
Protection of Personal Data

Based on Articles 24 and 25 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 86/04, 113/05, 51/07 and 67/07), the director of the company VILA PORTOROŽ d.o.o., Obala 114b, 6320 Portorož, Vlasta Prešeren (hereinafter: director) issues this regulation.

 

REGULATION ON THE PROTECTION OF PERSONAL DATA

 

GENERAL PROVISIONS

1.1. Content and Purpose of the Regulation

1.1.1. This regulation establishes organizational, technical, and logical-technical procedures and measures for the protection of personal data in Vila Portorož d.o.o. to prevent accidental or intentional unauthorized destruction of data, their alteration or loss, as well as unauthorized access, processing, use, or disclosure of personal data.

1.1.2. Employees and external collaborators who process and use personal data in their work must be familiar with the Personal Data Protection Act, the relevant legislation governing their specific area of work, and the content of this regulation.

 

1.2. Meaning of Terms

The terms used in this regulation have the following meanings:

1.2.1. ZVOP-1 - Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 86/04, 113/05, 51/07 and 67/07).

1.2.2. Personal Data - any data relating to an individual, regardless of the form in which it is expressed.

1.2.3. Individual - a specific or identifiable natural person to whom the personal data relates; a natural person is identifiable if they can be directly or indirectly identified, primarily by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity, whereby the method of identification does not incur significant costs or require much time.

1.2.4. Personal Data Collection - any structured set of data that contains at least one personal data accessible based on criteria that allow for the use or combination of data, regardless of whether the set is centralized, decentralized, or dispersed on a functional or geographical basis; a structured set of data is a set of data organized in such a way that it determines or allows for the identifiability of an individual.

1.2.5. Processing of Personal Data - means any operation or set of operations performed in relation to personal data, which are processed automatically or which are part of a personal data collection during manual processing or are intended for inclusion in a personal data collection, especially collection, acquisition, entry, editing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, classification or linking, blocking, anonymization, deletion, or destruction; processing can be manual or automated (processing means).

1.2.6. Data Controller - a natural or legal person or another entity in the public or private sector that determines the purposes and means of processing personal data alone or together with others, or a person designated by law who also determines the purposes and means of processing.

1.2.7. Sensitive Personal Data - data concerning racial or ethnic origin, political, religious, or philosophical beliefs, membership in a trade union, health status, sexual life, entry or deletion in or from criminal or misdemeanor records, and biometric characteristics.

1.2.8. User of Personal Data - a natural or legal person or another entity in the public or private sector to whom personal data is disclosed or revealed.

1.2.9. Data Carrier - all types of media on which data is recorded or stored (documents, acts, materials, files, computer equipment including magnetic, optical, or other computer media, photocopies, audio and visual materials, microfilms, data transmission devices, etc.).

1.2.10. Information System - the software, hardware, communication, and other equipment managed by Vila Portorož d.o.o., which operates independently or in a network and is intended for collecting, processing, distributing, using, and otherwise processing data in electronic form.

1.2.11. Malicious Software - computer viruses, worms, Trojan horses, and similar software that is installed in the information system or part of it without the knowledge of the owner or manager and interferes with the integrity of the information system.

 

PROCESSING OF PERSONAL DATA

Each personal data collection in a specific work area of Vila Portorož d.o.o. is established by the person responsible for that specific data collection (hereinafter: responsible person), appointed by the director of Vila Portorož d.o.o.

 

2.1. Processing of Personal Data

2.1.1. Only those personal data that have an appropriate basis in ZVOP-1 may be processed in the data collection.

2.1.2. The individual must be informed about the processing in accordance with the provision of Article 19 of ZVOP-1.

2.1.3. Responsible persons and persons who may process certain personal data due to the nature of their work must be familiar with the provisions of ZVOP-1 and the content of this regulation before processing personal data.

 

2.2. Catalog of Personal Data Collections

2.2.1. Vila Portorož d.o.o. provides a catalog for each personal data collection, which includes:

  • name of the personal data collection,
  • data controller of the personal data collection,
  • legal basis of the personal data collection,
  • categories of individuals to whom the personal data relates,
  • types of personal data in the personal data collection,
  • purpose of collecting, processing, storing, and using personal data and the legal basis for the purpose,
  • duration of storage and use of personal data,
  • limitations on the rights of individuals regarding personal data in the personal data collection and the legal basis for the limitations,
  • users of personal data contained in the personal data collection,
  • whether personal data is transferred out of the country, to whom, and the legal basis for the transfer,
  • general description of the protection of personal data,
  • reference to related personal data collections.

