On the basis of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter: GDPR) and the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, hereinafter: ZVOP-2), the director of the company, Borut Knapič, issues the following Rulebook.
I. General provisions
This Rulebook defines the organizational, technical and logical-technical procedures and measures for the protection of personal data in the company Knapič d.o.o.
with a view to ensuring that:
- personal data are processed lawfully, fairly and transparently;
- personal data are collected for specified, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes;
- by default, only the personal data necessary for each specific purpose of the processing are processed; this obligation applies to the amount of personal data collected, the extent of their processing, the period of their retention and their accessibility;
- the rights and freedoms of data subjects are respected and protected;
- the security of personal data is ensured, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage;
- the company can demonstrate compliance with personal data protection legislation.
This Rulebook lays down the obligations of the employees of Knapič d.o.o. that must be observed.
The provisions of this Rulebook also apply to other persons who carry out work in the company on a basis other than a contract of employment.
In case of doubt about the meaning of any provision of this document, please contact Jana Pirečnik Knapič.
For the purposes of this Rulebook, the following terms have the meanings set out below:
- Personal data – the meaning is the same as in the GDPR.
- An individual – is an identified or identifiable natural person to whom the personal data relate; a natural person is identifiable if he can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors characterizing his physical, physiological, mental, economic, cultural or social identity, provided that the method of identification does not involve high costs or require a lot of time.
- Collection of personal data – the meaning is the same as in the GDPR.
- Processing of personal data – the meaning is the same as in the GDPR.
- The data controller – the meaning is the same as in the GDPR.
- Sensitive personal data – the meaning is the same as in the GDPR.
- Data carrier – all types of media on which data are written or recorded (documents, acts, materials, files, computer equipment including magnetic, optical or other computer media, photocopies, audio and visual material, microfilm, data transmission devices, etc.).
- Employees – means persons who have concluded an employment contract with the company, persons who work in the company as pupils or students, persons who perform work in the company on the basis of a contract between the company and their employer whose activity is the provision of workers to other employers, and persons performing work for the company on the basis of civil law contracts.
- Security incident – means a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The company keeps and maintains a record of the activity of processing personal data with the prescribed components, in accordance with the provision of Article 30 of the GDPR, for each collection separately.
Records of processing activities are kept in electronic form; access to them is available only to authorized persons.
Each department manager is responsible for keeping the record of processing activities for the collections kept within his department, and the director supervises this.
Only personal data for which there is an appropriate legal basis under the provisions of the GDPR or other legislation may be processed in the company or for the needs of the company. If no legal basis for processing exists, active processing of the personal data must cease immediately, access to them must be disabled, and the director of the company must be notified; the director determines the further handling of such data.
Personal data may only be collected for specified and lawful purposes and may not be further processed in a way that would be incompatible with those purposes, unless otherwise provided by law. When the company intends to further process personal data for a purpose other than the one for which they were collected, it must check whether the new purpose is compatible with the original one and draw up a written report on this.
Measures to ensure the security of specific personal data (collections), such as, inter alia, pseudonymization and encryption, limitation of retention and access periods, processing restrictions, purpose limitation, etc., and the manner of their implementation are determined by Knapič d.o.o.
Special types of personal data may only be processed in accordance with the provisions of the GDPR and other legislation. During processing, such data must be specifically marked and secured in such a way that unauthorized persons cannot access them.
Individuals must be informed of the processing of their personal data in accordance with Articles 12, 13 and 14 of the GDPR. The head of the department within which the individual collection is kept is responsible for carrying out these notifications.
Each department manager within whose department the individual collection is kept is obliged (for each individual collection) to define and maintain a written list of persons who, due to the nature of their work and/or function, may process certain personal data or have access to collections (hereinafter: “authorized processors”). Heads of departments are obliged to forward the written lists of authorized processors to the director of the company.
An individual has the right to obtain confirmation from the company as to whether his personal data are being processed and, if so, to have access to those personal data and to the information referred to in paragraph 1 of Article 15 of the GDPR.
An individual has the right to obtain from the company, without undue delay, the rectification of inaccurate personal data concerning him and the completion of incomplete personal data.
