Based on the decision of the manager of the company FIŠ doo, and on the basis of Articles 24 and 25 of the
Personal Data Protection Act (Official Gazette of the Republic of Slovenia, 86/04, 113/05 and 67/07) and the
enforceable provisions of the General Regulation on the Protection of Personal Data, the following are issued and published:
RULES
on the protection of personal data
I. GENERAL PROVISIONS
Article 1
These rules determine the organizational, technical and logical-technical procedures and measures for
the protection of personal data in the company FIŠ doo in order to prevent unauthorized
destruction, alteration or loss of data as well as unauthorized access, processing,
use or transmission of personal data.
Employees and external collaborators who process and use personal data in their work
must be acquainted with the Personal Data Protection Act, with the sectoral legislation governing
their individual area of work, and with the content of these rules.
Article 2
Terms used in this policy have the following meanings:
1. ZVOP-1 - Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 86/04, 113/05 and 67/07);
2. Personal data - is any data relating to an individual, regardless of the form in
which it is expressed;
3. Individual - is a specific or identifiable natural person to whom personal data
refers; a natural person is identifiable if he can be identified, directly or indirectly,
in particular by reference to an identification number or to one or more factors which are
characteristic of his physical, physiological, mental, economic, cultural or social
identity, where the method of identification is not costly and does not take
a lot of time;
4. Personal data collection - is any structured set of data containing at least one item of
personal data that is accessible on the basis of criteria that allow the use or aggregation
of data, whether the set is centralized, decentralized or dispersed on a
functional or geographical basis; a structured data set is a data set that is
organized in such a way as to determine or enable the identifiability of the individual;
5. Processing of personal data - means any action or set of actions performed
in respect of personal data which are processed automatically or which, in the case of manual
processing, are part of a personal data file or are intended to be included in a personal data file,
in particular collecting, retrieving, recording, editing, storing, adapting or modifying,
inspection, use, disclosure by transmission, communication, dissemination or otherwise making
available, classifying or linking, blocking, anonymizing, deleting or destroying;
processing can be manual or automated (various means of processing);
6. Personal data controller - is a natural or legal person or other person of the public or
private sector, which alone or together with others determines the purposes and means of processing
personal data;
7. Sensitive personal data - are data on racial or ethnic origin,
political, religious or philosophical beliefs, trade union membership, health status,
sexual life, entry in or erasure from criminal or misdemeanor records, and
biometric characteristics of the individual;
8. User of personal data - is a natural or legal person or other person of the public or
private sector to which personal data are provided or disclosed;
9. Data carrier - are all types of media on which data are recorded (documents,
acts, materials, files, computer equipment including magnetic, optical or other
computer media, photocopies, sound and image material, microfilms, data transmission
devices, etc.).
Article 3
The description of personal data collections managed by FIŠ doo is kept in the catalog of
personal data collections (description of personal data collections), which is kept in accordance with the
provisions of Article 26 of ZVOP-1. The catalog of personal data collections is an appendix to these rules.
Employees who process personal data may be acquainted with the catalog of personal data
collections, and access to the catalog of personal data collections must also be provided to anyone who
requires it (inspection body, other employees due to current transactions or performance of a contract, etc.).
The employees of the company Fiš doo were orally informed of the catalog of personal data collections
by the director of the company.
The company FIŠ doo keeps an up-to-date list from which it is clear, for each personal data collection,
which person is responsible for the individual personal data collection and which persons
may, due to the nature of their work, process the personal data in that
collection.
The following information is entered in the list: the name of the personal data collection, the personal name
and job title of the person responsible for the personal data collection, and the personal names and job
titles of the persons who, due to the nature of their work, may process the personal data in the
collection.
II. PROTECTION OF PREMISES AND COMPUTER EQUIPMENT
Article 4
Premises in which personal data carriers, hardware and software are located (protected
premises) must be protected by organizational and physical and/or technical measures which
prevent unauthorized persons from accessing the data.
Access is possible only during regular working hours, and outside this time only with the permission
of the company manager. The persons in the company who take care of sales and administration, and the
procurators, have the oral permission of the director of the company Fiš doo to access, outside working
hours, the secure premises and computer databases where personal data files are stored.
Keys are not left in the lock on the outside of the door.
Protected premises must not remain unattended; in the absence of the workers who supervise them,
they must be locked.
Outside business hours, computers and other hardware must be turned off and physically or
programmatically locked, unless they are being used by persons who may access, outside working hours,
the secure premises and computer databases where personal data files are stored.