2.2.2. The description of personal data collections, whose controller is Kabi, is maintained in the catalog of personal data collections (description of personal data collections), which is maintained in accordance with the provisions of Article 26 of ZVOP-1. Data from points 1, 2, 4, 5, 6, 9, 10, 11, and 12 of the catalogs of personal data collections are submitted to the state authority responsible for maintaining the Register of Personal Data Collections. The catalog of personal data collection must be provided for each personal data collection no later than 15 days before the establishment of the personal data collection, and the data from the catalog must also be submitted to the competent state authority within the same period. The catalog of personal data collections is updated with each change in the type of personal data in the individual collection, and changes must also be submitted to the competent state authority within 8 days.

2.2.3. Employees who process personal data must be familiar with the catalog of personal data collections, and access to the catalog must also be provided to anyone who requests it.

2.2.4. Vila Portorož d.o.o. is obliged to maintain an up-to-date list, from which it is clear for each personal data collection which person is responsible for the individual personal data collection and which persons may process personal data relating to the individual personal data collection due to the nature of their work. The following data is recorded in the list: name of the personal data collection, personal name and job title of the person responsible for the personal data collection, and personal name and job title of the persons who may process personal data relating to the personal data collection due to the nature of their work.

 

2.3. Data Disclosure upon User Request

Personal data is disclosed only to those users who provide an appropriate legal basis or a written request or consent of the individual to whom the data relates.

For each disclosure of personal data, the entitled party must submit a written application, clearly stating the provision of the law that authorizes the user to obtain personal data, or a written request or consent of the individual to whom the data relates must be attached to the application.

The envelope in which personal data is disclosed must be made in such a way that the contents of the envelope are not visible under normal light or when illuminated with ordinary light. The envelope must also ensure that the opening of the envelope and access to its contents cannot be done without visible traces of opening the envelope.

Personal data may only be transmitted by information, telecommunications, and other means if procedures and measures are implemented that prevent unauthorized access or destruction of data and unauthorized access to their contents.

Sensitive personal data may only be disclosed via telecommunications networks if they are specifically protected by cryptographic methods and electronic signatures so that the data remains unreadable during transmission.

Original documents are never disclosed, except in the case of a written order from a court.

The original document must be replaced with a copy during its absence.

 

2.4. Record of Disclosures

2.4.1. Vila Portorož d.o.o. maintains a record of all disclosures of personal data from point 2.3, stating the following data:

  • which personal data were disclosed,
  • personal name/company and address/headquarters of the person to whom personal data were disclosed, or
  • indication that the disclosure was made by official duty,
  • date of disclosure of personal data, and
  • legal basis on which personal data were disclosed.

2.4.2. The list from point 2.4.1 is in electronic form, and the entry is made by the data processor who disclosed the personal data to the user.

 

2.5. Disclosure of Data within Vila Portorož d.o.o.

Personal data of employees at Vila Portorož d.o.o. and other individuals may be disclosed within Kabi d.o.o. to those persons who need them in the performance of their work and tasks. An employee who transfers the content of data collections within the company in any way must ensure the secure transfer of data.

 

2.6. Receipt of Personal Data

The employee responsible for receiving and recording mail must deliver the mail containing personal data directly to the individual or service to which the mail is addressed.

The employee responsible for receiving and recording mail opens and reviews all mail and packages that arrive at Vila Portorož d.o.o. - brought by clients or couriers, except for packages from the third and fourth paragraphs of this article.

The employee responsible for receiving and recording mail does not open those packages addressed to another authority or organization and delivered by mistake, as well as packages marked as personal data or for which it is evident from the markings on the envelope that they relate to a competition or tender.

The employee responsible for receiving and recording mail must not open packages addressed to an employee, on which it is indicated on the envelope that they are to be delivered personally to the addressee, and packages on which the personal name of the employee is first indicated without the designation of their official position and only then the address of Vila Portorož d.o.o.

 

2.7. Storage and Deletion of Personal Data

Personal data may only be stored for the period specified in point 6 of the catalog of the individual personal data collection.

After the retention period has expired, personal data shall be deleted, destroyed, blocked, or anonymized.

