Privacy Policy

The Agency for Communication Networks and Services of the Republic of Sloveniaa (hereinafter referred to as "the Agency") is aware of its responsibilities with regard to the handling of personal data.¹, and therefore processes all personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) and the Personal Data Protection Act (PDPA-2), as well as with other legislation that provides the Agency with a legal basis for the processing of personal data.

The purpose of the personal data protection policy is to provide the data subject with information on how and which personal data received by the Agency from the data subject on the basis of the legal bases described below are processed by the Agency as the controller and on the rights of the data subject with regard to the processing of such personal data.

The Agency undertakes to process the personal data collected in accordance with the applicable regulations and not to disclose such data to third parties, except where it has a legal or other appropriate legal basis for such disclosure.

The terms used by the Agency in this Policy are explained in the General Data Protection Regulation.

Controller of personal data

The Agency for Communication Networks and Services of the Republic of Slovenia

Address: Stegne 7, 1000 Ljubljana

Telephone: + 386 1 583 63 00

E-mail: info.box@akos-rs.si.

Data Protection Officer (DPO)

The control over the correct processing of your personal data is exercised by the Data Protection Officer. For any further clarifications regarding the protection of personal data and for assistance in exercising your rights, the DPO is at your disposal at dpo@akos-rs.si.

Legal basis for the processing of personal data

The Agency collects and processes your personal data on the following legal bases:

the data subject has consented to the processing of his or her personal data (Article 6(a) of the General Data Protection Regulation);
the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (Article 6(e) of the GDPR).

Processing based on the consent of the data subject:

The Agency collects and processes personal data exceptionally on the basis of the prior consent (consent) of individuals, namely:

e-mail address for sending the Agency's e-newsletter - in order to receive the Agency's e-newsletter, the individual must provide the e-mail address to which he or she wishes to receive the Agency's e-newsletter;
name, surname, address, telephone and/or e-mail address when reporting a breach in the electronic media via the form on the Agency's website - if the individual wishes the Agency to respond to the report or inform him/her of the findings of the report, he/she must provide his/her contact details when reporting the breach;
name and email address when submitting a question via the form on the Agency's website - in order for the Agency to respond, the individual must provide his or her name and email address.

If the data subject has given his or her consent to the processing of personal data and subsequently no longer wishes to do so, he or she may, at any time, request the interruption of the processing of personal data by submitting a written application to the Controller or by sending an e-mail to info.box@akos-rs.si. Withdrawal of consent shall not affect the lawfulness of processing on the basis of consent prior to its withdrawal.

The data subject may unsubscribe from the receipt of the newsletter at any time and at no cost by clicking on the unsubscribe link in any e-mail message received or by sending a written communication to the Controller's address or e-mail address info.box@akos-rs.si.

The performance of a task carried out in the public interest or in the exercise of official authority:

Enforcement Agency² and by-laws³ the tasks and powers laid down by law, the Agency collects and processes personal data of individuals which are necessary for the fulfilment of its legal obligations.

Video surveillance

Video surveillance is carried out at the Communications Networks and Services Agency of the Republic of Slovenia. Video surveillance is used to monitor entrances and exits to and from the Agency's business premises and to protect individuals (employees, contractors of the Agency, visitors and individuals in the car park) and the Agency's property (pursuant to Article 6(1)(e) of the GDPR in conjunction with Articles 76 and 77 of the GDPR-2). CCTV cameras are installed at the Agency's headquarters and at external locations, where they mainly record the entrances to the premises, the car park, the archives and the remote radio-monitoring stations. Video surveillance is used to assist in the detection, handling or resolution of incidents, crimes, claims for damages or other claims (Personal data may consequently be disclosed to competent legal entities.) The recordings are kept for up to 60 days from the date of the recording, after which they are automatically deleted. Video surveillance shall not be carried out in a way that would have a particular processing impact. Nor does video surveillance allow for unusual further processing, such as transfers to third country entities. Video surveillance allows live monitoring of what is happening. Any information concerning the implementation of video surveillance may be obtained by calling (01) 583 63 00 or by e-mailing info.box@akos-rs.si. The rights of individuals are described in this Privacy Policy. Further questions may also be addressed to the Data Protection Officer, who can be contacted at dpo@akos-rs.si.