An individual has the right to obtain the erasure of personal data relating to him without undue delay when one of the following reasons applies:
- personal data are no longer needed for the purposes for which they were collected or otherwise processed;
- an individual revokes the consent on the basis of which the processing takes place and there is no other legal basis for processing;
- an individual objects to the processing and there are no overriding legitimate grounds for the processing;
- personal data have been processed unlawfully;
- personal data must be erased in order to comply with a legal obligation;
- personal data were collected in connection with the offer of information society services to a minor.
An individual has the right to obtain from the company the restriction of processing when one of the following cases applies:
- an individual disputes the accuracy of the data, for a period that allows the company to verify the accuracy of the personal data;
- the processing is unlawful and the individual opposes the erasure of the personal data and requests the restriction of their use instead;
- the company no longer needs the personal data for the purposes of processing, but the individual needs them for the establishment, exercise or defence of legal claims;
- an individual has objected to the processing, pending verification of whether the legitimate grounds of the controller override those of the data subject.
An individual has the right to receive the personal data that he has provided to the company in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the company, when:
- processing is based on consent and
- processing is carried out with automated means.
The director of the company is obliged to ensure that individuals are informed in an appropriate way, in accordance with the requirements of the GDPR, of the rights referred to in the preceding paragraphs of this Article. The director also arranges a single point of contact for individuals when exercising their rights.
For the exercise of the rights of individuals and communication with them, the head of the department responsible for the collection containing the individual's personal data is in charge. If the individual's personal data are located in several collections, the director of the company designates the competent head of department.
The head of the department, or any other person who becomes aware of it, is obliged to draw attention to the fact that planned processing of personal data, in particular (but not exclusively) processing using new technologies, could, taking into account the nature, scope, circumstances and purposes of the processing, result in a high risk to the rights and freedoms of individuals.
In this case, the director decides whether an assessment of the impact of the envisaged processing operations on the protection of personal data is necessary. The head of the department, or alternatively the authorized person Jana Pirečnik Knapič, is responsible for carrying out the impact assessment. All employees who can make the necessary data and assessments available are obliged to participate.
The impact assessment is carried out in writing and includes:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interests pursued by the company;
- an assessment of the necessity and proportionality of the processing operations in relation to their purpose;
- an assessment of the risks to the rights and freedoms of data subjects;
- measures to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.
If the department manager or another person who has carried out the impact assessment finds that the envisaged processing would result in a high risk in the absence of measures taken by the company to mitigate that risk, he is obliged to inform the director of the company so that it can be determined whether consultation with the supervisory authority is required.
II. Security of premises and computer equipment
The premises in which personal data carriers, hardware and software are located (protected areas) must be protected by organizational and physical and/or technical measures that prevent unauthorized persons from accessing the data.
Access is possible only during regular working hours, and outside this time only with the permission of Knapič d.o.o.
Keys are not left in the door lock from the outside.
Protected areas must not be left unsupervised, or must be locked in the absence of the workers who supervise them.
Outside of working hours, cabinets and desks with personal data carriers must be locked; computers and other hardware switched off and physically or programmatically locked.
Employees must not leave personal data on the tables in the presence of persons who have no right to view them.
Carriers of personal data located outside protected areas (corridors, common spaces) must be permanently locked.
Sensitive personal data must not be kept outside the protected areas.
An employee who uses or processes personal data in his work may not, during working hours, leave personal data unattended on desks or otherwise expose them to the risk that unauthorized persons may gain access to them.
Keys, cards, passwords and other assets that allow access to protected areas must be protected, managed and kept conscientiously and carefully. Any loss or theft, or any suspicion of misuse, must be reported immediately.
In premises intended for dealing with customers, data carriers and computer displays must be installed in such a way that customers do not have access to it.
Maintenance and repair of computer hardware and other equipment is permitted only with the knowledge of the authorized person, and may only be performed by authorized services and maintenance providers who have concluded an appropriate contract with, or hold an order form issued by, Knapič d.o.o.
Providers of premises, hardware and software, visitors and business partners may move within protected areas only with the knowledge of an authorized person. Employees such as cleaners, security guards, etc. may move outside working hours only in those protected areas where access to personal data is prevented (data carriers are stored in locked cabinets and desks, and computers and other hardware are switched off or otherwise physically or programmatically locked).
III. Protection of system and application software and of data processed with computer equipment
Access to the software must be protected in such a way that only the designated employees, or the legal or natural persons who perform agreed services under a contract, have access to it for that purpose.
Correction, modification and supplementation of system and application software is permitted only on the basis of authorization by an authorized person, and may only be performed by authorized services, organizations and individuals who have concluded an appropriate contract with Knapič d.o.o.