For deleting personal data in electronic form, a method must be used that prevents the recovery of all or part of the deleted data. 

Personal data in physical form must be destroyed in a manner that ensures that the personal data becomes unrecognizable and unrecoverable (e.g., paper shredder or by an organization that deals with the destruction of confidential documents).

Waste data carriers containing personal data must be processed before disposal so that recovery or recognition of personal data is not possible.

Auxiliary documentation, computer products, or templates that contain personal data that have expired must be deleted and destroyed regularly and promptly.

 

2.8. Contractual Processing of Personal Data

With legal or natural persons who perform tasks related to the collection, processing, storage, and disclosure of personal data (contractual processors), Vila Portorož d.o.o. concludes a written contract in accordance with the second paragraph of Article 11 of ZVOP-1.

External legal or natural persons may only perform personal data processing services within the scope of the client's authorizations and may not process or otherwise use the data for any other purpose.

The authorized legal or natural person performing agreed services outside the premises of the controller must ensure an equivalent or stricter method of protecting personal data than that provided for in this regulation.

 

PROTECTION OF PREMISES, COMPUTER EQUIPMENT, AND PERSONAL DATA PROCESSED WITH COMPUTER EQUIPMENT

3.1. Protection of Premises

3.1.1. The entrance to the building is guarded by a security guard, and business premises are secured with security doors that allow entry only based on identification means.

3.1.2. Premises where carriers of secret or personal data, hardware, and software (secured premises) are located must be protected by organizational, physical, and technical measures that prevent unauthorized persons from accessing the data.

3.1.3. The director of Vila Portorož d.o.o. determines or approves the time regime of access permissions to business and secured premises, which prescribes which persons may access specific areas during and outside working hours. The access regime is implemented based on identification means, without which entry is not possible.

3.1.4. Cabinets in secured premises containing data carriers with personal data must be locked outside working hours.

3.1.5. Cabinets with data carriers containing personal data located outside secured premises must be permanently locked. Keys are kept by the employee who supervises the individual cabinet.

3.1.6. During working hours, maintenance workers and equipment, clients, and other visitors may only move in secured premises in the presence of a responsible employee.

3.1.7. Outside working hours, technical maintenance workers and cleaners may only move in secured premises if the data carriers are stored in a manner prescribed by this regulation for the time outside working hours.

 

3.2. Protection of Data Carriers

3.2.1. Employees must not leave carriers of confidential or personal data on desks in the presence of persons who do not have the right to view them.

3.2.2. Data carriers located outside secured premises (common areas) must be locked.

3.2.3. Paper data carriers used for entering personal data into a computer-managed data collection must be locked in cabinets. Likewise, other forms of data carriers must also be locked.

3.2.4. In areas where clients or persons not employed by the company have access, data carriers and computer displays must be positioned during processing or work on them in such a way that clients cannot view them.

3.2.5. Responsible employees must not remove personal data carriers from Vila Portorož d.o.o. without the explicit permission of the director.

3.2.6. Disclosure of personal data to authorized institutions and others who demonstrate a legal basis for obtaining personal data is permitted only by the competent director or head of the relevant service.

 

3.3. Protection of Hardware and Software

3.3.1. Personal data collections located in the information system are protected by a password system for authorizing and identifying users of programs and users.

3.3.2. The same provisions apply to the storage and protection of application software as for other data in this regulation.

3.3.3. The creation and storage of archival and backup copies must be appropriately documented.

3.3.4. The responsible employee must ensure that in the case of servicing, repairing, changing, or supplementing system or application software, any copies of personal data are appropriately destroyed after the need for the copy has ceased.

3.3.5. The responsible employee must be present at all times during the servicing of computers and software and must monitor that there is no theft, alteration, or destruction of personal data.

3.3.6. If it is necessary to repair a device containing data carriers with personal data outside the company, the responsible employee must, in cooperation with a professionally trained employee, ensure the appropriate deletion of personal data from the carrier or the removal of the data carrier itself from the device.

3.3.7. All components of the information system used for entering, processing, and storing personal data must be adequately protected against unauthorized access and intrusions. A comprehensive system of protection against malicious software must be established in the information system.

3.3.8. All data and software intended for use on computers in the information system of Vila Portorož d.o.o. and arriving at Vila Portorož d.o.o. on media for transferring computer data or via telecommunications means must be checked for the presence of malicious software before use.

