Bogenšperk Castle

Personal data protection

Personal data protection policy

The purpose of the personal data protection policy is to inform individuals, service users, colleagues and employees and other persons (hereinafter: data subject) who cooperate with the Bogenšperk Public Institute (hereinafter: public institute) about the purposes and legal bases, security measures and rights of individuals regarding the processing of personal data carried out by the public institute.

At the public institute, we respect your privacy, therefore we process personal data in accordance with European legislation (Regulation (EU) 2016/697 on the protection of individuals with regard to the processing of personal data and on the flow of such data (hereinafter: General Regulation)) and applicable legislation in the field of personal data protection (Personal Data Protection Act (ZVOP-2, Official Gazette of the Republic of Slovenia, No. 163/22 and 40/25 – ZinfV-1)) and other legislation that gives us a legal basis for the processing of personal data.

Controller

The controller of personal data is the organisation:

Bogenšperk Public Institute
Staretov trg 12
1275 Šmartno pri Litiji
Phone: +386 1 898 78 67
E-mail: info@bogensperk.si

Authorised person

The Data Protection Officer is responsible for supervising the proper processing of your personal data. In accordance with Article 37 of the General Regulation, the Data Protection Officer is:

Mateja Krvina
E-mail: gdpr@idealis.si
Phone: +386 31 785 556

Personal data

Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as the data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Purposes of processing and grounds for processing
The organization collects and processes your personal data on the following legal grounds:

  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of such a person prior to entering into a contract;
  • the processing is necessary for the legitimate interests pursued by the controller or a third party;
  • the data subject has consented to the processing of his or her personal data for one or more specific purposes;
  • the processing is necessary to protect the vital interests of the data subject or other natural persons.

Fulfillment of a legal obligation or performance of a task in the public interest

Based on the provisions of the law, the organization primarily processes data about its employees, which is enabled by labor legislation. Thus, based on the legal obligation, the organization primarily processes the following types of personal data: name and surname, gender, date of birth, EMŠO, tax number, place, municipality and country of birth, citizenship, place of residence for the purposes of implementing the employment contract and obligations under this title.

The legal basis for the processing of personal data of individuals is also: the Public Sector Wage System Act, the Cultural Heritage Protection Act, the Institutions Act, the Act on the Realization of the Public Interest in Culture, the Civil Servants Act, the Employment Relationships Act.

In limited cases, the processing of personal data within an organization is also permissible on the basis of public interest.

Performance of a contract

If you conclude a specific contract with an organization, this constitutes the legal basis for the processing of personal data. We may process your personal data in order to conclude and perform a contract, such as ticket sales, membership in an association, provision of training, service contract, etc. If an individual does not provide personal data, the organization cannot conclude a contract, nor can the organization provide you with a service or deliver goods or other products in accordance with the concluded contract, as it does not have the necessary data for the performance. The organization may, on the basis of performing a lawful activity, inform individuals and users of its services about its services, events, training, offers and other content to their email address. An individual may at any time request the termination of such communication and processing of personal data and cancel the receipt of messages via the unsubscribe link in the received message, or as a request by email to info@bogensperk.si or by regular mail to the organization’s address.

Legitimate interest

The legitimate interest ground is limited to processing by public authorities in the performance of their tasks. However, an organisation may also process personal data on the basis of a legitimate interest pursued by the organisation to a limited extent. The latter is not permissible where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. In the case of the application of legitimate interest, the organisation shall always carry out an assessment in accordance with the GDPR.

As a result, we may from time to time inform individuals about services, events, training, offers and other content via email, telephone calls and ordinary mail. An individual may at any time request to cease such communications and processing of personal data and to opt-out of receiving communications via the unsubscribe link in the communication received, or as a request by email to info@bogensperk.si or by regular mail to the organisation’s address.