The same terms and conditions apply to the storage and protection of the application software as for the other data contained in this policy.
The contents of the network server disks and local workstations on which personal data are located are checked continuously for the presence of computer viruses. If a computer virus appears, it is eliminated as soon as possible, and the cause of its appearance in the computer information system is established at the same time.
All personal data and software intended for use in the computer information system and arriving in Knapič d.o.o. on media for transmission of computer data or via telecommunication channels must be checked before use for the presence of computer viruses.
Employees must not install software without the knowledge of the person in charge of the operation of the computer information system. They must also not remove the software from the computer information system without the permission of Knapič d.o.o.
Access to data through application software is protected by a system of passwords for authorizing and identifying users of programs and data; the password system must also allow subsequent identification of when individual personal data were entered into the database, used or otherwise processed, and by whom.
All passwords and procedures used for accessing and administering the network of personal computers (supervisory or administrator passwords), administering e-mail and administering application programs are stored in sealed envelopes and protected against access by unauthorized persons. They are used only in exceptional circumstances or in case of emergency.
Personal data can only be stored and processed locally (on local computers and other similar devices) in exceptional cases, where this is strictly necessary in view of the nature of the work. After the end of the need for such storage and processing of personal data, personal data must be transferred to centralized databases or permanently deleted.
Any copies of the contents of personal data collections on local media (external disks, USB keys, etc.) are stored in locked cabinets.
For the purpose of restoring the computer system in case of failures and other exceptional situations, the contents of the network server, and of local workstations if data are stored there, are copied regularly.
These copies are stored in designated locations that must be fireproof, protected against floods and electromagnetic disturbances, kept within the prescribed climatic conditions, and locked.
IV. Services provided by external legal or natural persons
With any outside legal or natural person who performs individual tasks relating to the collection, processing, storage or transmission of personal data and is registered to perform such an activity (contractual processor), the written contract provided for in paragraph 2 of Article 28 of the General Data Protection Regulation must be concluded. Such a contract must also prescribe the conditions and measures for ensuring the protection and security of personal data. Before concluding a contract with a processor, the responsible person (usually the head of the department) is obliged to obtain from the processor data that enable him to verify that the processor meets the requirements of personal data protection legislation; this includes the disclosure of all sub-processors, including their names and registered offices.
This also applies to outsiders who maintain hardware and software, and manufacture and install new hardware or software.
External legal or natural persons may provide personal data processing services only within the framework of the authorizations given by the person placing the order, and may not process or otherwise use the data for any other purpose.
An authorized legal or natural person who carries out agreed services for Knapič d.o.o. outside the premises of the controller must apply at least as strict a method of protecting personal data as provided for in this Rulebook.
In addition to other requirements, the company must secure in its contracts with processors the right to carry out a review or audit of personal data protection at the contractor at least once a year. The review or audit must be carried out upon any suspicion or indication that the processor is in breach of the contract concluded or does not provide a sufficient level of protection of personal data. The audit is carried out at the expense of the company, but the processor may not charge the company for the engagement of its staff and/or sub-processors.
V. Reception and transmission of personal data
The worker in charge of receiving and registering mail must deliver a postal item containing personal data directly to the individual, or to the service, to which the consignment is addressed.
The worker in charge of receiving and registering mail opens and inspects all postal items and consignments otherwise delivered to the administrative body by parties or couriers, with the exception of the consignments referred to in the third and fourth paragraphs of this Article.
The worker in charge of receiving and registering mail does not open consignments addressed to another body or organization that have been delivered by mistake, consignments marked as personal data, or consignments whose envelope label indicates that they relate to a competition or tender.
The worker in charge of receiving and registering mail must not open consignments addressed to a worker whose envelope indicates that they are to be served personally on the addressee, nor consignments on which the worker's personal name is stated first, without indication of his official position, followed only then by the address of the administrative body.
Personal data may be transmitted by information, telecommunication and other means only using procedures and measures that prevent unauthorized persons from tampering with or destroying the data and from unjustifiably learning their content.
Sensitive personal data are sent to addressees in sealed envelopes against signature in the delivery book or by registered letter.
Personal data are sent by registered post.
The envelope in which personal data are transmitted must be made in such a way that its contents are not visible under normal light or when the envelope is illuminated by ordinary light. The envelope must also ensure that it cannot be opened and its contents accessed without a visible trace of opening.
