The purpose of the Personal Data Protection Policy is to inform individuals, service users, colleagues and employees and other persons (hereinafter referred to as "the individual") who interact with the Maribor Youth Cultural Centre (hereinafter referred to as "the organisation") about the purposes and legal bases, security measures and the rights of individuals with regard to the processing of personal data carried out by our organisation.
We value your privacy and therefore always protect your data carefully.
We process your personal data in accordance with European legislation (Regulation (EU) 2016/697 on the protection of individuals with regard to the processing of personal data and on the movement of such data (hereinafter: the General Regulation)) and the applicable legislation in the field of personal data protection (Personal Data Protection Act (ZVOP-1, Journal of Laws of the Republic of Slovenia No. 94/07)) and other legislation that provides us with a legal basis for the processing of personal data.
The Personal Data Protection Policy contains information for individuals on how our organisation, as the controller, processes the personal data it receives from an individual on the basis of the legal grounds described below.
The data controller is the following organisation:
Mladinski kulturni center Maribor (Youth Cultural Centre Maribor)
Ob železnici 16, 2000 Maribor
Contact person: Marja Guček, CEO
Phone: +386 (0) 2 300 2 881
In accordance with Article 37 of the General Regulation, we have appointed the following company as Data Protection Officer:
DATAINFO.SI, d. o. o.
Tržaška cesta 85, SI-2000 Maribor
Phone: +386 (0) 2 620 4 300
Personal data means any information relating to an identified or identifiable natural or legal person (hereinafter referred to as 'data subject'); an identifiable natural or legal person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an identifier on the Internet, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural or legal person.
Purposes of processing and grounds for processing
The organisation collects and processes your personal data on the following legal bases:
- the processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the performance of a contract to which the data subject is a party or for the performance of measures at the request of such data subject prior to the conclusion of the contract;
- processing is necessary for the legitimate interests pursued by the controller or by a third party;
- the data subject has consented to the processing of his or her personal data for one or more specified purposes;
- processing is necessary for the protection of the vital interests of the data subject or of another natural person.
Fulfilling a legal obligation or carrying out a task in the public interest
Based on the provisions of the law, the organisation primarily processes data on its employees, as allowed by labour law. Thus, on the basis of the legal obligation, the organisation processes in particular the following types of personal data: name and surname, gender, date of birth, EMN, tax number, place, municipality and country of birth, nationality, residence for the purposes of the performance of the employment contract and the obligations arising therefrom.
The legal basis for the processing of personal data of individuals is also: Act on the Exercise of the Public Interest in Culture, the Labour Relations Act, the Act on the Provision of Funds for Certain Urgent Programmes of the Republic of Slovenia in the Field of Culture, and other legislation in the field of culture, the Collective Agreement for the Public Sector, the Collective Agreement for Cultural Activities in the Republic of Slovenia, and the Collective Agreement for Non-Economic Activities in the Republic of Slovenia. Zakon o uresničevanju javnega interesa za kulturo, Zakon o delovnih razmerjih, Zakon o zagotavljanju sredstev za nekatere nujne programe Republike Slovenije v kulturi in druga zakonodaja s področja kulture, Kolektivna pogodba za javni sektor, Kolektivna pogodba za kulturne dejavnosti v Republiki Sloveniji in Kolektivna pogodba za negospodarske dejavnosti v Republiki Sloveniji.
In limited cases, the processing of personal data is also permissible in the organisation on the basis of public interest.
If you enter into a specific contract with an organisation, this constitutes the legal basis for the processing of your personal data. We may therefore process your personal data for the purpose of concluding and performing a contract, such as a contract for hotel services at Hostel Pekarna. For the purpose of performing a hotel service contract, the organisation needs your name, email address, telephone number, start and end of service, card number.
If the individual does not provide the personal data, the organisation cannot conclude the contract, nor can the organisation perform the service or deliver goods or other products to you in accordance with the contract, as it does not have the necessary data for performance. The organisation may, by virtue of carrying out a lawful activity, inform individuals and users of its services of its services, events, training, offers and other content by sending an email to their email address. The individual may at any time request to stop such communication and processing of personal data and to cancel the receipt of communications via the unsubscribe link in the communication received, or as a request by email to firstname.lastname@example.org or by regular mail to the address of the organisation. email@example.com ali z redno pošto na naslov organizacije.
Processing of data for the purpose of keeping a guest book
For the purpose of check-in and check-out of guests, the organisation shall keep a guest register in accordance with the Act on Registration of Residence, which shall contain the following information: the serial number of the guest's registration, the name and surname, date of birth, sex, nationality and number and type of identification document, the date of arrival and departure of the guest, the time of arrival and departure of the guest, the date of check-in and check-out of the guest, information for the purpose of calculation and payment of the tourist tax, if the host is liable for payment of the tourist tax in accordance with the law regulating the promotion of tourism, information on the host, namely the host's name and surname or title, the host's registration number, or the EMN of a host who is not obliged to be entered in the register of accommodation establishments in accordance with the law regulating the catering industry, and the address or registered office and business address of the host, the details of the accommodation establishment or establishment, namely the name, address and establishment identification number of the accommodation establishment as entered in the register of accommodation establishments, if the host is obliged to be entered in the register of accommodation establishments in accordance with the law governing the catering industry, information for statistical purposes, namely the reporting status, the capacity available, the number of capacity sold and the number of days the establishment has been open, if the host is obliged to be entered in the register of accommodation establishments in accordance with the law governing the hospitality industry, other information which the host enters for the purposes of his business.