Processing based on consent

If the organisation does not have a legal basis based on the law, the performance of a public task, a contractual obligation or a legitimate interest, it may ask the individual for consent. It may also process certain personal data of the data subject for the following purposes where the data subject has given his or her consent:

  • residential address and e-mail address for the purposes of information and communication,
  • tax identification number or personal identification number for the purposes of possible enforcement in the event of default (e.g. non-payment of a bill),
  • photographs, video recordings and other content relating to the individual (e.g. recordings at public events) for the purposes of documenting activities and informing the public about the work and events of the organisation;
  • other purposes for which the individual has consented.

If the data subject has given consent to the processing of personal data and at some point no longer wishes to do so, he or she may request that the processing of personal data be stopped by sending a request by e-mail to info@bogensperk.si or by regular mail to the address of the organisation.

The processing is necessary to protect the vital interests of the data subject

The organisation may process the personal data of a data subject insofar as this is necessary to protect his or her vital interests. For example, the organisation may search for a personal document of the data subject, check whether that person exists in its database, examine his/her medical history or contact his/her relatives without the need for the consent of the data subject. The above applies in cases where it is strictly necessary to protect the vital interests of the individual.

Video surveillance

Public Institution Bogenšperk has video surveillance. Video surveillance (cameras are installed around the entrances to Bogenšperk Castle) is used to monitor entrances and exits to and from the premises (pursuant to Article 77 ZVOP-2). Video surveillance is also carried out for the purpose of protecting individuals (users, employees and visitors) and the property and cultural heritage of the organisation (on the basis of legitimate interest as defined in Article 6(1)(f) of the General Regulation, in conjunction with Articles 76 et seq. of ZVOP-2). Video surveillance is carried out within certain work areas where it is strictly necessary for the safety of people or property or cultural heritage. Video surveillance will assist us in detecting, handling or resolving incidents, crimes, claims for damages or other claims. Recordings are kept for 30 days. We do not carry out video surveillance in a way that would have a particular processing impact. Neither does video surveillance allow for unusual further processing, such as transfers to third-country entities or the possibility of audio intervention during live monitoring of events.

Video surveillance allows the monitoring of live events by an authorised person. All information concerning the implementation of video surveillance can be obtained by contacting the organisation’s telephone number or e-mail address. The rights of individuals are described in this Privacy Policy. You can also contact the Data Protection Officer if you have any further questions.

Retention and deletion of personal data

The organisation will keep personal data only for as long as necessary to fulfil the purpose for which the personal data were collected and processed. If the organisation processes the data on the basis of a law, the organisation will keep the data for the period prescribed by the law. In this respect, some data will be kept for the duration of the cooperation with the organisation and some data must be kept permanently.

Personal data processed by the organisation on the basis of a contractual relationship with an individual will be kept by the organisation for the period necessary for the performance of the contract and for 6 years after its termination, except in cases where there is a dispute between the individual and the organisation in relation to the contract. In such a case, the organisation shall keep the data for 5 years after the final decision of a court, arbitration or court settlement or, if there has been no court settlement, for 5 years from the date of amicable settlement of the dispute.

Those personal data processed by the organisation on the basis of the individual’s personal consent or legitimate interest will be retained by the organisation until the consent is withdrawn or until the data are requested to be erased. Upon receipt of a revocation or a request for deletion, the data shall be deleted within 15 days at the latest. The organisation may also delete the data prior to revocation where the purpose of the processing of personal data has been achieved or where required by law.

Exceptionally, an organisation may refuse a request for erasure on the grounds set out in the General Regulation, such as the following: the exercise of the right to freedom of expression and information, compliance with a legal obligation to process, grounds of public interest in the field of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the exercise or defence of legal claims.

After the retention period has expired, the controller shall erase or anonymise the personal data effectively and permanently so that they can no longer be associated with a specific individual.

Contractual processing of personal data and data export

The Organisation may entrust a contractual processor with the processing of personal data on the basis of a contractual processing agreement. Contract processors may process the entrusted data exclusively on behalf of the controller, within the limits of the controller’s authorisation, which is enshrined in a written contract or other legal act and in accordance with the purposes set out in this Privacy Policy.