Employees are not allowed to leave personal data carriers on desks in the presence of persons who do not
have the right to inspect them.
Sensitive personal data must not be stored outside secure premises.
Article 5
In premises intended for business with customers, data carriers and computer
displays must be installed so that customers do not have access to them.
Article 6
Maintenance and repair of computer hardware and other equipment is permitted only with the knowledge
of authorized persons and may only be performed by authorized service and maintenance personnel, to whom
the authorization to carry out the work is sent by order (e-mail).
Article 7
Maintainers of premises, hardware and software, visitors and business partners are allowed to
move in secured premises only with the knowledge and in the presence of an authorized person. Employees
such as cleaners, security guards, etc., may move outside working hours only in those protected
premises where access to personal data is disabled (data carriers are stored in
locked cabinets and desks, and computers and other hardware are turned off or
otherwise physically or programmatically locked).
III. PROTECTION OF SYSTEM AND APPLICATION COMPUTER SOFTWARE AND OF DATA PROCESSED BY COMPUTER EQUIPMENT
Article 8
Access to the software must be secured so that access is allowed only to employees designated
in advance or to legal or natural persons who provide the agreed services on the basis of
a sent order.
Article 9
Fixing, modifying and supplementing system and application software is
permitted only with the approval of an authorized person and may only be carried out by authorized
services, organizations and individuals who have a confirmed order (via e-mail).
Article 10
The contents of network server disks and local workstations where personal data is located
are regularly checked for the presence of computer viruses. When a computer virus appears,
it is eliminated as soon as possible with the help of an appropriate professional service, and at the same
time the cause of the appearance of the virus in the computer information system is determined.
All personal data and software intended for use in the computer
information system that arrive at the company on media for the transmission of computer data
or via telecommunication channels must be checked for the presence of computer viruses
before use.
Article 11
Employees are not allowed to remove software from the company's headquarters unless they have the
permission of the director of the company Fiš doo.
Article 12
Access to data via application software is protected by a password system for
authorization and identification of program users.
The authorized person determines the regime of assigning, storing and changing passwords.
Article 13
All passwords and procedures used to enter and administer the personal computer network
(control passwords), e-mail administration and application program administration are
kept in sealed envelopes and protected from unauthorized access. They are used
only in exceptional circumstances or in emergencies. Any use of the contents of a sealed
envelope is documented. After each such use, a new password is set.
Article 14
For the purposes of restoring the computer system in the event of breakdowns and other exceptional
situations, regular backups are made of the contents of the network server and of local stations, if data
is located there.
These copies shall be kept in designated places, which must be fireproof, protected against
floods and electromagnetic disturbances, within the prescribed climatic conditions, and locked.
IV. SERVICES PROVIDED BY EXTERNAL LEGAL OR NATURAL PERSONS
Article 15
With any external legal or natural person who performs individual tasks related to the collection,
processing, storage or transmission of personal data and is registered to
perform such an activity (contractual processor), a written contract is concluded, as provided for in
the second paragraph of Article 11 of ZVOP-1. Such a contract must also prescribe the conditions
and measures to ensure the protection of personal data.
External legal or natural persons may provide personal data processing services only
within the scope of the client's authorizations and may not process or otherwise use the data for any
other purpose.
An authorized legal or natural person who performs the agreed services for the company outside the
controller's premises must protect personal data at least as strictly as provided by
this policy.
V. RECEIPT AND TRANSMISSION OF PERSONAL DATA
Article 16
The employee in charge of receiving and recording mail must deliver a postal item containing personal
data directly to the individual to whom the item is addressed, unless the recipient of the postal item
has authorized him to open the postal item containing the recipient's personal data.
The worker in charge of receiving and recording mail shall open and inspect all postal items and
items that otherwise arrive at the company's office (brought by customers or couriers), except for the
items referred to in the third and fourth paragraphs of this Article.
The worker in charge of receiving and recording mail shall not open items that are addressed to
another authority or organization and have been delivered by mistake, or items that are marked as personal
data or that, according to the markings on the envelope, appear to refer to another person, unless he has
the permission of the recipient of the postal item to open the postal item containing the recipient's
personal data.
The worker in charge of receiving and recording mail may not open items addressed to
a worker on whose envelope it is stated that they are to be served in person on the addressee, or items on
which the personal name of the worker is stated first, without an indication of his official position, and
only then the registered office of the company, unless he has the permission of the recipient of the postal
item to open the postal item containing the recipient's personal data.
