RULES ON THE PROTECTION OF PERSONAL DATA AND THE INTERNAL CODE OF CONDUCT

General provisions

Implementation of the requirements of the General Data Protection Regulation (GDPR) and the Personal Data Protection Act (ZVOP-2)

(on 14.04.2023)

Our organization has prepared a personal data protection policy with which we want individuals, service users, colleagues, employees and other persons (hereinafter: "individuals"), who cooperate with Studio da Vinci Ltd. (hereinafter: "organization") to inform about the purposes, legal bases, security measures and the rights of individuals in relation to the processing of personal data carried out by our organization.

We value your privacy very much, so we always carefully protect your data.

The processing of personal data takes place in accordance with European legislation (Regulation (EU) 2016/697 on the protection of individuals in the processing of personal data and on the flow of such data (hereinafter: "General regulation"), valid Slovenian legislation in the field of personal data protection and other legislation that provides us with a legal basis for the processing of personal data.

The personal data protection policy includes information on how our organization, as a controller, processes personal data provided by an individual based on legal grounds.

Manager

Organization Studio da Vinci Ltd. is responsible for handling your personal data. Their headquarters are located at Dunajska cesta 5, 1000 Ljubljana, Slovenia, and they can be reached by email at info@studiodavinci.si or by phone at 041 744 888.

Authorized person

In accordance with the provisions of Article 37 of the General Data Protection Regulation, we have not appointed an authorized person. If you have any questions or concerns regarding the processing of your personal data, you can contact us at any time by e-mail at info@studiodavinci.si.

Personal data

(Article 1)

Personal data is any information that relates to a specific or identifiable individual, whereby the identifiable individual can be directly or indirectly identified. An identifier can be, for example, a name, an identification number, location data, an online identifier or other factors that characterize a person's physical, physiological, genetic, mental, economic, cultural or social identity.

Fulfillment of legal obligations

(Article 2)

The organization collects and processes data about its employees in accordance with the provisions of labor law and social security legislation, which is a legal obligation for the manager. Personal data such as name, surname, gender, date of birth, EMŠO, tax number, place, municipality and country of birth, citizenship, residence and other information are processed for employment purposes. On the basis of tax legislation, data on issued invoices is also processed and stored. In some cases, personal data may also be processed in the public interest.

Execution of the contract

(Article 3)

In the case of a contract between an individual and an organization, this constitutes the legal basis for the processing of personal data. The organization may process an individual's personal data for the purposes of concluding and implementing a contract. If the individual does not provide personal data, the organization cannot conclude a contract and cannot fulfill its obligations, such as the provision of services ordered by the individual.

Based on the contract concluded between the organization and the individual, the organization will send news, advice and possible events to the individual. The organization will also process certain personal data of individuals, such as name, surname, email address, telephone number and payment information, for the purposes of signing contracts and sending newsletters to which the individual has signed up.

Purposes of processing and basis for data processing

(Article 4)

·        The organization collects and processes your personal data on the following legal bases:

·        Processing is necessary to fulfill a legal obligation applicable to the controller;

·        The processing is necessary for the implementation of a contract, the contracting party of which is the individual to whom the personal data relates, or for the implementation of measures at the request of such an individual before the conclusion of the contract;

·        Processing is necessary for the legitimate interests pursued by the controller or a third party;

·        The data subject has consented to the processing of his personal data for one or more specified purposes;

·        The processing is necessary to protect the vital interests of the individual to whom the personal data relates or another natural person.

Legitimate interest

(Article 5)

The organization can also process personal data on the basis of legitimate interest, but their use is limited when it comes to processing by public authorities in the performance of their tasks. To a limited extent, the organization may use a legitimate interest in the processing of personal data, but this is not allowed when these interests prevail over the rights and freedoms of the data subject who require the protection of personal data. When using a legitimate interest, the organization makes an assessment in accordance with the General Regulation.

From time to time, the organization may provide individuals with information about services, events, offers and other content via e-mail and phone calls. However, the individual can at any time request the termination of this type of communication and processing of personal data, and cancel receiving messages via the unsubscribe link in the received message, or as a request by e-mail to info@studiodavinci.si or by regular mail to the address of the organization.

