HomepagePrivacy Policy

Privacy policy

The purpose of the privacy policy is to inform users of our services, employees, and other natural persons (hereinafter: “individual”) who work with CRMT d.o.o. (hereinafter: “organization”) on the purposes, legal bases, security measures and rights of individuals regarding the processing of personal data carried out by our company.

We value your privacy, so we always protect your data carefully.

We process personal data in accordance with European legislation (Regulation (EU) 2016/679 of the European Parliament on the protection of natural persons with regard to the processing of personal data and on and on the free movement of such data (hereinafter: “General Regulation”)), current Slovenian legislation in the field of individual data protection and other legislation, which gives us the legal basis for processing personal data.

The personal data protection policy contains information on how our company, as an administrator, processes personal data received from individuals based on legal grounds.

1. Administrator:

The administrator of personal data is the company:

Name: CRMT d.o.o.
Adress: Ukmarjeva ulica 2, 1000 Ljubljana
https://www.crmt.com/
E-mail: dpo@crmt.com
Phone: +386 (0) 5 994 3 700

2. Authorized person

In accordance with Article 37 of the General Regulation, we have not appointed an authorized person, but if you have any questions regarding the processing of your personal data, you can always contact us at dpo@crmt.com.

3. Personal data

Personal data means any information relating to a specific or identifiable individual; an identifiable individual is one who can be identified directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, online identifier, or by reference to one or more factors that characterize the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

4) Purposes of processing and basis for data processing

The company collects and processes your personal data on the following legal bases:

  • processing is necessary to fulfill a legal obligation applicable to the controller;
  • the processing is necessary for the performance of a contract to which the individual to whom personal data relates is a contracting party, or for the implementation of measures at the request of such an individual prior to the conclusion of the contract;
  • processing is necessary due to the legitimate interests pursued by the controller or a third party;
  • the individual to whom the personal data relates has consented to the processing of his personal data for one or more specified purposes;
  • processing is necessary to protect the vital interests of the data subject or other natural persons.

4.1) Fulfillment of legal obligations

Based on the provisions of the law, the company processes data about its employees, which is allowed by labor law and social welfare legislation. Based on the legal obligation, the company mainly processes the following types of personal data for employment purposes: first and last name, gender, date of birth, ID number, tax number, city, municipality and country of birth, citizenship, residence, etc.

4.2) Execution of contracts

In the event that an individual enters into a contract with the company, this constitutes the legal basis for the processing of personal data. Personal data may be processed for the purpose of concluding and implementing a contract, such as e.g. sale of goods and services, membership in benefit clubs, participation in events, trainings, promotions, etc. If the individual does not provide personal data, the company cannot conclude a contract, nor can the company perform the service or deliver the goods in accordance with the concluded contract. Based on the performance of a legal activity, the company can inform individuals and users of its services to their email address about its services, events, trainings, offers and other content. The individual can at any time request the termination of this type of communication and processing of personal data and cancel receiving messages via the unsubscribe link in the received message, or as a request by e-mail to dpo@crmt.com or by regular mail to the company’s address.

4.3) Legitimate interest

The company may also process personal data on the basis of the legitimate interest it pursues. The latter is not permissible when such interests prevail over the interests or fundamental rights and freedoms of the individual to whom the personal data relate, which require the protection of personal data. In case of use of legitimate interest, the company always conducts an assessment in accordance with the General Regulation. The processing of personal data of individuals for the purposes of direct marketing is considered to be carried out in legitimate interest. The company may process the personal data of individuals that it has collected from publicly available sources or within the framework of the legal performance of activities, also for the purposes of offering goods, services, employment, informing about benefits, events, etc. To achieve these purposes, the company may use regular mail, telephone calls, e-mail and other means of telecommunications. For the purposes of direct marketing, the company may process the following personal data of individuals: first and last name of the individual, address of permanent or temporary residence, telephone number and e-mail address. For the purposes of direct marketing, the company may process the specified personal data even without the express consent of the individual. The individual can at any time request the termination of this type of communication and processing of personal data and cancel receiving messages via the unsubscribe link in the received message, or as a request by e-mail to dpo@crmt.com or by regular mail to the company’s address.

4.4) Processing on consent

Insofar as the company does not have a legal basis demonstrated on the basis of law, contractual obligation, or legitimate interest, it may ask the individual for consent or consensus. Thus, it can process certain personal data of an individual also for the following purposes, when the individual gives this consent:

residential address and email address for notification and communication purposes;
photos, video recordings, and other content relating to individuals (e.g. publication of images of individuals on the company’s website) for the purposes of documenting activities and informing the public about the company’s work and events;
other purposes for which the individual agrees with consent.

If an individual gives his consent to the processing of personal data and at some point no longer wishes to do so, he can request the termination of the processing of personal data by sending a request by e-mail to dpo@crmt.com or by regular mail to the company’s address. Revocation of consent does not affect the lawfulness of processing based on consent prior to its revocation.

