Personal data protection policy

The purpose of this Privacy Policy is to inform individuals, service users, colleagues, employees and other persons (hereinafter referred to as "the individual") who interact with Maribor Regional Museum ("the Organisation") about the purposes, legal bases, safeguards and rights of individuals with regard to the processing of personal data carried out by our Organisation.

We value your privacy, so we always protect your data carefully. 

We process personal data in accordance with European legislation (Regulation (EU) 2016/697 on the protection of individuals with regard to the processing of personal data and on the movement of such data (the "General Regulation")), applicable Slovenian legislation in the field of personal data protection and other legislation that provides us with a legal basis for processing personal data.

The Personal Data Protection Policy contains information on how our organisation, as the controller, processes the personal data it receives from individuals on the basis of legal grounds.

 

1) Controller

The data controller is the organisation: 

Maribor Regional Museum

Grajska ulica 2, 2000 Maribor

E-mail: museum@museum-mb.si

Phone: +386 2 228 35 51

2) Authorised person

In accordance with Article 37 of the General Regulation, we have appointed a company as the Data Protection Officer:

DATAINFO.SI, d.o.o.

Tržaška cesta 85, SI-2000 Maribor

www.datainfo.si 

E-mail: dpo@datainfo.si

Telephone: +386 (0) 2 620 4 300

3) Personal data

Personal data means any information relating to an identified or identifiable individual; an identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

4) Purposes of processing and grounds for processing

The organisation collects and processes your personal data on the following legal bases:

  • processing is necessary for the fulfilment of legal obligations applicable to the controller;
  • processing is necessary for the implementation of the contract to which the data subject is a party or to carry out measures at the request of such data subject prior to the conclusion of the contract;
  • processing is necessary for legitimate interests sought by the controller or a third party;
  • the data subject has agreed to the processing of his or her personal data for one or more specified purposes;
  • processing is necessary for protecting the vital interests of the data subject or another natural person.

 

4.1) Compliance with a legal obligation

Based on the provisions of the law, the organisation processes data on its employees, which is allowed by labour and social security legislation. In particular, the following types of personal data are processed by the organisation for recruitment purposes on the basis of a legal obligation: name and surname, gender, date of birth, EMN, tax number, place, municipality and country of birth, nationality, place of residence, etc. The legal basis for the processing of personal data of individuals is also: Act on the Realisation of the Public Interest in Culture, Act on the Protection of Cultural Heritage, Labour Relations Act, Act on the Wage System in the Public Sector, Act on the Protection of Documentary and Archival Material and Archives, Act on the Provision of Funds for Certain Urgent Programmes of the Republic of Slovenia in the Field of Culture, and other legislation in the field of culture.

 

In limited cases, the processing of personal data is also permissible in the organisation on the basis of public interest. All applicable sectoral regulations in this area are available on the website of the competent ministry: https://www.gov.si/drzavni-organi/ministrstva/ministrstvo-za-kulturo/zakonodaja/.

 

4.2) Implementation of the Contract

Where an individual enters into a specific contract with the organisation, this constitutes the legal basis for the processing of personal data. We may process personal data for the purpose of concluding and performing the contract, such as selling tickets, selling products, renting premises, etc. If the data subject does not provide personal data, the organisation cannot conclude the contract, nor can the organisation provide the data subject with the services or goods or other products in accordance with the contract, as it does not have the necessary data to perform the contract. The organisation may, by virtue of carrying out a lawful activity, inform individuals and users of its services about its services, events, training, offers and other content by sending an email to their email address. An individual may at any time request to stop such communications and processing of personal data and to cancel the receipt of such communications via the unsubscribe link in the communication received, or as a request by email to museum@museum-mb.si or by regular mail to the organisation's address.

 

4.3) Legitimate interest

An organisation may also process personal data on the basis of a legitimate interest pursued by the organisation. The latter shall not be admissible where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. In the case of the application of legitimate interest, the organisation shall always carry out an assessment in accordance with the GDPR. The processing of personal data of individuals for direct marketing purposes is considered to be carried out in the legitimate interest. The organisation may also process personal data of individuals which it has collected from publicly available sources or in the course of the legitimate exercise of its activities for the purposes of offering goods, services, employment, information about benefits, events, etc. For these purposes, the organisation may use ordinary mail, telephone calls, e-mail and other means of telecommunication. For direct marketing purposes, the organisation may process the following personal data of individuals: name and surname of the individual, address of permanent or temporary residence, telephone number and e-mail address. The above personal data may also be processed by the organisation for direct marketing purposes without the individual's explicit consent. The individual may at any time request to cease such communication and processing of personal data and to withdraw from receiving communications via the unsubscribe link in the communication received, or as a request by email to museum@museum-mb.si or by regular mail to the organisation's address.

