PRIVACY POLICY

 

The purpose of the privacy policy is to inform individuals, customers, product or service users, employees, and other persons (hereinafter referred to as “individuals”) who interact with the company BETI tekstilna industrija d.o.o., Tovarniška cesta 2, 8330 Metlika (hereinafter referred to as “company”), about the purposes, legal bases, security measures, and rights of individuals regarding the processing of personal data carried out by the company.

We value your privacy, and therefore we always carefully safeguard your data.

We process personal data in accordance with applicable data protection legislation and other legislation that provides us with a legal basis for processing personal data.

Any changes to this document will be published on our website. By using the website, you confirm that you are familiar with the entire content of the privacy policy.

Data Controller:

BETI tekstilna industrija, d.o.o.

Tovarniška cesta 2, 8330 Metlika

e-mail: info@beti.si

telephone: (+386) 7 36 38 100

Website: https://www.beti.si/

 

 

1. Personal Data

Personal data means any information relating to an identified or identifiable individual; an identifiable individual is one who can be directly or indirectly identified, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

 

2. Purposes of Processing and Legal Bases for Data Processing

The company collects and processes personal data on the following legal bases:

  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;
  • the data subject has consented to the processing of their personal data for one or more specific purposes;
  • processing is necessary to protect the vital interests of the data subject or of another natural person.

 

CCTV Surveillance

We conduct CCTV surveillance in the company. Cameras are installed around the entrances to the organization at the following locations: rear – left towards the boiler room, main entrance, side entrance towards the boiler room, side entrance towards the parking lot, entrance to the warehouse left and right, rear towards the railway, road to the main entrance, and inside the company at the main entrances, namely: entrance from the parking lot, production left and right of the entrance. CCTV surveillance is used to monitor entries into and exits from the premises (based on Article 77 of the Personal Data Protection Act (ZVOP-2)). CCTV surveillance is also conducted for the purpose of protecting individuals (users, employees, and visitors) and the organization’s property (based on the legitimate interest as defined in point (f) of Article 6(1) of the General Data Protection Regulation). Recordings are kept for up to 6 months. CCTV surveillance is not conducted in a manner that has a specific impact on processing. CCTV surveillance enables real-time monitoring. All information regarding the implementation of CCTV surveillance can be obtained at the organization’s telephone number or email address. The rights of individuals are described in this Privacy Policy.

 

Execution of the concluded contract

In cases where an individual enters into a contract with the company, this constitutes a legal basis for the processing of personal data. The company may therefore process personal data for the purpose of concluding and executing the contract, such as the sale of goods and services, preparing offers, participating in various programs, etc. If an individual does not provide personal data, the company cannot conclude the contract, nor can the company perform the service or deliver goods or other products in accordance with the concluded contract, as it does not have the necessary data for execution. On this basis, the company processes only those personal data that are necessary for the conclusion and proper execution of contractual obligations.

The legal basis for data processing is the contract. The retention period is until the purpose of the contract is fulfilled or up to 6 years after the termination of the contract, except in cases where a dispute arises between the individual and the company regarding the contract. In such a case, the company retains the data for an additional 10 years after the finality of the court decision, arbitration, or judicial settlement, or if there is no judicial dispute, for 5 years from the date of amicable settlement of the dispute.

 

Legitimate Interest

The company may also process personal data based on its legitimate interest. This is not permissible when such interests are overridden by the interests or fundamental rights and freedoms of the individual whose personal data require protection. In the case of using legitimate interest, the company conducts an assessment in accordance with the legislation. Processing personal data of individuals for direct marketing purposes is considered to be carried out in the legitimate interest.

The company may process personal data of individuals collected from publicly available sources or within the framework of lawful activities, also for the purposes of offering goods, services, employment, informing about benefits, events, etc. To achieve these purposes, the company may use regular mail, telephone calls, email, and other telecommunication means. For direct marketing purposes, the company may process the following personal data of individuals: the individual’s name and surname, permanent or temporary address, telephone number, and email address. The company may process the mentioned personal data for direct marketing purposes even without the explicit consent of the individual. The individual may request the cessation of such communication and processing of personal data at any time and revoke the receipt of messages through an unsubscribe link in the received message or submit a request via email or regular mail to the company’s address.

The legal basis for data processing is legitimate interest. The data will be processed until the receipt of messages is revoked, or until the purpose of processing is fulfilled. Revocation does not affect the lawfulness of processing based on consent before its withdrawal.

 

Processing Based on Consent

If the company does not have a legal basis established on the basis of law, contractual obligation, legitimate interest, or protection of an individual’s life, it may request the individual’s consent. Thus, it can process certain personal data of the individual also for the following purposes when the individual gives consent:

  • residential address and email address (for communication and information purposes);
  • photographs, videos, and other content related to the individual (e.g., posting pictures of individuals on the website for documenting activities and informing the public about the company’s work and events);
  • other purposes for which the individual agrees by giving consent.

If an individual consents to the processing of personal data and later decides not to, they can request the cessation of personal data processing by submitting a request via email or regular mail to the company’s address. Revocation of consent does not affect the lawfulness of processing based on consent before its withdrawal. Upon receipt of the revocation or request for deletion, the data will be deleted within 15 days at the latest. The company may also delete this data before revocation when the purpose of processing personal data has been achieved or as required by law.

In exceptional cases, the company may refuse a request for deletion for reasons specified in the General Data Protection Regulation, such as exercising the right to freedom of expression and information, fulfilling legal obligations of processing, reasons of public interest in the field of public health, archival purposes in the public interest, scientific or historical research purposes, statistical purposes, or the exercise or defense of legal claims.

