Personal data protection

The website www.aetas.si is owned by AETAS d.o.o., pharma solutions and ideas, Redelonghijeva ulica 28, 1000 Ljubljana.

1.) The purpose of this privacy policy

The purpose of this privacy policy (hereinafter: policy) is to communicate the purpose and legal basis for the processing of personal data by AETAS d.o.o., pharma solutions and ideas, to the customers and visitors of the website www.aetas.si. AETAS d.o.o., pharma solutions and ideas, Redelonghijeva ulica 28, 1000 Ljubljana, Slovenian e-mail address info@aetas.si (hereinafter: AETAS or the company or provider or personal data controller) ensures the protection of your personal data and guarantees safety throughout the business interaction.

At the same time, this Policy further clarifies the consent to data collecting and processing. In the Policy in accordance with European legislation (Regulation (EU) 2016/697 on the protection of natural persons with regard to the processing of personal data and the free movement of such data (The EU General Data Protection Regulation (GDPR)) and Treaty Conventions ETS 108, ETS 181, ETS 185, ETS 189) and national legislation of the Republic of Slovenia (Personal Data Protection Act (ZVOP-1, Ur. l. RS, no. 94/07)) following data is being collected and processed:

  • contact information of the company and contact of the authorized person for data protection,
  • purposes, bases and types of processing of various types of personal data of Individuals, including profiling of personal data of Individuals,
  • transmission of data to third parties and third countries,
  • retention time of individual types of personal data,
  • the rights of individuals concerning the processing of personal data,
  • the right to complain about the processing of personal data.

Where appropriate, the provisions relating to Individuals shall also apply to questions of secrecy and confidentiality of communications of users who are legal persons.

2.) Controller and authorized person for data protection

The personal data controller is the company AETAS d.o.o., pharma solutions and ideas, Redelonghijeva ulica 28, 1000 Ljubljana.

If you have any questions regarding the use of this policy or in connection with the exercising of your rights under this policy, please contact us via email at info@aetas.si or in writing at AETAS d.o.o., pharma solutions and ideas, Redelonghijeva ulica 28, 1000 Ljubljana.

3.) The purpose of processing and basis of data processing

Contract processing:

The company processes personal data of individuals for:

  1. purposes of informing about new content on the website www.aetas.si (subscription to weekly newsletters),
  2. notification of the latest developments on social portals, YouTube channel, podcast, …,
  3. direct marketing purposes (live and online workshops, events, presentation of new products),
  4. segmentation purposes (personalized emails and ads on social media).

In the framework of exercising rights and fulfilling contractual obligations, the company processes personal data of Individuals for the following purposes:

  • Email address and name (for information purposes, sending email newsletters, advertising on Facebook, Instagram)
  • Telephone number (for information purposes in case of events, courses)
  • Home address (for fulfilling the duties under the sales contract – creating and sending invoices)
  • Information about the company (for fulfilling the obligations under the sales contract – creating and sending invoices)

Law-based processing:

The Company processes the personal data of Individuals for the purposes of concluding, implementing, monitoring, and terminating the subscription relationship.

The data considered is any data processed for the purpose of transmitting a communication over an electronic communications network or for advertising. These include, for example:

  • Name and surname of the client
  • E-mail
  • Phone Number
  • Home address
  • Company data (optional)

Other purposes of the processing, such as border crossing notifications in accordance with the rules on national roaming arrangements, may also derive from the legislation in force at any given time.

Processing on the grounds of legitimate interest:

The Company may also process data on the basis of a legitimate interest pursued by the Company or a third party, except where such interests are outweighed by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data relating to the child. When it comes to the continued use of data collected about an Individual, the company conducts an assessment in accordance with the General Data Protection Regulation. Such further use of data in a pseudonymous or aggregated form, for example, constitutes the lawful use of data for marketing and other business or technical analyses of the Company. The deletion of certain data may also be used as an additional measure in some forms of further analysis of processed data.

An Individual may object to the processing in accordance with point 6 / iv of the Policy.

Based on a legitimate interest, the company may contact Individuals for the purpose of improving services for the purpose of determining their satisfaction with the services or user experience, even in cases where this is not absolutely necessary for the performance of the contract. Due to the weighing of this interest with the interests of the Individual, the Company does not contact those Individuals who objected to this.

The Company keeps aggregated data on turnover, including data on roaming, for the purposes of determining the predominant domestic use or the predominant domestic presence of the Individual in Slovenia, for a period of six months.