4.5) Processing is necessary to protect the vital interests of the individual

Processing is necessary to protect the vital interests of the individual

The company can process the personal data of the individual to whom the personal data relates, insofar as this is necessary to protect their vital interests. In urgent cases, the company can search for an individual’s personal documents, check whether the individual exists in its database, examine their medical history, or establish contact with their relatives, without the individual’s consent. The above applies when it is necessary to protect the individual’s vital interests.

4.6) Partner events, co-organised events and sharing of attendee data with event partners

From time to time, CRMT may organise events, webinars, training sessions or similar activities together with business partners (e.g., co-organisers, sponsors, speakers, technology vendors) (collectively: “Event Partners”). In such cases, CRMT may share specific personal data related to event registration and attendance with the relevant Event Partners, strictly to the extent necessary for the purposes described below.

(a) Categories of personal data
Depending on the event and your interaction with us, we may share the following categories of data: name and surname, company name, job title, business email address, business phone number, country, registration status, attendance status, event preferences relevant for logistics (e.g. session selection, dietary requirements if provided), and related communication history regarding the event (confirmation, reminders, materials).

(b) Purposes of sharing
CRMT may share the above data with Event Partners for the following purposes:

  • enabling event delivery and administration (e.g. registration management, attendee lists for check-in, issuance of badges/certificates, providing access to event materials);
  • ensuring event logistics and support (e.g. room capacity planning, catering, technical support);
  • post-event communication strictly related to the event (e.g. sending materials, follow-up regarding questions raised at the event);
  • reporting and improvement of events (e.g. aggregated statistics and feedback analysis).

(c) Legal bases
CRMT will share personal data with Event Partners only when there is a lawful basis under the General Regulation (GDPR):

  • Performance of a contract/steps prior to entering into a contract (Article 6(1)(b) GDPR): where the processing is necessary to register you for an event you requested and to provide access to the event.
  • Legitimate interests (Article 6(1)(f) GDPR): where the sharing is necessary to organise and deliver a jointly organised event, ensure its security, prevent abuse, and keep internal records, provided that your interests or fundamental rights and freedoms do not override such interests.
  • Consent (Article 6(1)(a) GDPR): where Event Partners wish to use your contact details for their own direct marketing purposes (e.g. contacting you about their products/services after the event). In such cases, your data will be shared only if you have provided explicit opt-in consent (e.g., via an unticked checkbox at registration). You may withdraw such consent at any time, without affecting the lawfulness of processing before withdrawal.

(d) Roles of the parties (controllers / joint controllers)
Depending on the specific event setup and delivery model, CRMT and Event Partners may act as independent controllers or, where they jointly determine the purposes and means of processing related to the event, as joint controllers in accordance with Article 26 of the GDPR. In such cases, CRMT will ensure that an appropriate arrangement is in place and that its essence is made available to data subjects upon request.

(e) Transparency
Where practicable, CRMT will identify the relevant Event Partners at or before registration (e.g. on the event landing page and/or registration form) and provide links to their privacy notices.

5. Storage and deletion of personal data

The company will retain personal data only for as long as necessary to fulfil the purpose for which it was collected and processed. If the company processes data in accordance with the law, it will retain it for the period prescribed by law. Here, some data is kept for the duration of cooperation with the company, while some data must be kept permanently. Personal data that the company processes in the context of a contractual relationship with an individual is retained by the company for the period necessary to execute the contract and for an additional 6 years after its termination, except in cases where a dispute arises between the individual and the company regarding the agreement. In such a case, the company keeps the data for 10 years after the finality of a court decision, arbitration, or court settlement, or, if there was no court dispute, for 5 years from the date of the peaceful resolution of the conflict. The personal data that the company processes with the individual’s consent or based on legitimate interest will be retained by the company until the consent is revoked or the data is deleted. Upon receiving a cancellation or deletion request, the data will be deleted within 15 days at the latest. The company can delete this data even before cancellation, if the purpose of personal data processing has been achieved or if required by law.

Exceptionally, the company may refuse a request for deletion for reasons from the General Regulation, such as: exercise of the right to freedom of expression and information, fulfillment of the legal obligation of processing, reasons of public interest in the field of public health, purposes of archiving in the public interest, scientific or historical research purposes or statistical purposes, the exercise or defense of legal claims. After the retention period has expired, the company must effectively and permanently delete or anonymise personal data so that it can no longer be linked to a specific individual.

6. Contractual processing of personal data and data export

The company can entrust a contractual processor with the processing of personal data on the basis of a contractual processing agreement. Contractual processors may process confidential data exclusively on behalf of the controller, within the limits of their authority, as set out in a written contract or other legal act, and in accordance with the purposes defined in this privacy policy.

The contractual processors with whom the company cooperates are mainly:

  • accounting services and other providers of legal and business advice;
  • maintainers of information systems;
  • email service providers and software providers, cloud services;
  • providers of social networks and online advertising (e.g., Google, Facebook, LinkedIn).

