PERSONAL DATA PROTECTION POLICY
1. Introduction
At LANGUAGESITTER, jezikovno izobraževanje, d. o. o., located at Litostrojska cesta 40, 1000 Ljubljana (hereinafter referred to as “LanguageSitter®” or “the Controller”), we prioritise our responsibility in handling the personal data of our clients, potential customers, and visitors to our website, www.languagesitter.si (hereinafter referred to as “the LanguageSitter® website”), and all individuals who entrust us with their personal data (hereinafter referred to as “user” or “users”). That is why we have created this Personal Data Protection and Privacy Policy (hereinafter referred to as “the Policy”) to provide our users with transparent, understandable, and concise information about the purposes, legal basis, and rights related to processing their personal data, as guaranteed by the applicable Personal Data Protection Act of the Republic of Slovenia and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “the General Data Protection Regulation”).
The terms used in this Policy, including but not limited to controller, processing, restriction of processing, processor, profiling, pseudonymisation, third party, and company, are defined in accordance with the General Data Protection Regulation.
The Policy, in accordance with the General Data Protection Regulation, covers the following areas:
– the contact information of the Controller,
– the purposes and legal bases for processing various types of personal data of users, including the profiling of personal data of users,
– users of personal data, contractual processing, and transfer of data to third countries,
– the retention period for individual types of personal data,
– care for the security of personal data,
– the rights of users concerning the processing of personal data,
– the procedure for exercising the user’s rights with regard to the processing of personal data,
and the right to lodge a complaint concerning the processing of personal data.
2. Controller Information
The Controller of the personal data of users is LANGUAGESITTER d. o. o., located at Litostrojska cesta 40, 1000 Ljubljana. For any inquiries related to the protection of personal data and privacy, please contact us at office@languagesitter.si.
3. Personal Data
Personal data refers to information relating to an identified or identifiable individual. An individual is considered identifiable if they can be identified either directly or indirectly. This can be achieved through an identifier such as a name, identification number, location data, web identifier, or by one or more factors that are characteristic of the individual’s physical, physiological, genetic, mental, economic, cultural, or social identity. The Controller collects the following personal data in accordance with the purposes defined in this Policy:
– basic information about the user (name and surname, title, workplace, and other information about the employer),
– contact data and data on the user’s communication with the Controller (e-mail address, telephone number, date, time and content of postal or electronic communication, or date, time, and duration of telephone calls),
– information about the attendance at events organised by LanguageSitter® (information on the event attended, place, and date of the event),
– channel and campaign—the method of obtaining the user or the source through which the user came into contact with the Controller (website and advertising campaign),
– data on the user’s use of the website of the Controller (dates and times of visits to the website, pages visited or URLs, time spent on each page, number of pages visited, total time spent on the site, settings made on the site) and data on the response to the messages received from the Controller (e-mail, text),
– data from voluntarily completed forms by the user, e.g. in the context of giveaways or requests for services offered by the Controller,
– other data that the user voluntarily provides to the Controller when requesting certain services that require such data.
The Controller will only collect and process the user’s personal data if the user has allowed or given consent, such as when ordering products or services, subscribing to a newsletter, or participating in a giveaway. Additionally, personal data may be collected if there is a legal basis for it, if the processing is necessary to fulfil contractual obligations, or if the processing is necessary due to legitimate interests pursued by the Controller (hereinafter referred to as “legitimate interest”).
4. Grounds and Purposes for Processing Personal Data
LanguageSitter® processes personal data for the purposes further explained in this Policy based on the following legal grounds:
– user’s agreement or explicit consent,
– fulfilment of legal obligations of the Controller,
– processing based on legitimate interests,
– fulfilment of contractual obligations.
LanguageSitter® ensures that the user’s personal data will only be processed for the specific purposes for which they were obtained and will not be processed for purposes that are incompatible with those purposes. Additionally, LanguageSitter® only collects personal data from the user that are strictly necessary for the achievement of a particular purpose.
4.1. Processing Based on Consent or Agreement
LanguageSitter® will process user’s personal data based on their written consent for the following purposes:
– sending emails to inform the user about LanguageSitter®’s training, news, content, services, and events of the Controller or third parties,
– contacting the user by phone to present educational solutions to them or their employer (by prior arrangement also at their address),
– publishing user’s information in professional media and on websites to promote the user and their employer,
– monitoring the reading of emails sent, including which emails the user has opened or not, which links they have clicked on, and how long they have spent reading or viewing each content,
– segmenting users based on the facts referred to in the previous line and sending personalised emails, which can result in different users receiving emails with different content to provide more relevant information and achieve a higher level of response to sent emails,
– analysing the user’s website activity, such as how they arrived on the website (source of traffic), which pages they visited and how long they stayed on them, and which content they downloaded or viewed,
– segmenting users based on the facts referred to in the previous line and sending customised messages through multi-channel communication, which means that different users can receive messages with different content to better inform individuals and achieve a higher level of user engagement,
– any other purposes for which the user specifically agrees when cooperating with the Controller.