The processing of sensitive personal data must be specifically marked and protected.
The data referred to in the preceding paragraph may only be transmitted via telecommunication networks if they are specially protected by cryptographic methods and electronic signature in such a way as to ensure the illegibility of the data during transmission.
Personal data are provided only to users who present an appropriate legal basis or the written request or consent of the data subject.
For each transfer of personal data, the recipient must file a written application that clearly states the provision of the law authorizing the user to obtain the personal data, or to which the written request or consent of the data subject is attached.
In case of obtaining and transferring personal data between public authorities, the provisions of the regulation governing administrative operations must also be considered.
Originals of documents are never transmitted except on the basis of a court order. While the original is absent, it must be replaced with a copy.
VI. Deletion of Data
After the expiry of the retention period, personal data are effectively erased, destroyed or anonymised, unless otherwise provided by law or another act.
The head of the department decides on the erasure, destruction or anonymisation of personal data. A record of the destruction, erasure or anonymisation of personal data is made; it may not contain personal data of the individuals whose data have been deleted, destroyed or anonymised.
Data on computer media are deleted using a method that makes it impossible to restore all or part of the deleted data.
Data on classic media (documents, files, registers, lists …) are destroyed in a way that prevents reading of all or part of the destroyed data. The exact method of destruction for individual types of personal data or carriers is determined by the company’s director.
Ancillary material (such as matrices, calculations and charts, sketches, test or unsuccessful printouts, etc.) is destroyed in the same way.
It is prohibited to dispose of waste data carriers containing personal data in waste or recycling bins.
When transferring personal data carriers to the place of destruction, adequate protection must also be provided during the transfer.
VII. Action in case of security incidents concerning personal data
Employees are obliged to implement measures to prevent the misuse of personal data and must handle the personal data they become acquainted with in their work conscientiously and carefully, in the manner and in accordance with the procedures laid down in this Rulebook.
Employees are obliged to immediately notify the authorized person or their superior of any activity related to the unauthorized destruction of confidential data, their malicious or unauthorized use, alteration or damage, and must themselves try to prevent such activity.
The director of the company must inform the Information Commissioner within 72 hours of any personal data breach. Where a personal data breach is likely to pose a high risk to the rights and freedoms of individuals, the director of the company must ensure that the affected individuals are informed without undue delay that a personal data breach has occurred.
The director of the company is obliged to ensure that, after a security incident, an analysis of the causes is carried out and measures are proposed to reduce or eliminate the risk of such and similar future security incidents, and that, where appropriate and possible, the proposed measures are also implemented.
If it turns out that an employee caused or was involved in the security incident, or that the security incident occurred due to the employee's negligence, the director of the company shall, regardless of the other provisions of this Rulebook, take appropriate employment-related measures against the employee.
VIII. Responsibility for the implementation of security measures and procedures
The director of the company and the authorized persons who are not employees of the company are responsible for supervising the implementation of the procedures and measures for the protection of personal data.
The supervision referred to in paragraph 1 of this Article also includes procedures for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of processing. All employees and other persons in the company are obliged to participate in this.
Anyone processing personal data is obliged to implement the prescribed procedures and measures for data protection and to protect the data of which he has learned or become acquainted with in the performance of his/her work. The obligation to protect data does not end with the termination of the employment relationship.
Prior to commencing work on a workplace where personal data are processed, the employee must sign a separate statement obliging him/her to protect personal data.
The signed declaration must show that the signatory is aware of the provisions of this Rulebook and of the General Data Protection Regulation, and must also include instruction on the consequences of a violation.
For violation of the provisions of the previous Article, employees are disciplinarily liable, and other persons are liable on the basis of their contractual obligations.
IX. Final Provisions
This Rulebook enters into force on 25.5.2018.
This Rulebook is published on 25.5.2018. Employees are given access to it on this website, as well as in writing from an authorized person.
Prepared by: Jana Pirečnik Knapič
According to the GDPR, this record is not required for companies with fewer than 250 employees, EXCEPT if:
- processing is likely to pose a risk to the rights and freedoms of individuals (it is therefore invasive);
- processing is NOT occasional;
- processing includes specific types of data.
Against this background, and especially in view of the condition concerning the (non-)occasional nature of the processing, it is recommended that companies with fewer than 250 employees also keep records of processing activities.