 

4.4) Processing on the basis of consent or assent

If the organisation does not have a legal basis based on the law, a contractual obligation or a legitimate interest, it may ask the individual for consent or assent. In this way, it may also process certain personal data of the data subject for the following purposes where the data subject has given his or her consent:

  • your home address and email address for information and communication purposes;
  • photographs, videos and other content relating to an individual (e.g. posting images of individuals on the organisation's website) for the purposes of documenting activities and informing the public about the organisation's work and events;
  • other purposes for which the individual consents.

 

If the data subject has given his or her consent to the processing of personal data and at some point no longer wishes to do so, he or she may request the interruption of the processing of personal data by sending a request by e-mail to museum@museum-mb.si or by regular mail to the organisation's address. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.

 

4.5) The processing is necessary for the protection of the vital interests of the individual

The organisation may process the personal data of the data subject insofar as this is necessary for the protection of his or her vital interests. In urgent cases, the organisation may search for a personal document of the data subject, check whether that person exists in its database, examine his/her medical history or contact his/her relatives, without the need for the consent of the data subject. The above applies in the case where it is strictly necessary to protect the vital interests of the individual.

5) Retention and deletion of personal data

The organisation will keep personal data only for as long as necessary to fulfil the purpose for which the personal data were collected and processed. If the organisation processes the data on the basis of the law, it will keep the data for the period prescribed by the law. In this respect, some data will be kept for the duration of the cooperation with the organisation, while some data must be kept permanently. Personal data processed by the organisation on the basis of a contractual relationship with an individual will be kept by the organisation for the period necessary for the performance of the contract and for a period of 6 years after its termination, except in cases where there is a dispute between the individual and the organisation in relation to the contract. In such a case, the organisation shall keep the data for 10 years after the final decision of a court, arbitration or court settlement or, if there has been no court settlement, for 5 years from the date of amicable settlement of the dispute. Those personal data processed by the organisation on the basis of the individual's personal consent or legitimate interest will be retained by the organisation until the consent is withdrawn or until the data are requested to be erased. Upon receipt of a revocation or a request for erasure, the data shall be erased within a maximum of 15 days. The organisation may also delete the data prior to revocation where the purpose of the processing of personal data has been achieved or where required by law.

Exceptionally, an organisation may refuse a request for erasure on the grounds set out in the General Regulation, such as the following: the exercise of the right to freedom of expression and information, compliance with a legal obligation to process, grounds of public interest in the field of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and the exercise or defence of legal claims. After the retention period has expired, the personal data must be effectively and permanently erased or anonymised by the organisation so that it can no longer be linked to a specific individual.

 

6) Contractual processing of personal data and data export

The organisation may entrust individual personal data to a contractual processor on the basis of a contractual processing agreement. Contract processors may process the entrusted data exclusively on behalf of the controller, within the limits of the controller's authorisation, as set out in a written contract or other legal instrument, and in accordance with the purposes set out in this Privacy Policy.

 

The contractual processors with which the organisation cooperates are mainly:

  • accounting services and other providers of legal and business advice;
  • infrastructure maintenance (video surveillance, security services);
  • information systems maintainers;
  • email service providers and software providers, cloud services.

 

Under no circumstances will the Organisation disclose the personal data of an individual to unauthorised third parties. Contracted processors may only process personal data within the framework of the Organisation's instructions and may not use personal data for any other purpose.

 

The Organisation as controller and its employees do not export personal data to third countries (outside the Member States of the European Economic Area - EU Member States plus Iceland, Norway and Liechtenstein) and to international organisations, except to the USA, where the relationship with US contract processors is governed by standard contractual clauses (standard contracts adopted by the European Commission) and/or binding corporate rules (adopted by the Organisation and approved by the supervisory authorities in the EU).

 

In order to improve the overview and control of the contractual processors and the regularity of the contractual relationship between them, the Organisation shall maintain a list of contractual processors, which shall include all the specific contractual processors with which the Organisation cooperates.

7) Cookies

The organisation's website works with the help of cookies. A cookie is a file that stores the settings of web pages. Cookies are stored by websites on users' devices used to access the internet in order to identify individual devices and the settings used by users to access the internet. Cookies allow websites to identify if a user has already visited a website. In the case of advanced applications, they can be used to adjust individual settings accordingly. Their storage is under the full control of the browser used by the individual - which can restrict or completely disable the storage of cookies if desired.