If the user has given their consent to the processing of their personal data, they have the right to revoke this consent at any time. This can be done by sending an email to office@languagesitter.si.
4.2. Legal Obligations that Require Processing of Personal Data by LanguageSitter®
We process users’ personal data when it is required by law, such as for the purpose of judicial or administrative proceedings.
4.3. Legitimate Interest Pursued by LanguageSitter® for Processing Personal Data
The Controller may process personal data based on a legitimate interest, as long as the interests do not override the user’s fundamental rights and freedoms. When processing personal data based on a legitimate interest, LanguageSitter® will always conduct an assessment in accordance with the General Data Protection Regulation.
LanguageSitter® may implement certain measures, such as pseudonymisation, encryption, and deletion of certain types of personal data, to safeguard the processing of personal data based on legitimate interest. These measures will be applied in addition to the legal bases of consent or contract that the personal data was collected on.
Legitimate interest is one of the legal bases on which LanguageSitter® will process users’ personal data for the following purposes:
– Conducting marketing, business, and technical analyses to identify from which organisations the participants of events and training come, as well as the positions they hold in these organisations. LanguageSitter® will also keep records of the number and types of events and training the user attended and the certificates of participants.
– Preventing abuse, ensuring security, and asserting or defending against claims in administrative and judicial proceedings. If there is any suspected misuse, the Controller may process the user’s personal data appropriately and proportionally to prevent potential fraud or misuse. The data may also be disclosed to the police, public prosecutor’s office, or other competent authorities if necessary.
– Conducting direct marketing, including the creation of user profiles based on previously obtained personal data, which the user can object to at any time in accordance with the Right to Object section of this Policy.
4.4. Processing Personal Data to Meet Contractual Obligations
In some instances, processing personal data is necessary to fulfil the contractual obligations of the Controller. Failure to provide the required data may prevent the Controller from entering into a contract or providing services to the user.
The Controller will process the user’s personal data to fulfil contractual obligations for the following purposes:
– contractual arrangement of business cooperation,
– implementation of activities specified in the cooperation contract, such as consulting, preparing language course programmes and materials, implementing language course programmes and materials, and computerisation of processes,
– implementation of activities based on the purchase and/or participation in our training, such as consulting, preparing language course programmes and materials, implementing language course programmes and materials, and computerisation of processes,
– communication with contractors and other contact persons of the client for carrying out the activities specified in the cooperation contract,
– registration of the user for an event or training organised by LanguageSitter®, including the awarding of certificates to participants in events and training.
5. Processing of Personal Data, Contractual Obligations, and Transfer to Non-EU/EEA Countries
At LanguageSitter®, we take the users’ personal data privacy and security seriously. Only authorised employees, associates, and processors with a direct need to access their information will be granted access.
We will never transfer users’ personal data to unauthorised third parties.
By using our website and services, the user acknowledges and agrees that we may entrust specific tasks related to their data to external processors. However, these processors are bound by strict contractual agreements to process their data solely on our behalf and in accordance with our written instructions and purposes outlined in our Policy. Additionally, they are prohibited from using the user’s personal data for their own interests.
For more information on the external processors we work with, please contact us at office@languagesitter.si.
6. Personal Data Retention Duration
The Controller is committed to processing personal data only for as long as necessary to achieve the purpose for which it was collected and further processed.
When processing personal data for contract performance, we will retain it for the duration of the contract and 5 years following its termination, unless a dispute arises. In such a case, LanguageSitter® retains the data for 5 years after the final and binding court or arbitration decision or settlement, or if there was no court dispute, for 5 years from the date of the peaceful settlement of the dispute.
Personal data processed by LanguageSitter® on the basis of the law is stored by LanguageSitter® for the period prescribed by law.
Personal data processed by the Controller on the basis of the user’s personal consent or legitimate interest is kept permanently by LanguageSitter® until the withdrawal of the user’s consent or request to terminate the processing. LanguageSitter® deletes such data before revocation only if the purpose of the processing of personal data has already been achieved or if required by law.
After the retention period expires, LanguageSitter® will delete, destroy, or anonymise the user’s personal data so that it can no longer be linked to them.
7. Personal Data Security Measures
At LanguageSitter®, we take the security of users’ personal information seriously. To prevent unauthorised access, use, and disclosure of the data, we implement the following measures:
– data is protected through secure premises, equipment, and system software,
– unauthorised access to personal data during transmission, including via telecommunications means and networks, is prevented,
– an effective way to block, destroy, delete, or anonymise personal data when it is no longer needed for its intended purpose is provided.
The security of personal data is maintained through a variety of technologies and procedures to prevent unauthorised access, use, and disclosure. These measures include:
-strict control of physical access to premises and equipment,
-locking rooms, cabinets, and computers to prevent unauthorised access,
-storing personal data carriers in secure premises,
-restricting access to personal data for maintenance personnel, customers, and other visitors to the processor’s premises,
-ensuring that passwords are only used by authorised individuals and for approved purposes,
-limiting data outputs by employees,
-monitoring copies and data outputs,
-transmitting data over telecommunications networks using limited, recorded, and secure methods,
-collecting data from individuals whose contract with the processor has been terminated,
-strictly separating personal data from any other Controllers’ data.