The legal basis for the processing of data is the law.
Guest data is kept by the organisation for a calendar year. After one year from the end of the calendar year, the host shall delete the data from the electronic guest book or destroy it if the guest book is kept in physical form.
The legitimate interest ground is limited to processing by public authorities in the performance of their tasks. However, an organisation may also process personal data on the basis of a legitimate interest pursued by the organisation to a limited extent. The latter is not permissible where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. In the case of the application of legitimate interest, the organisation shall always carry out an assessment in accordance with the GDPR.
As a result, we may from time to time inform individuals about services, events, training, offers and other content via email, telephone calls and ordinary mail. An individual may at any time request to cease such communications and processing of personal data and to opt-out of receiving communications via the unsubscribe link in the communication received, or as a request by email to firstname.lastname@example.org or by regular mail to the organisation's address. email@example.com oz. z redno pošto na naslov organizacije.
Processing on the basis of consent or consent
If the organisation does not have a legal basis based on the law, the performance of a public task, a contractual obligation or a legitimate interest, it may ask the individual for consent. In this way, it may also process certain personal data of the data subject for the following purposes, where the data subject has given his or her consent:
- your home address and email address for information and communication purposes,
- tax number or EMN for the purposes of possible enforcement in the event of default (e.g. non-payment of an invoice),
- photographs, video recordings and other content relating to the individual (e.g. recordings at public events) for the purposes of documenting activities and informing the public about the work and events of the organisation;
- other purposes for which the individual has consented.
If the data subject has given his/her consent to the processing of personal data and at some point no longer wishes to do so, he/she may request that the processing of personal data be discontinued by sending a request by e-mail to firstname.lastname@example.org or by regular mail to the address of the organisation (MKC Maribor, Ob železnici 16, 2000 Maribor).
Retention and deletion of personal data
The organisation will keep personal data only for as long as necessary to fulfil the purpose for which the personal data were collected and processed. If the organisation processes the data on the basis of a law, the organisation will keep the data for the period prescribed by the law. In this respect, some data will be kept for the duration of the cooperation with the organisation and some data must be kept permanently.
Personal data processed by the organisation on the basis of a contractual relationship with an individual will be kept by the organisation for the period necessary for the performance of the contract and for 6 years after its termination, except in cases where there is a dispute between the individual and the organisation in relation to the contract. In such a case, the organisation shall keep the data for 5 years after the final decision of a court, arbitration or court settlement or, if there has been no court settlement, for 5 years from the date of amicable settlement of the dispute.
Those personal data processed by the organisation on the basis of the individual's personal consent or legitimate interest will be retained by the organisation until the consent is withdrawn or until the data are erased. Upon receipt of a revocation or a request for erasure, the data shall be erased within a maximum of 15 days. The organisation may also delete the data prior to revocation where the purpose of the processing of personal data has been achieved or where required by law.
Exceptionally, an organisation may refuse a request for erasure on the grounds set out in the General Regulation, such as: the exercise of the right to freedom of expression and information, compliance with a legal obligation to process, grounds of public interest in the field of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the exercise or defence of legal claims.
After the retention period has expired, the controller shall erase or anonymise the personal data effectively and permanently so that they can no longer be associated with a specific individual.
Contractual processing of personal data and data export
The contractual processors with which the provider cooperates are mainly:
- accounting services and other providers of legal and business advice;
- infrastructure maintenance (video surveillance, security, cleaning services);
- information systems maintenance;
- email service providers and software, cloud service providers (e.g. Arnes, Microsoft, Google, Squarespace, MailChimp, SqualoMail);
- social networking and online advertising providers (Google, Facebook, Instagram, Twitter, YouTube, TikTok, etc.).
Under no circumstances will the Organisation disclose the personal data of an individual to unauthorised third parties.
Contracted processors may only process personal data within the scope of the Organisation's instructions and may not use personal data for any other purpose.
The Organisation, as controller, and its employees do not export personal data to third countries (outside the Member States of the European Economic Area - EU Member States plus Iceland, Norway and Liechtenstein) and to international organisations, except to the USA, where the relationship with US contract processors is governed by standard contractual clauses (standard contracts adopted by the European Commission) and/or binding corporate rules (adopted by the Organisation and approved by the supervisory authorities in the EU).