Article 17
Personal data may be transferred by information, telecommunications and other
means only when procedures and measures are implemented that prevent unauthorized persons
from misappropriating or destroying the data and from becoming acquainted with their content without justification.
Sensitive personal data is sent to addressees in sealed envelopes against signature in the delivery
book or with a certificate.
Personal data is sent by registered mail.
The envelope in which personal data are transmitted must be made in such a way that the contents
are not visible under normal light or when the envelope is illuminated with ordinary light.
The envelope must also ensure that it cannot be opened, and its contents cannot be read,
without leaving a visible trace of opening.
Article 18
Sensitive personal data must be specially marked and secured during processing. The company, however,
does not currently keep sensitive personal data.
The data referred to in the previous paragraph, insofar as they appear in the company's operations, may be
transmitted over telecommunications networks only if they are specially protected by cryptographic
methods and an electronic signature in such a way as to ensure the illegibility of the data during
transmission.
Article 19
Personal data is provided only to those users who can demonstrate an appropriate legal
basis or who present a written request or consent of the data subject.
For each transfer of personal data, the beneficiary must submit a written application which must
clearly state the provision of the law authorizing the user to obtain personal data, or
the application must be accompanied by a written request or consent of the individual to whom the data
refer.
Each transfer of personal data is recorded in the record of transfers, from which it must be
clear which personal data were provided, to whom, when and on what basis (Article 22 of
ZVOP-1).
Originals of documents are never provided, except in the case of a written court order. The original
document must be replaced by a copy during its absence.
VI. DELETION OF DATA
Article 20
After the expiry of the retention period, personal data shall be archived, unless a law or other act
provides otherwise.
The deadlines for deleting personal data from the database are given in point 6 of the catalog of
personal data files.
Article 21
To erase data from computer media, a method of erasure is used that makes it impossible
to restore all or part of the deleted data.
Data on traditional media (documents, files, registers, lists, ...) are destroyed in a way that
makes it impossible to read all or part of the destroyed data.
Auxiliary material (e.g. matrices, calculations and graphs, sketches, trial
or unsuccessful printouts, etc.) is destroyed in the same way.
It is forbidden to dispose of waste data carriers containing personal data in rubbish bins.
When transferring personal data carriers to the place of destruction, adequate
protection must also be ensured during the transfer.
VII. ACTION IN CASE OF SUSPECTED UNAUTHORIZED ACCESS
Article 22
Employees are obliged to immediately notify an authorized person or the manager of activities related
to the discovery or unauthorized destruction of confidential information, or to its malicious or
unauthorized use, misappropriation or alteration, and must themselves try to prevent such
activity.
VIII. RESPONSIBILITY FOR THE IMPLEMENTATION OF SECURITY MEASURES AND PROCEDURES
Article 23
The implementation of procedures and measures for the protection of personal data is the responsibility of
the manager and the authorized persons appointed by the manager.
Supervision over the implementation of the procedures and measures set out in these Rules is performed
on a case-by-case basis by the sales manager in the company.
Article 24
Anyone who processes personal data is obliged to implement the prescribed procedures and measures for
protecting the data and to protect the data of which he became aware or with which he became acquainted
in the course of his work. The data protection obligation does not end with the termination of the
employment relationship.
Before starting work at a workplace where personal data is processed, the employee must
sign a special declaration obliging him to protect personal data (annex to the employment
contract).
It must be evident from the signed declaration that the signatory is acquainted with the provisions of these
rules and the provisions of ZVOP-1, and the declaration must also contain instructions on the consequences of a violation.
Article 25
Employees bear disciplinary liability for violating the provisions of the previous article, while others are
liable on the basis of their contractual obligations.
IX. FINAL PROVISIONS:
Article 26
These rules were adopted on 05/05/2018 and enter into force on 15/05/2018.
Šentrupert, 05/05/2018 FIŠ doo
dir. Boris Fischer
Attachment:
- Catalog of personal data collection
CATALOG OF PERSONAL DATA COLLECTION - 1
1. NAME OF THE COLLECTION
Records of customers who have entered into a transaction with the company.
Records of potential customers who have themselves expressed an interest in the supply of goods or
provision of services.
List of collections:
- Collection of existing and potential customers ARABIA TRUCKS; Responsible person: Tadej Fišer - sales manager; Access: Luka Deberšek - business process analyst and work organizer, Žiga Kerin - salesman, Tatjana Novak - secretary, Andrej Fišer - procurator, Boris Fišer - director.