For better inspection and control over contract processors and regulation of the mutual contractual relationship, the company also maintains a list of contract processors, including all specific contract processors with which the company cooperates.

Under no circumstances will the company disclose an individual’s personal data to unauthorised third parties. Contract processors may process personal data only within the framework of the company’s instructions and may not use it for any other purpose.

As a controller, the company and its employees do not export personal data to third countries (outside the member states of the European Economic Area – EU members and Iceland, Norway and Liechtenstein) and to international organizations, except in the USA, whereby relations with contractual processors from the USA are regulated based on standard contractual clauses (standard contracts adopted by the European Commission) and/or binding business rules (adopted by the company and approved by supervisory authorities in the EU).

Event Partners as recipients (independent controllers / joint controllers)
For partner events (as described in section 4.6), CRMT may disclose limited attendee data to Event Partners. In such cases, Event Partners typically act as independent controllers for their own processing activities, or as joint controllers with CRMT where applicable. CRMT will not permit Event Partners to use attendee data for their own direct marketing unless you have provided explicit consent for such sharing (see section 4.6(c)).

Data sharing safeguards
Where personal data is shared with Event Partners, CRMT will take reasonable contractual and organisational measures to ensure that the data is used only for the purposes communicated to you and in accordance with applicable law.

7. Cookies

Cookies saved by the browser can be deleted by the individual (instructions can be found on the websites of the individual browsers).

8. Data security and data accuracy

The company takes care of information security and infrastructure security (premises and application system software). Our information systems are protected by anti-virus programs and a firewall, among other things. We have implemented appropriate organisational and technical security measures to protect personal data against accidental or unlawful destruction, loss, modification, unauthorised disclosure, or access, as well as against other illegal or unauthorised processing. In the case of transmission of special types of personal data, they are encrypted and protected by a password.

The individual is responsible for securely providing their personal data and ensuring that the data they provide is accurate and authentic. The company will make every effort to ensure that the personal data it processes is accurate and, if necessary, updated, from time to time we may also contact the individual to confirm the accuracy of the personal data.

9. Individual rights regarding data processing

In accordance with the General Regulation, an individual has the following personal data protection rights:

  • He may request information about whether we have his personal data and, if so, what data we have, on what basis we have it and why we use it;
  • he can request access to his personal data, which allows him to receive a copy of the data held by the company and to check whether it is being processed legally;
  • may request corrections of personal data, such as correction of incomplete or inaccurate personal data;
  • may request the deletion of his personal data when there is no reason for further processing or when he exercises his right to object to further processing;
  • may object to the further processing of personal data where the company refers to a legitimate business interest (even in the case of a third party’s legitimate interest), when there are reasons related to the individual’s special situation; the individual has the right to object at any time if the company processes personal data for direct marketing purposes;
  • can request the restriction of the processing of his personal data, which means the interruption of the processing of personal data, for example, if the individual wants the company to establish the accuracy or to check the reasons for the further processing of personal data;
  • may request the transfer of their personal data in a structured electronic form to another controller, insofar as this is possible and feasible;
  • can revoke the consent or consent he gave to the collection, processing and transfer of his personal data for a specific purpose; upon receiving notice that he has withdrawn his consent, the Company will cease to process the personal data for the purposes for which it was initially accepted, unless the Company has no other lawful basis for doing so lawfully.

If an individual wishes to exercise any of the rights above, they can send a request by email to dpo@crmt.com or by regular mail to the company’s address. The company will respond to a request regarding an individual’s rights without undue delay and, in any case, within one month of receiving the request. If this deadline is extended (by a maximum of two additional months), taking into account the complexity and number of requests, you will be notified. Access to the individual’s personal data and the exercise of asserted rights are free for the individual. However, the company may charge a reasonable fee if the data subject’s request is manifestly unfounded or excessive, especially if it is repeated. In such a case, the company can also reject the request. When exercising rights under this title, the company may need to request certain information from the individual to confirm the individual’s identity, which is a security measure to ensure that personal data is not disclosed to unauthorised persons.

When exercising the rights under this title, or if an individual believes his rights have been violated, he can contact the supervisory authority, i.e., the Information Commissioner, via the website: https://www.ip-rs.si/.

If an individual has any questions regarding the processing of their personal data, they can always contact our company by email at dpo@crmt.com or by regular mail to the company address.

(a) Partner marketing opt out
If you have consented to receive direct marketing from an Event Partner, you can withdraw your consent at any time. You may do so via the unsubscribe mechanism provided in the partner’s messages and/or by contacting CRMT at dpo@crmt.com (where CRMT collected the consent during registration). Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

10. Announcement of changes

Any changes to our Privacy Policy will be posted on the company website: https://www.crmt.com/. By using the website, the individual confirms that he accepts and agrees with the entire content of this personal data protection policy.

The personal data protection policy was adopted by the company’s responsible person on 11.10.2022.