The legal basis for data processing is consent. The data will be processed until revocation or withdrawal of consent or until the purpose of processing is fulfilled. Revocation of consent does not affect the lawfulness of processing based on consent before its withdrawal.

 

Protection of Individual’s Vital Interests

The company may process personal data of an individual when it is necessary to protect their vital interests. In urgent cases, the company may search for the individual’s personal documents, verify if the person exists in its database, review their medical history, or contact their relatives, without the individual’s consent. This applies when it is absolutely necessary to protect the vital interests of the individual.

 

3. Storage and Deletion of Personal Data

The company will retain personal data only for as long as necessary to fulfill the purpose for which the personal data were collected and processed. If the company processes data based on the law, it will retain them for the period prescribed by law. Some data are stored during the cooperation with the company, while some data must be retained permanently. Personal data processed by the company based on a contractual relationship with an individual will be kept for the period necessary to execute the contract and for 6 years after its termination, except in cases where a dispute arises between the individual and the company regarding the contract. In such cases, the company will retain the data for an additional 10 years after the finality of the court decision, arbitration, or judicial settlement, or if there is no judicial dispute, for 5 years from the date of amicable settlement of the dispute.

Personal data processed by the company based on an individual’s consent or legitimate interest will be retained until the consent is revoked or a request for data deletion is made. Upon receipt of the revocation or request for deletion, the data will be promptly deleted. The company may also delete this data before revocation when the purpose of processing personal data has been achieved or as required by law. In the event of an individual’s exercise of rights, the company will retain the individual’s personal data until the matter is finally decided, and thereafter, in accordance with the final decision.

In exceptional cases, the company may refuse a request for deletion for reasons such as exercising the right to freedom of expression and information, fulfilling legal obligations of processing, reasons of public interest in the field of public health, archival purposes in the public interest, scientific or historical research purposes, statistical purposes, or the exercise or defense of legal claims. After the retention period, the company must effectively and permanently delete or anonymize personal data so that they can no longer be associated with a specific individual.

 

4. Contractual Processing of Personal Data and Data Transfers

The company may entrust certain processing of personal data based on a contract for data processing to a data processor. Data processors may process the entrusted data exclusively on behalf of the controller, within the scope of its authorization specified in a written contract or other legal act, and in accordance with the purposes defined in this privacy policy.

The company’s data processors primarily include:

  • other providers of legal and business consultancy;
  • infrastructure maintainers (video surveillance, security services);
  • information system maintainers;
  • providers of email services and cloud software services;

For the purpose of better overview and control over data processors and the organization of mutual contractual relationships, the company also maintains a list of data processors, listing all specific data processors with whom the company cooperates.

The company will not, under any circumstances, disclose an individual’s personal data to unauthorized third parties. Data processors may process personal data only within the company’s instructions and may not use personal data for any other purposes.

The company, as the controller, and its employees do not transfer personal data to third countries (outside the European Economic Area – EU Member States, Iceland, Norway, and Liechtenstein) and international organizations, whereby relationships with data processors are regulated based on standard contractual clauses (model contracts adopted by the European Commission) and/or binding corporate rules (established by the company and approved by supervisory authorities in the EU).

 

5. Cookies

The company’s website operates with the help of so-called cookies, which are important for providing web services and are used to store data about the state of each web page, to assist in collecting statistics about users and website visits, etc. Upon entering the website, only those cookies that are strictly necessary for the operation of the website (e.g., for the shopping cart) are loaded onto the device. Other cookies will only be loaded with the individual’s consent. Individuals can change settings and delete cookies at any time (instructions are available on the respective browser’s websites). Cookies are used for website visit statistics.

You can read more about cookies on our website here:
https://www.beti.si/en/cookies/

 

6. Data Protection and Data Accuracy

The company ensures information security and the security of infrastructure (spaces and application-system software). Our information systems are protected, among other measures, by antivirus programs and a firewall. We have implemented appropriate organizational and technical security measures aimed at protecting personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as well as other unlawful and unauthorized forms of processing. In the case of transmitting special categories of personal data, we transmit them in encrypted form and protected by a password. Individuals are responsible for securely providing their personal data and ensuring that the data provided are accurate and credible.

 

7. Individual Rights Regarding Data Processing

An individual whose personal data is processed has the right to request access to personal data, as well as correction or deletion of personal data, or restriction of processing concerning them, and the right to object to processing and the right to data portability. The individual’s request is handled in accordance with the provisions of the General Data Protection Regulation and applicable data protection legislation.

All the aforementioned rights and any inquiries can be exercised by the individual by sending a request to the company’s address. The company will respond to the individual’s request without undue delay, no later than one month after receiving the request. This period may be extended by up to two additional months, taking into account the complexity and number of requests, and the individual will be informed of any such extension, along with the reasons for the delay. Exercising these rights is free of charge for the individual, but the company may charge a reasonable fee if the request is manifestly unfounded or excessive, especially if it is repetitive. In such cases, the company may also refuse the request. In case of doubt about the identity of the individual, additional information may be requested by the company to verify identity.

The company will inform the individual of the decision regarding the request, including the reasons for the decision and information about the right to lodge a complaint with the supervisory authority within 15 days of being informed of the decision. The right to lodge a complaint with the supervisory authority can be exercised by the individual at the Information Commissioner of the Republic of Slovenia at the address: Dunajska 22, 1000 Ljubljana (email: gp.ip@ip-rs.si, website: www.ip-rs.si).

 

 

 

The privacy policy is effective as of the date of publication on the notice board, namely September 1st, 2023.

 

Metlika, 31.8.2023

 

Beti d.o.o.

M.Sc. Maja Čibej, CEO