Cookies are essential for providing personalised online services. They are used to store information about the state of a particular website, to help collect statistics about users and website traffic, etc. We use cookies to evaluate the effectiveness of our website design.

 

The organisation's website uses the following cookies:

| Cookie name | Duration | Function |
| --- | --- | --- |
| _ga | 2 years | Designed to collect information about the use of the website. They allow the analysis of visits to improve the user experience. The data is collected in an anonymous form. |
| _gat | 10 minutes | Designed to collect information about the use of the website. They allow the analysis of visits to improve the user experience. The data is collected in an anonymous form. |
| catAccCookies | Always present | Used to store information about the settings related to the use of cookies on the site. |
| uncodeAI.css | session | For the operation of the website. |
| uncodeAI.images | session | For the operation of the website. |
| uncodeAI.screen | session | For the operation of the website. |

 

You can delete the cookies stored by your browser (instructions can be found on the web pages of each browser).

8) Data protection and data accuracy

The organisation is responsible for information and infrastructure security (premises and application system software). Our IT systems are protected by, among other things, antivirus and firewall protection. We have put in place appropriate organisational and technical security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access and against other unlawful and unauthorised forms of processing. In the case of transmission of special types of personal data, we transmit them in encrypted and password-protected form.

It is the individual's responsibility to ensure that his or her personal data is provided securely and that the data provided is accurate and reliable. The Organisation will endeavour to ensure that the personal data it processes is accurate and, where necessary, kept up to date and may from time to time contact the individual to confirm the accuracy of the personal data.

9) Rights of the data subject with regard to data processing

Under the GDPR, the data subject has the following data protection rights:

 

  • may request information about whether we hold personal data about him or her and, if so, what data we hold, on what basis we hold it and why we use it;
  • may request access to his or her personal data, which allows him or her to receive a copy of the personal data held by the organisation and to check whether the organisation is processing it lawfully;
  • may request rectification of personal data, such as the rectification of incomplete or inaccurate personal data;
  • may request the erasure of his/her personal data where there is no longer any reason for further processing or where he/she exercises his/her right to object to further processing;
  • may object to further processing of personal data where the organisation relies on legitimate business interest (including in the case of legitimate interest of a third party), where there are grounds relating to the particular situation of the data subject; the data subject has the right to object at any time if the organisation processes personal data for direct marketing purposes;
  • may request the restriction of the processing of his/her personal data, which means the interruption of the processing of personal data, for example, if the data subject wishes the organisation to establish its accuracy or to verify the grounds for further processing of personal data;
  • may request the transfer of his/her personal data in a structured electronic format to another controller, insofar as this is possible and feasible;
  • may withdraw the consent or assent he/she has given to the collection, processing and transfer of his/her personal data for a specific purpose; upon notification that he/she has withdrawn his/her consent, the organisation will cease to process the personal data for the purposes for which it was originally collected, processed and transferred, unless the organisation has other lawful grounds to do so.

 

If the individual wishes to exercise any of the above rights, he or she may send a request by email to museum@museum-mb.si or by regular mail to the organisation's address. The organisation will respond to a request concerning the rights of an individual without undue delay and in any event within one month of receipt of the request. Should this time limit be extended (by up to two additional months), taking into account the complexity and number of requests, you will be informed. Access to personal data and the exercise of rights is free of charge for the data subject. However, the organisation may charge a reasonable fee if the data subject's request is manifestly unfounded or excessive, in particular if it is repetitive. In such a case, the organisation may also refuse the request. In the case of the exercise of rights under this title, the organisation may need to request certain information from the data subject to help it confirm the identity of the data subject, which is only a precautionary measure to ensure that personal data are not disclosed to unauthorised persons.

 

In exercising their rights under this Title, or if they consider that their rights have been violated, individuals may seek protection or assistance from the supervisory authority, the Information Commissioner's Office, by visiting the following website: https://www.ip-rs.si/.  

 

If an individual has any questions regarding the processing of his or her personal data, he or she may always contact our organisation by email at museum@museum-mb.si or by regular mail to the organisation's address.

10) Publication of amendments

Any changes to our Personal Data Protection Policy will be published on our website: https://museum-mb.si. By using the website, the individual confirms that he or she accepts and agrees to the entire content of this Privacy Policy.

 

The Personal Data Protection Policy was adopted by Dr. Mirjana Koren, Director of the organisation, on 1.12.2022.