The organisation as controller and its employees do not export personal data to third countries (outside the European Economic Area - EU Member States plus Iceland, Norway and Liechtenstein) and to international organisations, except to the USA, where US contract processors are included in the EU-US Privacy Shield programme. For more information on the EU-US Privacy Shield, see the Information Commissioner's Office: https://www.ip-rs.si/varstvo-osebnih-podatkov/obveznosti-upravljavcev/iznos-osebnih-podatkov-v-tretje-drzave/iznos-osebnih-podatkov-v-zda/.
The organisation's website works with the help of cookies. A cookie is a file that stores the settings of web pages. Cookies are stored by websites on users' devices used to access the internet in order to identify individual devices and the settings used by users to access the internet. Cookies allow websites to recognise if a user has visited that website before and, in the case of advanced applications, they can be used to adjust individual settings accordingly. Their storage is under the full control of the browser used by the user - which can restrict or disable the storage of cookies if desired.
Cookies are essential for providing user-friendly online services. They are used to store information about the state of a particular website, to help gather statistics about users and website traffic, etc. Cookies can therefore be used to evaluate the effectiveness of our website design.
The organisation's website uses the following cookies:
(Cookie name / Duration / Function)
PH_HPXY_CHECK / session / information about the current session
The storage and management of cookies is under the full control of the browser used by the user. The browser can restrict or disable the storage of cookies if it wishes. You can also delete cookies that have been stored by your browser, instructions can be found on the web pages of each browser.
The Maribor Youth Cultural Centre has video surveillance. Video surveillance (cameras are installed around the entrances to the organisation and in the lifts in the administration building) is used to monitor entrances to and exits from the premises (based on Article 77 of ZVOP-2). Video surveillance is also carried out for the purpose of protecting individuals (users, employees and visitors) and the property of the organisation (on the basis of legitimate interest as defined in Article 6(1)(f) of the General Regulation, in conjunction with Articles 76 et seq. of the GDPR).
Data Protection and Data Accuracy
The organisation takes care of information security and the security of the infrastructure (premises and application system software). Our information systems are protected by, among other things, anti-virus programmes and firewalls. We have put in place appropriate organisational and technical security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access and against other unlawful and unauthorised forms of processing. In the case of the provision of special types of personal data, we provide them in encrypted and password-protected form.
It is your responsibility to provide us with your personal data securely and to ensure that the data provided is accurate and authentic. We will endeavour to ensure that the personal data we process about you is accurate and, where necessary, kept up to date, and we may contact you from time to time to confirm the accuracy of your personal data.
Rights of the individual with regard to data processing
Under the GDPR, the data subject has the following data protection rights:
You can request information about whether we hold personal data about you and, if so, what data we hold and on what basis we hold it and why we use it.
You can request access to your personal data, which allows you to receive a copy of the personal data we hold about you and to check whether we are processing it lawfully.
Request corrections to your personal data, such as correcting incomplete or inaccurate personal data.
Request the erasure of your personal data where there is no reason for further processing or where you exercise your right to object to further processing.
Object to further processing of your personal data where we rely on legitimate commercial interest (including in the case of legitimate interest of a third party), where there are grounds relating to your particular situation; notwithstanding the provision of the previous sentence, you have the right to object at any time if we process your personal data for direct marketing purposes.
You request the restriction of the processing of your personal data, which means the cessation of the processing of personal data about you, for example, if you want us to establish its accuracy or to verify the grounds for its further processing.
You request the transfer of your personal data in a structured electronic format to another controller, insofar as this is possible and feasible.
You withdraw the consent or assent you have given to the collection, processing and transfer of your personal data for a specific purpose; upon notification that you have withdrawn your consent, we will cease to process your personal data for the purposes you originally consented to, unless we have another lawful legal basis to do so lawfully.
If you wish to exercise any of the rights set out above, please send your request by email to email@example.com or by regular mail to the organisation's address: the Maribor Youth Cultural Centre, Ob železnici 16, 2000 Maribor.
Access to your personal data and exercised rights is free of charge. However, we may charge a reasonable fee if the data subject's request is manifestly unfounded or excessive, in particular if it is repetitive. In such a case, we may also refuse the request.
You will be informed if this time limit is extended (by up to two additional months), taking into account the complexity and number of requests. Access to the personal data and the rights exercised is free of charge for the data subject. However, the organisation may charge a reasonable fee if the data subject's request is manifestly unfounded or excessive, in particular if it is repetitive. In such a case, the organisation may also refuse the request. In the case of the exercise of rights under this title, the organisation may need to request certain information from the data subject to help it confirm the identity of the data subject, which is only a precautionary measure to ensure that personal data are not disclosed to unauthorised persons.
In exercising their rights under this title, or if the individual considers that their rights have been violated, they may seek protection or assistance from the supervisory authority, i.e. the Information Commissioner, at: https://www.ip-rs.si/.
If the data subject has any questions regarding the processing of personal data, he or she may always contact our organisation by e-mail at firstname.lastname@example.org or by regular mail at MKC Maribor, Ob železnici 16, 2000 Maribor.
Publication of changes
The Personal Data Protection Policy was adopted by Marja Guček, Director of MKC Maribor, on 25 October 2021.