In accordance with the legitimate interest, the Company may process personal data to the extent strictly necessary and proportionate to ensure the continuity of operation, network and information security, and the ability of the network or information system to prevent accidental events or illegal or malicious acts that jeopardize the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data and the security of related services offered or accessed through networks and systems. This includes, for example, the prevention of unauthorized access to electronic communications networks, the spread of malicious code, denial-of-service attacks, and damage to computer and electronic communications systems. This may include the processing of network diagnostic data (technical data or readings from equipment) and history data in diagnostic tools that could allow the re-identification of the individual.

The company has a legitimate interest in anonymizing or aggregating the data until the expiry of the legal retention period and further using it for analysis and research for the purposes of marketing, network planning, and the like.

Other legitimate interests may include the prevention of abuse, the enforcement of claims, or the defense against claims in administrative and judicial proceedings. The legitimate interest also includes the legal verification of the solvency of Individuals.

In the event of suspected abuse, the Company may process data on Individuals to an appropriate and proportionate extent for the purpose of identifying and preventing possible fraud or abuse, and may, if appropriate, pass this information on to certain other persons, e.g. business partners, the police, the public prosecutor’s office or other competent authorities for the purpose of preventing future abuses or fraud.

The Company reserves the right to process data on the fulfillment of contractual obligations of Individuals (data on bill payments) in order to ensure a higher quality of its services.

Processing based on the individual’s consent:

Data processing may be based on the consent given by the individual to the company. Consent may, for example, relate to the communication of the offer and services, the preparation of an offer tailored to the individual’s user habits, or the provision of value-added services. The notification is carried out through the channels selected by the Individual in the consent. Notification using an email address involves forwarding the email address to an external processor in order to display the company’s advertising messages while browsing the web.

The Individual, that is, the data subject, may at any time withdraw or change his or her consent in the same way as the consent was given or in another way defined by the Company, while the Company reserves the right to identify the Customer. Withdrawal or change of consent refers only to data processed on the basis of consent. The last given consent of the Individual received by the company is valid. The possibility of revoking the consent does not constitute a right of withdrawal in the business relationship of the Individual with the company.

Consent may be given by one of the parents, guardian, or custodian of a minor child who, in accordance with the applicable legislation, cannot give consent himself. Such consent will be valid until one of the parents, guardian or custodian or the child himself, when he acquires, revokes or changes this right in accordance with the applicable legislation.

4.) Transmission of data to third parties and transmission of data to third countries (countries not members of the European Union or the European Economic Area)

If this is in accordance with the purpose for which personal data is processed under EU law and Slovenian regulations, the company may provide personal data on Individuals to:

(i) persons who perform individual processing tasks for the undertaking, such as the preparation and transmission of invoices or data analytics, the maintenance and development of services, where those tasks involve the processing of personal data to the extent necessary;
(ii) persons providing sales and marketing services for the undertaking, including sales and marketing in the field, or cooperating with the undertaking in the marketing and sale of its services or the services of third parties, to the extent necessary for such purposes and under the bases set out in this Policy.

If the company is connected or taken over by another company, personal data is transferred to the transferee in accordance with the law. By using our services, you consent to the further processing of your personal data by the acquirer.

5.) Storing personal data

Billing data and related contact data on Individuals may be kept for the purpose of fulfilling contractual obligations until the full payment of the service or until the expiration of the statute of limitations in relation to an individual claim, which may amount to one to five years. The invoices shall be kept for 10 years after the end of the year to which the invoice relates in accordance with the law governing value-added tax.

If traffic data are processed with the consent of the Individual for the purpose of marketing services, selling goods, or providing value-added services, such data may be processed to the extent necessary for such marketing or services.

6.) Rights of the individual regarding data processing

The Company ensures that Individuals exercise their rights without undue delay and in any case within one month of receiving the request. The company may extend the deadline for exercising the rights of the Individual by a maximum of two additional months, taking into account the complexity and number of requirements. If the company extends the deadline, it shall notify the Individual of any such extension within one month of receiving the request, together with the reasons for the delay.

The company accepts requests regarding the rights of the Individual by e-mail to info@aetas.si or by regular post to AETAS d.o.o., pharma solutions and ideas, Redelonghijeva ulica 28, 1000 Ljubljana.

Where the data subject submits the request by electronic means, the information shall, where possible, be provided by electronic means, unless the data subject requests otherwise.