- Collection of existing and potential customers TRUCKS EURO5; Responsible person: Tadej Fišer - sales manager; Access: Luka Deberšek - business process analyst and work organizer, Žiga Kerin - salesman, Tatjana Novak - secretary, Andrej Fišer - procurator, Boris Fišer - director.
- Collection of existing and potential customers TRUCKS RO / SK / BG; Responsible person: Tadej Fišer - sales manager; Access: Luka Deberšek - business process analyst and work organizer, Žiga Kerin - salesman, Tatjana Novak - secretary, Andrej Fišer - procurator, Boris Fišer - director.
- Collection of existing and potential customers TRUCKS; Responsible person: Tadej Fišer - sales manager; Access: Luka Deberšek - business process analyst and work organizer, Žiga Kerin - salesman, Tatjana Novak - secretary, Andrej Fišer - procurator, Boris Fišer - director.
- Collection of existing and potential customers PARTNERS TRUCKS; Responsible person: Tadej Fišer - sales manager; Access: Luka Deberšek - business process analyst and work organizer, Žiga Kerin - salesman, Tatjana Novak - secretary, Andrej Fišer - procurator, Boris Fišer - director.
- Collection of existing and potential clients EKOKAMINI; Responsible person: Luka Deberšek - business process analyst and work organizer; Access: Tadej Fišer - sales manager, Žiga Kerin - salesman, Tatjana Novak - secretary, Andrej Fišer - procurator, Boris Fišer - director.
- Collection of existing and potential customers RENTING MACHINES; Responsible person: Žiga Kerin - salesman; Access: Tadej Fišer - sales manager, Luka Deberšek - business process analyst and work organizer, Tatjana Novak - secretary, Andrej Fišer - procurator, Boris Fišer - director.
- Collection of existing and potential customers of KRUHOREZNICA; Responsible person: Tatjana Novak - secretary; Access: Tadej Fišer - sales manager, Luka Deberšek - business process analyst and work organizer, Žiga Kerin - salesman, Andrej Fišer - procurator, Boris Fišer - director.
- Collection of existing and potential clients RENTAL OF BUSINESS PREMISES; Responsible person: Luka Deberšek - business process analyst and work organizer; Access: Tadej Fišer - sales manager, Žiga Kerin - salesman, Tatjana Novak - secretary, Andrej Fišer - procurator, Boris Fišer - director.
- Collection of existing and potential customers INQUIRY ECOCAMINES; Responsible person: Luka Deberšek - business process analyst and work organizer; Access: Tadej Fišer - sales manager, Žiga Kerin - salesman, Tatjana Novak - secretary, Andrej Fišer - procurator, Boris Fišer - director.
- Collection of existing and potential customers CONTACTS; Responsible person: Luka Deberšek - business process analyst and work organizer; Access: Tadej Fišer - sales manager, Žiga Kerin - salesman, Tatjana Novak - secretary, Andrej Fišer - procurator, Boris Fišer - director.
- Collection of existing and potential clients CANDIDATES FOR EMPLOYMENT; Responsible person: Tatjana Novak - secretary; Access: Tadej Fišer - sales manager, Luka Deberšek - business process analyst and work organizer, Žiga Kerin - salesman, Andrej Fišer - procurator, Boris Fišer - director.
2. LEGAL BASIS
For the conclusion of contracts - the law or the personal consent of a party who is a natural person.
3. CATEGORIES OF INDIVIDUALS COVERED BY PERSONAL DATA IN THE COLLECTION
Persons who have shown an interest in the supply of goods or services.
4. TYPES OF PERSONAL DATA
Name and surname, address, telephone, e-mail.
5. PURPOSE OF PROCESSING
To carry out the economic activity of trade, rental of property.
6. STORAGE DEADLINE
Until revocation by the data subject, or for as long as is
necessary to achieve the purpose for which the personal data were collected. Once the purpose has been
fulfilled, personal data shall be deleted or destroyed, subject to tax regulations
regarding the obligation to archive concluded transactions with clients.
7. USERS OR CATEGORIES OF PERSONAL DATA USERS
Employees of the company in the field of sales, the company secretariat, and other persons who
have the manager's authority to enter into transactions.
8. GENERAL DESCRIPTION OF THE PROTECTION OF PERSONAL DATA COLLECTIONS
Personal data is stored, processed and protected in accordance with the Rules on the protection of
personal data dated 5.5.2018. Personal data in written form are kept in a file or
monks relating to transactions concluded. Personal data in the computer system is
stored on an individual unit accessed with personal passwords.
Šentrupert, 5.5.2018 FIŠ doo
dir. Boris Fischer