8. User Rights for Personal Data Protection
As per General Data Protection Regulation, LanguageSitter® ensures the following rights for the protection of personal data, which are elaborated in this Policy:
– the right to access data,
– the right to rectification,
– the right to erasure (“right to be forgotten”),
– the right to restriction of processing,
– the right to data portability,
– the right to object.
8.1. Right to Access Data
The user is entitled to receive confirmation from LanguageSitter® regarding the processing of their personal data. If LanguageSitter® is processing the user’s personal data, the user has the right to access their personal data and the following information related to the processing of their personal data:
– the purposes of the processing,
– the categories of personal data concerned,
– the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations,
– where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
– the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the user or to object to such processing,
– where the personal data are not collected from the user, any available information as to their source,
– the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the user.
Upon the user’s request, LanguageSitter® will provide the user with one free copy of their processed personal data. For any additional copies, LanguageSitter® may charge a fee based on administrative costs.
8.2. Right to Rectification
The user shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the user shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
8.3. Right to Erasure (Right to Be Forgotten)
The user shall have the right to obtain from LanguageSitter® the erasure of personal data concerning them without undue delay and LanguageSitter® shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
– the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
– the user withdraws consent on which the processing is based and where there is no other legal ground for the processing,
– the user objects to the processing based on the legitimate interest of the Controller and there are no overriding legitimate grounds for the processing,
– when the user objects to processing for direct marketing purposes,
– the personal data have to be erased for compliance with a legal obligation in accordance with EU law or Slovenian law.
When LanguageSitter® publishes the user’s personal data in accordance with the Policy, we take reasonable steps, including technical measures, to notify the controllers who are processing the personal data about the request to delete any links to or copies of this personal data.
8.4. Right to Restriction of Processing
The user shall have the right to obtain from LanguageSitter® the restriction of processing where one of the following applies:
– the accuracy of the personal data is contested by the user, for a period enabling the Controller to verify the accuracy of the personal data,
– the processing is unlawful and the user opposes the erasure of the personal data and requests the restriction of their use instead,
– LanguageSitter® no longer needs personal data for the purposes of the processing, but they are required by the user for the establishment, exercise, or defence of legal claims,
– the user has objected to processing, pending the verification of whether the legitimate grounds of the Controller override those of the user.
8.5. Right to Data Portability
The user shall have the right to receive the personal data concerning them, which the user has provided to LanguageSitter®, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from LanguageSitter®, to which the personal data have been provided, where:
– the processing is based on consent or on a contract,
– and the processing is carried out by automated means.
8.6. Right to Object
The user shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is based on legitimate interests pursued by LanguageSitter® or a third party. LanguageSitter® shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the user or for the establishment, exercise, or defence of legal claims. Where personal data are processed for direct marketing purposes, the user shall have the right to object at any time to the processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. If direct marketing is based on consent, the user can exercise their right to object by withdrawing their consent for the processing of personal data.
9. Process for Exercising Personal Data Rights
The user has the option to exercise all of their personal data rights by either sending an email to office@languagesitter.si or by mailing a letter to LANGUAGESITTER d. o. o., Litostrojska cesta 40, 1000 Ljubljana.
In the event that the user chooses to submit a request electronically, the Controller will strive to provide the information in an electronic format as much as possible.
To ensure accurate identification when exercising the user’s personal data rights, we may ask for additional data to confirm the user’s identity. Refusal to take action in accordance with this chapter will only occur if we are unable to reliably verify the user’s identity.
We will promptly respond to the user’s request for exercising their personal data rights, and no later than one month from the date of receipt. LanguageSitter® reserves the right to extend the deadline for the exercise of rights by up to two additional months, depending on the complexity and number of requests received. In the event that LanguageSitter® extends the deadline for responding to the user’s request, we will inform the user of the extension within one month of receiving the request, along with the reasons for the delay.
If the user’s requests under this chapter are considered manifestly unfounded or excessive, especially if they are repetitive, LanguageSitter® may take the following actions:
– charge a reasonable fee, taking into account the administrative costs of providing the information, messaging, or implementing the measure requested,
– or refuse to act on the request altogether.
10. Personal Data Processing Complaint Rights
To file a complaint regarding the processing of their personal data, the user may send an email to office@languagesitter.si or mail the complaint to LANGUAGESITTER d. o. o., Litostrojska cesta 40, 1000 Ljubljana.
Additionally, the user has the right to lodge a complaint with the Information Commissioner directly if they believe that the processing of their personal data violates Slovenian or EU regulations related to personal data protection.
11. Policy Validity
This Policy is effective from 25 May 2018 onwards and may be subject to amendments or updates at any time. Please note that the Controller is not required to notify the users of any changes made to the Policy.