Types of personal data held on the basis of the individual's consent:

When	Personal data	Purpose of processing	Legal basis for processing	Retention period
Each time you visit the Agency's website	IP address	For the purpose of website security and to prevent illegal activities on the website (e.g. hacking, phishing, etc.).	The processing is necessary for the performance of the controller's tasks (Article 6(e) of the General Regulation).	Until the end of the session (general rule) or permanently (for cases of attempted abuse).
When subscribing to the newsletter	IP address	For the purpose of website security and to prevent illegal activities on the website (e.g. hacking, phishing, etc.).	The processing is necessary for the performance of the controller's tasks (Article 6(e) of the General Regulation).	Until the end of the session (general rule) or permanently (for cases of attempted abuse).
When subscribing to the newsletter	E-mail address	For the sole purpose of informing you of the Agency's news.	Processing based on the valid consent of the data subject (Article 6(a) of the General Regulation).	Until withdrawal of consent or until objection. The data subject may unsubscribe from receiving the newsletter at any time via the link provided in each e-mail or by written communication.
*When reporting infringements in the electronic media*	Name and surname Address Telephone number E-mail address (all optional)	For the purpose of communicating with the individual, for the Agency to respond to the complaint or, if the individual so wishes, to inform the individual of its findings in relation to the complaint. If personal data is not provided, the Agency cannot contact the individual.	Processing based on the valid consent of the data subject (Article 6(a) of the GDPR). The Agency processes data only if necessary for the exercise of its legitimate powers, duties or obligations (Article 6(e) of the GDPR).	Depending on the type of procedure and the legal bases governing the management and preservation of documentary and archival material.
*When making an enquiry*	Name and surname E-mail address	Personal data is necessary for the Agency to be able to answer the individual's question.	Processing based on the individual's valid consent (Article 6(a) of the GDPR).	Depends on the type of procedure and the legal bases governing the management and preservation of documentary and archival material.

Retention period of personal data

The Agency shall keep the personal data of the data subject only for as long as is necessary to fulfil the purpose for which the personal data were collected and processed. The period of retention of personal data shall also depend on the type of procedure and the legal bases governing the management and preservation of documentary and archival material.

Personal data processed by the Agency on the basis of the consent of the data subject shall be stored until the consent is withdrawn or until a request for erasure is made, insofar as the retention period does not depend on the type of procedure and the legal bases governing the processing and storage of documentary and archival material. Upon receipt of a withdrawal of consent or a request for erasure, the data shall be erased within 15 days at the latest. The Agency may also delete the data before revocation where the purpose of the processing of the personal data has been achieved or where provided for by law.

The Agency may exceptionally refuse a request for erasure on the grounds set out in Article 17(3) of the General Data Protection Regulation, namely if the processing of the data is necessary:

for the exercise of the right to freedom of expression and information,
for compliance with a legal obligation to process or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
for reasons of public interest in the field of public health,
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
for the establishment, exercise or defence of legal claims.

After the retention period has expired, the Agency shall effectively and permanently erase or anonymise the personal data so that they can no longer be associated with a specific individual.

Categories of users

The personal data processed whenever you visit the Agency's website is transmitted to the contractual processor that maintains the website for the Agency. The contractual processor processes the personal data exclusively on behalf of the controller, under the instructions and under the control of the controller.

Transfer of personal data to a third country or an international organisation

Personal data are not transferred to third countries or international organisations.

Rights of individuals with regard to the processing of personal data

In accordance with the General Data Protection Regulation, each individual has the following rights with regard to the protection of personal data:

1. to access personal data:

Each individual has the right to request information from the controller as to whether personal data concerning him or her are being processed and, if so, which personal data are being processed, on what basis and why they are being used by the Agency. An individual whose personal data is processed by the controller has access to his or her personal data (which allows him or her to receive a copy of the personal data held by the Agency about him or her).