Processing to protect the vital interests of the individual

(Article 6)

In the event that this is absolutely necessary to protect the life interests of the individual, the organization may process his personal data without his consent. In such emergencies, an organization can review an individual's identity document, verify that the person exists in their database, examine their medical history, or contact their next of kin.

Storage and deletion of personal data

(Article 7)

The organization will keep personal data only for as long as is necessary to achieve the purpose for which the data was collected and processed. In case of processing based on the law, the organization will keep the data for the period required by the law. Some data is kept for the duration of cooperation with the organization, while other data is kept permanently. Personal data processed by the organization on the basis of a contractual relationship with an individual is kept by the organization for the period necessary for the execution of the contract and for 6 years after its termination. If there is a dispute between the organization and an individual regarding the contract, the data is kept for 10 years after the finality of the court decision, arbitration or court settlement, or 5 years from the date of peaceful resolution of the dispute, if there was no court dispute. Data processed by the organization based on the individual's personal consent or legitimate interest is kept by the organization until the consent is revoked or the data is deleted. After receiving the cancellation or deletion request, the data is deleted within 15 days at the latest. If the purpose of personal data processing has been achieved or if the law so requires, the organization may delete this data before cancellation.

Processing with consent or consent

(Article 8)

If the organization does not have a legal basis based on law, contract or legitimate interest, it may ask the individual for consent or consent to process their personal data for certain purposes. With consent, the organization can process an individual's personal data for purposes such as information and communication, documenting activities and informing the public about the organization's work and events, as well as other purposes for which the individual agrees with consent. If an individual revokes their consent to the processing of personal data, they can request the termination of the processing of personal data by writing to info@studiodavinci.si or by mail to the address of the organization. However, the revocation of consent does not affect the lawfulness of the processing carried out before the revocation.

Contractual processing of personal data and export

(Article 9)

The organization can entrust certain processing of personal data within the framework of contracts to contractual processors, who can process this data only on behalf of and according to the instructions of the organization. These contract processors are usually accounting services, IT system maintainers, cloud service providers, email service providers, social networking and online advertising providers (such as Google, Facebook, Instagram, etc.).

The organization maintains a list of contract processors that it maintains for the purpose of reviewing and monitoring their work. This list contains all the specific contract processors with which the organization works.

The organization will not pass on personal data to unauthorized third parties, and contractual processors may only process personal data within the framework of the organization's instructions and may not use it for other purposes.

The organization does not export personal data to third countries (outside the EU) or to international organizations, except in the USA, where relations with contractual processors are governed by standard contractual clauses (model contracts adopted by the European Commission) and/or binding business rules ( adopted by the organization and approved by supervisory authorities in the EU).

In some cases, the organization may refuse the request to delete data for the reasons listed in the General Regulation, such as the right to freedom of expression and information, compliance with the legal obligation of processing, public interest in the field of public health, archiving in the public interest, scientific or historical research purposes, statistical purposes, or the exercise or defense of legal claims. After the retention period has expired, the organization effectively and permanently deletes or anonymizes personal data so that it can no longer be linked to a specific individual.

Cookies

(Article 10)

Cookies are files that allow websites to remember the user's preferences and activities, such as logging in, shopping or browsing the web. Websites store cookies on users' devices to identify individual devices and settings that the user used when accessing the web. Cookies are also useful in advanced applications that adapt to the user's needs. The browser used by the individual has full control over the storage of cookies, as it can limit or completely disable them.

Cookies are crucial for providing user-friendly online services. They are used to store information about the state of each website, collect statistics about users and website traffic, and evaluate the effectiveness of the website design.

Cookie privacy overview

(Article 11)

This website uses cookies to improve your experience while browsing the website. Among these are cookies that are necessary for the operation of the basic functionality of the website and are stored in your browser. In addition, we also use third-party cookies to help us analyze and understand how you use this website. We will only store these cookies with your consent. You can also choose whether you want cookies or not. However, some cookies may affect your browsing experience.

Types of cookies and storage time

(Article 12)

Web page https://davinci-luxuryrealestate.com/ uses the following cookies:

Necessary cookies

Necessary cookies are absolutely necessary for the website to function properly. These cookies provide basic functionality and security features of the website, anonymously.