3.3.9. The password system for authorizing and identifying users and programs protects access to data through application software. Persons responsible for the operation of the information system determine the regime for assigning, storing, and changing passwords, which must be approved by the director of Vila Portorož d.o.o.

3.3.10. All important passwords for access and administration of shared information technology are kept in sealed envelopes in fireproof cabinets.

3.3.11. In terms of availability and integrity of personal data, personal data must be securely stored in an appropriate and prescribed manner.

3.3.12. The removal of created backup copies of records may only be permitted by the director of Vila Portorož d.o.o. for justified reasons.

3.3.13. Computer copies of the contents of personal data collections are stored in a location that must be protected against fire, flooding, and electromagnetic disturbances, within prescribed climatic conditions, and adequately locked.

 

SPECIAL PROVISIONS ON VIDEO SURVEILLANCE

4.0.1. To ensure control of entry and exit in the server rooms of Vila Portorož d.o.o., video surveillance is conducted with visual recording of the entrance area.

4.0.2. At the location where video surveillance is conducted, a notice is posted with the following content: "The area is under video surveillance. Video surveillance is conducted by Vila Portorož d.o.o., phone number 01-280-5080."

 

4.1. Storage of Video Surveillance Recordings

Video surveillance recordings are stored as records of the video surveillance system for a period of 1 month. Recordings may be stored longer if required by law, at the request of the competent state authority, or to protect the legitimate interests of ARNES, if these data are subject to legal, criminal, or administrative proceedings.

 

4.2. Record of the Video Surveillance System

4.2.1. The director appoints a responsible person for the record of the video surveillance system by decision. Personal data in the record of the video surveillance system may only be processed by the director and the designated responsible person.

4.2.2. Documentation on access, use, and processing of personal data in the record of the video surveillance system is kept for the period during which legal protection of the individual's rights is possible due to unauthorized disclosure or processing of personal data.

 

ACTION UPON DISCOVERY OF ABUSE OF PERSONAL DATA OR INTRUSION INTO PERSONAL DATA COLLECTIONS

5.0.1. An employee who learns or notices that there has been an abuse of personal data (disclosure of personal data, unauthorized destruction, unauthorized alteration, damage to the collection, appropriation of personal data) or an intrusion into the personal data collection must immediately notify the responsible employee or director and attempt to prevent such activity.

5.0.2. The director must take appropriate action against an employee who has abused personal data or has unlawfully intruded into the personal data collection. Any abuse of personal data for purposes not in accordance with the purposes of collection specified in the law under which the data is collected, or purposes specified in the catalog of personal data collections, is considered an abuse of personal data.

5.0.3. If the perpetrator is an employee of the company, the competent director must initiate disciplinary proceedings and report the intrusion or abuse to law enforcement authorities in cases:

  • if there is a suspicion of an intrusion that is intended to abuse personal data or their use contrary to the purposes for which they were collected,
  • if there has already been an abuse of personal data.

5.0.4. In the case of abuse or suspicion of abuse of personal data held in personal data collections of Kabi d.o.o. by persons who are not employees of Vila Portorož d.o.o., it shall notify the competent authorities.

 

RESPONSIBILITY FOR IMPLEMENTING PERSONAL DATA PROTECTION MEASURES

6.1. Implementation of Procedures and Measures

6.1.1. Anyone processing personal data is obliged to implement the procedures and measures prescribed by this regulation for the protection of personal data and to protect personal data with which they have been acquainted in the performance of their work. The obligation to protect does not cease with the termination of the employment relationship.

6.1.2. Before starting work in a position where personal data is processed, the employee must sign a declaration obliging them to protect personal data.

6.2. Responsibility for Implementation and Supervision of Implementation

6.2.1. The heads of organizational units and authorized persons appointed by the director of Arnesa are responsible for implementing procedures and measures for the protection of personal data.

6.2.2. The director of Vila Portorož d.o.o. together with the technical director of Vila Portorož d.o.o. supervises the implementation of the procedures and measures specified in this regulation.

6.2.3. Employees are disciplinarily responsible for violating the provisions of Article 17, while others are responsible based on their contractual obligations.

 

FINAL PROVISION

This regulation enters into force on the 8th day after the director's signature and is published on the websites of Vila Portorož d.o.o.

In Lucija, on 29.08.2019

VILA PORTOROŽ d.o.o.

Vlasta Prešeren
Phone: +386 31 670 395
E-mail: [email protected]