Where there is reasonable doubt as to the identity of an Individual making a request in respect of any of his rights, the company may request the provision of additional information necessary to confirm the identity of the data subject.

If the data subject’s requests are manifestly unfounded or excessive, in particular, because they are repetitive, the company may:

  • charge a reasonable fee, taking into account the administrative costs of providing the information or communication or implementing the required action, or
  • refuse to act on the request.

As an individual, you have the following rights regarding fair and transparent processing, based on regulation:

(i) The right to withdraw consent
(ii) The right to access personal data
(iii) The right to rectify personal data
(iv) The right to deletion of personal data (“the right to be forgotten”)
(v) The right to restriction of processing
(vi) The right to data portability
(vii) The right to object to data processing
(viii) The right to lodge a complaint with a supervisory authority

(ii) The right to access personal data

As an individual, you have the right to obtain confirmation from the provider (the processor of personal data) as to whether or not your personal data are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing, the categories of personal data concerned, its users, the period for which the personal data will be stored, or the criteria used to determine that period, the right to request rectification or erasure of personal data or restriction of or objection to the processing of personal data, the right to lodge a complaint with a supervisory authority, the source of the data if the data were not collected from you, the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you, in accordance with Article 15 of GDPR.

(iii) The right to rectify personal data

As an individual, you have the right to obtain from the provider without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

(iv) The right to deletion of personal data (“the right to be forgotten”)

You have the right to obtain from the provider without undue delay the deletion of your personal data when one of the reasons below exists:

  • the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed,
  • you have withdrawn your consent, and there is no legal basis for further processing,
  • you have objected to the processing of your personal data, and there are no overriding legitimate grounds for the processing,
  • your personal data have been unlawfully processed,
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the provider is subject,
  • the personal data has been collected in relation to the offer of an information society.

As an individual under certain circumstances, as defined in Article 17, paragraph 3, you do not have the right to data deletion.

(v) The right to restriction of processing

As an individual, you have the right to obtain from the provider restriction of processing where one of the following applies:

  • you contest the accuracy of the personal data for a period enabling the provider to verify the accuracy of the personal data,
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead,
  • the provider no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims,
  • you have objected to processing pending the verification whether the legitimate grounds of the provider override yours.

(vi) The right to data portability

You have the right to receive the personal data concerning you, which you have provided to the provider, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the provider to which the personal data have been provided, where:

  • the processing is based on consent or a contract, and
  • the processing is carried out by automated means.

In exercising your right to data portability, you have the right to have your personal data transmitted directly from one controller (provider) to another, where technically feasible.

(vii) The right to object to data processing

As an individual, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the provider (Article 6 (1), point (e) of GDPR), or that is necessary for the purposes of the legitimate interests pursued by the provider or by a third party (Article 6 (1) point (f) of GDPR), including profiling based on the data. The provider shall no longer process your personal data unless the provider demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise or defense of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing; where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Where data are processed for scientific or historical research purposes or statistical purposes, you have the right, on grounds relating to your particular situation, to object to the processing of your data, unless it is necessary for the performance of a task carried out in the public interest.

(viii) The right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of your personal data infringes data protection regulations.

Without prejudice to any other administrative or non-judicial remedy, you have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning you, as well as where the competent supervisory authority does not handle a complaint or does not inform you within three months on the progress or outcome of the complaint lodged. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

The individual may address all her or his requests regarding personal data in written form to the provider, by e-mail: info@aetas.si.

In order to ensure reliable identification in case of a user exercising his or her rights regarding personal data, the provider may request additional data from the user and shall not refuse to act on the request of the individual, unless the provider demonstrates that it is not in a position to identify the user.

The provider must, upon the user’s request to exercise his or her rights with regard to data processing, provide information without undue delay and in any event within one month of receipt of the request.

Notifying the supervisory authority of personal data breach

In the case of a personal data breach, the provider is obligated to notify the supervisory authority without undue delay, unless the provider is able to demonstrate that the data breach is unlikely to result in a risk to the rights and freedoms of individuals. When there is a suspicion of a criminal offense, the provider is obligated to notify the police and/or prosecutor.

In the case of a breach that is likely to result in a high risk to the rights and freedoms of natural persons, the provider is obligated to notify the individual immediately or, if that is not possible, without undue delay. The notification should be in clear and comprehensible language.

7.) Validity of the policy

This Policy is published on the website www.aetas.si and enters into force on June 13, 2020.