Correction of personal data:

The data subject has the right to obtain from the controller the rectification, without undue delay, of inaccurate personal data concerning him or her. The data subject shall also have the right, having regard to the purposes of the processing, to have incomplete personal data completed, including by submitting a supplementary declaration.

3. erasure of personal data:

The data subject shall have the right to have personal data concerning him or her erased by the controller without undue delay and the controller shall have the obligation to erase the personal data without undue delay where one of the following grounds applies:

the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
the data subject withdraws consent and there is no other legal basis for the processing;
the personal data have been unlawfully processed;
where required by law.

4. Restriction of processing of personal data:

The data subject may request the controller to restrict the processing of his or her personal data where one of the following applies:

the data subject contests the accuracy of the data for a period which enables the controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead the restriction of their use;
the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them for the establishment, exercise or defence of legal claims;
the data subject has lodged an objection to the processing of his or her personal data.

5. portability of personal data:

For personal data processed by the controller on the basis of the data subject's consent, the data subject shall have the right to receive personal data relating to him or her which he or she has held on the controller, in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller.

6. Withdrawal of consent:

Any data subject may withdraw the consent or the agreement that he or she has given to the collection, processing and transfer of his or her personal data for a specific purpose at any time without affecting the lawfulness of the processing carried out on the basis of the consent up to the time of withdrawal. The withdrawal of consent may be given in writing by post to the address of the controller or by e-mail to info.box@akos-rs.si. Upon receipt of a notification from the data subject of the withdrawal of consent or of the consent to the processing of his/her personal data, the controller shall immediately stop processing the data for the purposes for which they were originally provided, unless there is already another legal basis for the processing which does not permit erasure at the request of the data subject.

Procedure for exercising rights

If the data subject wishes to exercise any of the rights set out above, he or she may submit a written request to the controller by post or by email to info.box@akos-rs.si.

The controller will provide the data subject with a copy of the personal data processed or reply to the data subject's request without undue delay or at the latest within one month of receipt of the request.

Access to and exercise of the rights concerning personal data shall be free of charge for the data subject.

If the data subject makes the request electronically and unless otherwise requested, the controller will provide the personal data to the data subject in electronic form.

Should the data subject request additional copies, the controller may charge a reasonable fee, taking into account administrative costs.

If the individual's requests would be manifestly unfounded or excessive (e.g. repetitive), the controller may charge the individual a reasonable fee, taking into account administrative costs, or refuse to act on the individual's request.

In the case of the exercise of rights relating to personal data, the controller may request additional information from the data subject for the purposes of reliable identification. If the controller is unable to identify the data subject reliably, the controller may refuse the data subject's request to exercise the rights.

If the data subject wishes to exercise the rights set out above, he or she may, at any time, contact the Data Protection Officer at dpo@akos-rs.si for assistance . Anyone may also, at any time and anonymously, report to the Data Protection Officer any possible unlawful practices in the field of personal data protection.

Possibility to lodge a complaint

A complaint or a report may be lodged with the Information Commissioner of the Republic of Slovenia against the controller's conduct in relation to the protection of personal data.

Information on the existence of automated decision-making

The Agency does not use automated decision-making.

Publication of changes

Any amendments to the Agency's Personal Data Protection Policy will be published on the Agency's website. By using the website, the individual confirms that he/she accepts and agrees to the entire content of this Personal Data Protection Policy.

The Personal Data Protection Policy has been adopted by the Director of the Agency.

1 Personal data means any information relating to an identified or identifiable natural or legal person (hereinafter referred to as 'data subject'); an identifiable natural or legal person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural or legal person.

2 Available at https://www.akos-rs.si/zakoni-in-priporocila/zakoni.

3 Available at https://www.akos-rs.si/zakoni-in-priporocila/podzakonski-akti.

Name	Purpose	Lifetime
_ga	Used to distinguish users.	2 years
_ga_container-id	Used to persist session state.	2 years