for which it was collected, we will provide you with all legally required information regarding the new purpose before any additional processing, in accordance with Article 13 of the General Data Protection Regulation.

Providing personal data is a requirement necessary for entering into a contract, delivering goods and services, resolving any complaints or disputes by individuals, etc. If such data is not provided, purchasing products through our online store will not be possible.

We process data on the basis of the following legal grounds:

• (a) Article 6(1)(a) of the General Data Protection Regulation: the data subject has given consent to the processing of their personal data for one or more specific purposes;
• (b) Article 6(1)(b) of the General Data Protection Regulation: processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract;
• (f) Article 6(1)(f) of the General Data Protection Regulation: processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, especially where the data subject is a child.

Right to withdraw consent (Article 7 of the GDPR) – If the processing of personal data is based on your consent, you have the right to withdraw your consent at any time by submitting a written notice to the data protection officer. In such cases, we will stop processing your personal data unless another legal basis for processing exists. The withdrawal of consent is effective from the moment it is communicated and does not affect the legality of processing based on consent before its withdrawal.

Legitimate interest: The controller may process personal data based on its legitimate interest to conduct business on the market, but only if—after careful consideration—these interests are not overridden by the interests or fundamental rights and freedoms of the data subject. This assessment takes into account the reasonable expectations of individuals in relation to the controller. Legitimate interest includes processing necessary to prevent fraud or abuse or to collect unpaid contractual obligations from customers. Additionally, based on legitimate interest, customer data may be processed for direct marketing purposes, but only for a limited time period (up to five years from the last purchase), in accordance with applicable laws and only in a limited, non-intrusive, and infrequent manner. Such processing does not involve special categories of personal data or automated decision-making regarding the rights of individuals in relation to the controller. The data subject may object to this processing at any time free of charge, request rectification of personal data, or request temporary or permanent cessation of data processing for direct marketing purposes.

In accordance with the principle of data minimization, we collect only the data that is strictly necessary to achieve a specific purpose:

• first and last name
• delivery and billing address
• email address
• telephone number, fax number
• in the case of participation in prize draws where the prize value exceeds EUR 42, we also collect your tax number, if the prize is monetary, we also collect your bank account number and related banking details

If necessary to achieve the above-mentioned purposes of processing or if required by law, your personal data may be disclosed to natural or legal persons, public authorities, or other bodies (external recipients). Regardless of which external recipients we share your personal data with, we will only provide the data that is necessary to achieve the specific purpose of processing.

Your data may be disclosed to the following external recipients:

• April 8 d.o.o. – Website maintainer for visitmaribor.si
• Medijska klinika d.o.o. – Website maintainer for https://shop.visitmaribor.si

When, in accordance with applicable regulations, we engage other natural or legal persons to process your personal data exclusively on our behalf and in accordance with our instructions (processors), we will only engage those who are able to implement appropriate technical and organizational measures that meet the requirements of the General Data Protection Regulation and data protection laws, and who ensure adequate protection of your rights.

Your personal data is processed within the European Economic Area (EEA).

If there is a need to transfer your personal data to recipients in third countries, we will do so only if the European Commission has issued a decision that those countries ensure an adequate level of data protection as required by the General Data Protection Regulation (GDPR), or if appropriate safeguards are in place (e.g., Standard Contractual Clauses). For information about the adopted security measures, you can contact our Data Protection Officer mentioned in section 2 of this notice.

Data necessary for the execution of the contractual relationship may be retained for up to 5 years (the general statute of limitations) after the termination of the contractual relationship, based on Article 346 of the Obligations Act (OZ, Official Gazette of the Republic of Slovenia, No. 97/2007 – consolidated text, 64/2016 – Constitutional Court decision, and 20/2018 – OROZ631).

Data obtained based on your consent is retained only as long as you have given consent for its processing, except in cases where other legal grounds require a longer retention period.

As a data subject whose personal data we process, we would like to inform you that under the conditions laid down by the General Data Protection Regulation (GDPR), you have the following rights regarding the processing of your personal data:

• Right of access (Article 15 GDPR) – the right to receive information on whether we process your personal data, and if so, to access that personal data and information including the categories of data processed, the purpose of processing, retention period, transfer to third countries, etc.
• Right to rectification (Article 16 GDPR) – the legal right to correct inaccurate personal data and to complete incomplete personal data.
• Right to erasure (“right to be forgotten”) (Article 17 GDPR) – the right to have your personal data erased if, among other reasons, the data are no longer necessary for the purposes for which they were collected, if you withdraw your consent and there is no other legal ground for processing, or if your personal data were processed unlawfully. This right is subject to limitations and cannot be exercised if processing is necessary for establishing, exercising, or defending legal claims or for compliance with a legal obligation.
• Right to restriction of processing (Article 18 GDPR) – the right to request that we restrict the processing of your personal data (e.g., if you contest the accuracy or purpose of processing), except for storage and some other types of processing.
• Right to object to processing (Article 21 GDPR) – the right to object to the processing of personal data concerning you that we process on the basis of legitimate interests, including profiling. In this case, we may process the data only if we demonstrate overriding legitimate grounds or for the establishment, exercise, or defense of legal claims.
• Right to data portability (Article 20 GDPR) – the right to receive your personal data in a structured, commonly used, and machine-readable format and to transfer those data to another controller if the processing is automated and based on your consent or a contract.
• Right to withdraw consent (Article 7 GDPR) – if the processing of your personal data is based on your consent, you have the right to withdraw that consent at any time by providing written notice to our Data Protection Officer. Upon withdrawal, we will no longer process your personal data unless another legal basis applies. Withdrawal takes effect from the moment it is made and does not affect the lawfulness of processing carried out before withdrawal.

If you wish to exercise any of your rights concerning the processing of your personal data, you can contact our Data Protection Officer using the contact details provided in section 2 of this notice.

To act on your request to exercise your rights, we may require additional information to verify your identity. If we cannot verify your identity, we have the right to refuse your request.

If your requests are manifestly unfounded or excessive, especially due to their repetitive nature, we have the right to charge a reasonable fee or refuse to act on the request.

If you believe that we are violating the provisions on personal data protection in our processing of your personal data, you have the right to lodge a complaint with the supervisory authority. In the Republic of Slovenia, this authority is the Information Commissioner (address: Dunajska 22, 1000 Ljubljana, email: gp.ip@ip-rs.si, phone: +386 1 230 97 30, website: www.ip-rs.si).

Without prejudice to your right to lodge a complaint with the supervisory authority, we suggest that before submitting a complaint, you contact our Data Protection Officer to clarify any possible disputes.

Your personal data are not subject to automated decision-making, including profiling, as defined in paragraphs 1 and 4 of Article 22 of the General Data Protection Regulation.