·        cookielawinfo-checkbox-analytics 11 months This cookie is set using the GDPR Cookie Consent widget. It is used to store the user's consent regarding cookies in the "Analytics" category.

·        cookielawinfo-checkbox-functional 11 months The cookie is set with the GDPR Cookie Consent utility and serves to record the user's consent regarding cookies in the "Functional" category.

·        cookielawinfo-checkbox-necessary 11 months This cookie is set with the GDPR Cookie Consent widget. It is used to store the user's consent regarding cookies in the "Necessary" category.

·        cookielawinfo-checkbox-others 11 months This cookie is set using the GDPR Cookie Consent utility. It is used to store the user's consent regarding cookies in the "Other" category.

·        cookielawinfo-checkbox-performance 11 months This cookie is set with the GDPR Cookie Consent widget. It is used to store the user's consent regarding cookies in the "Performance" category.

·        viewed_cookie_policy 11 months This cookie is set with the GDPR Cookie Consent utility and serves to store information on whether the user has given consent to the use of cookies. It does not store any personal data.

Functional cookies:

Functionality cookies help implement certain functionalities, such as sharing website content on social media platforms, collecting feedback and other third-party functions.

Performance cookies:

Performance cookies are used to understand and analyze key performance indicators of the website, helping to provide a better user experience for visitors.

Analytical cookies:

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as number of visitors, bounce rate, traffic source, etc.

Advertising cookies:

Advertising cookies are used to show visitors relevant advertisements and marketing campaigns. These cookies track visitors across various websites and collect data so that personalized advertisements can be displayed.

The organization ensures a high level of security for information systems and the infrastructure it uses (including physical infrastructure and application-system software). Protection of information systems includes anti-virus programs and firewalls. These measures are intended to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and other unlawful forms of processing. If we provide special types of personal data, we always encrypt and password-protect it.

The individual himself is responsible for the safe transmission of his personal data and for the fact that the data transmitted is accurate and authentic. The organization will make every effort to ensure that the personal data it processes is accurate and up-to-date, and if necessary, the individual will be asked to confirm the accuracy of the personal data.

Individual rights regarding data processing

(Article 13)

The organization respects the rights of individuals in accordance with the General Regulation on the Protection of Personal Data:

·        The individual has the right to information about whether the organization processes his personal data and what data is processed and why.

·        An individual has the right to access his personal data, which enables the review of the personal data held by the organization and the verification of the lawfulness of their processing.

·        An individual has the right to correct their personal data, such as correcting incomplete or inaccurate personal data.

·        An individual has the right to delete his personal data when there is no reason for further processing or when he exercises his right to object to further processing.

·        An individual may object to the further processing of personal data when the organization refers to a legitimate business interest, when there are reasons related to the individual's special situation, or when the organization processes personal data for direct marketing purposes.

·        An individual has the right to restrict the processing of his personal data, which means stopping the processing of personal data, for example, if the individual wants the organization to verify the accuracy or to check the reasons for further processing of the personal data.

·        The individual has the right to transfer his personal data in a structured electronic form to another controller, insofar as this is possible and feasible.

·        An individual may revoke consent to the collection, processing and transfer of his personal data for a specific purpose; the organization will stop processing the personal data for the purposes for which it was originally accepted, unless the organization has other lawful legal grounds for further processing.

An individual can exercise his rights regarding the protection of personal data by sending a request by e-mail to info@studiodavinci.si or by regular mail to the address of the organization. The organization will respond to the request without undue delay and in any case within one month of receipt of the request. If an individual's request is clearly unfounded or excessive, particularly if it is repeated, the organization may charge a reasonable fee or deny the request. The organization may request certain information from the individual to confirm the identity of the individual, which is only a security measure to ensure that personal information is not disclosed to unauthorized persons. If an individual believes that their personal data protection rights are violated, they can contact the supervisory authority, i.e. the Information Commissioner on the website https://www.ip-rs.si/. For additional questions regarding the processing of personal data, the individual can always contact the organization via email at info@studiodavinci.si or by regular mail to the organization's address.

Announcement of changes

(Article 14)

Any changes will be posted on our website https://davinci-luxuryrealestate.com. By using our website, the individual confirms that he accepts and agrees with the entire content of this personal data protection policy.

The responsible person has adopted the personal data protection policy of the day April 14, 2023