The contractual processors with which the Provider cooperates are, in particular:

  • Information systems maintainers;

In no case will the Organisation disclose the personal data of an individual to unauthorised third parties.

Contract processors may only process personal data within the framework of the instructions of the organisation and may not use personal data for any other purpose.

The Organisation, as controller, and its employees do not export personal data to third countries (outside the Member States of the European Economic Area – EU Member States plus Iceland, Norway and Liechtenstein) and to international organisations, except to the USA, where the relationship with US contract processors is governed by standard contractual clauses (standard contracts adopted by the European Commission) and/or binding corporate rules (adopted by the Organisation and approved by the supervisory authorities in the EU).

Data protection and data accuracy

The organisation ensures information and infrastructure security (premises and application system software). Our information systems are protected by, among other things, antivirus and firewalls. We have put in place appropriate organisational and technical security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access and against other unlawful and unauthorised forms of processing. In the case of the provision of special types of personal data, we provide them in encrypted and password-protected form.

It is your responsibility to provide us with your personal data securely and to ensure that the data provided is accurate and authentic. We will endeavour to ensure that the personal data we process about you is accurate and, where necessary, kept up to date, and we may contact you from time to time to confirm the accuracy of your personal data.

Individual rights regarding data processing

In accordance with the General Regulation, an individual has the following rights regarding the protection of personal data:

  • You can request information about whether we have personal data about you and, if so, what data we have and on what basis we hold it and why we use it.
  • You can request access to your personal data, which allows you to receive a copy of the personal data we hold about you and to check whether we are processing it lawfully.
  • You can request rectification of personal data, such as the rectification of incomplete or inaccurate personal data.
  • You can request the erasure of your personal data where there is no reason for further processing or where you exercise your right to object to further processing.
  • You can object to further processing of personal data where we rely on a legitimate business interest (including in the case of a legitimate interest of a third party) where there are reasons relating to your particular situation; notwithstanding the provision of the previous sentence, you have the right to object at any time if we process your personal data for direct marketing purposes.
  • You can request restriction of processing of your personal data, which means stopping the processing of personal data about you, for example, if you want us to establish its accuracy or verify the grounds for its further processing.
  • You can request the transfer of your personal data in a structured electronic format to another controller, where possible and feasible.
  • You can withdraw the consent you have given to the collection, processing and transfer of your personal data for a specific purpose; upon receipt of notification that you have withdrawn your consent, we will cease processing your personal data for the purposes you originally accepted, unless we have another legitimate legal basis for doing so.

If you wish to exercise any of the aforementioned rights, please send your request by email to info@bogensperk.si or by regular mail to the organization’s address.

Access to your personal data and the exercise of your rights are free of charge for you. However, we may charge a reasonable fee if the data subject’s request is manifestly unfounded or excessive, in particular if it is repetitive. In such a case, we may also refuse the request.

If you exercise your rights under this heading, we may need to request certain information from you to help us confirm your identity, which is only a precautionary measure to ensure that personal data is not disclosed to unauthorised persons.

You can also use the Information Commissioner’s form available on their website to exercise your rights under this heading. Link to: https://www.ip-rs.si/fileadmin/user_upload/doc/obrazci/ZVOP/Zahteva_za_seznanitev_z_lastnimi_osebnimi_podatki__Obrazec_SLOP_.doc

If you believe that your rights have been violated, you can contact the supervisory authority or the Information Commissioner for protection or assistance. Link to: https://www.ip-rs.si/zakonodaja/reforma-evropskega-zakonodajnega-okvira-za-varstvo-osebnih-podatkov/kljucna-podrocja-uredbe/prijava-krsitev/

If you have any questions about the processing of your personal data, you can always contact us.

Publication of amendments

Any changes to the personal data protection policy will be published on the website of the public institute (https://bogensperk.si/javni-zavod-bogensperk/).

By using the website, the individual confirms that he/she accepts and agrees with the entire content of this personal data protection policy.

The personal data protection policy was adopted by the director of the Public Institute Bogenšperk, Peter Avbelj, September 2025.