Privacy policy

At the Law Firm Križanec & Partners l.f. ltd., Dalmatinova ulica 2, 1000 Ljubljana, registration number: 6298206000 (hereinafter: the "controller"), we respect your privacy and strive to provide the highest level of protection for your personal data. We assure you that the personal data obtained through our website www.krizanecpartners.com (hereinafter: the "website") or in dealings with individuals through other telecommunications means, are collected, processed, protected, and stored in accordance with applicable European legislation (General Data Protection Regulation) and the legislation of the Republic of Slovenia (the current Personal Data Protection Act, Electronic Communications Act, and Electronic Business Conduct on the Market Act), as well as the provisions of this Privacy Policy (hereinafter: the "Privacy Policy").

The purpose of this Privacy Policy is, among other things, to inform individuals about (i) the purposes for which their personal data is obtained, (ii) the manner of its use, (iii) the rights of individuals related to the storage and processing of their personal data, and (iv) the methods for exercise of their rights.

We use collected personal data in accordance with this Privacy Policy and we ensure their appropriate confidentiality. Personal data of individuals are used exclusively for the purposes for which individuals provide them to us. Without the explicit permission of the individual, we do not disclose their personal data to unauthorized third parties.

We commit to doing everything in our power to protect the personal data of individuals from potential breaches and misuse.

1. Data controller information

The data controller for personal data is the Law Firm Križanec & Partners l.f. ltd., Dalmatinova ulica 2, 1000 Ljubljana, registration number: 6298206000, email address: info@krizanecpartners.com, phone number: +386 (0)59 097 400 or +386 59 097 410. The authorized person for data protection at the controller is Uroš Križanec. You can contact the controller and/or the authorized person for data protection using the above contacts.

Strict confidentiality applies to all content related to the protection of personal data of individuals.

2. Personal data collected and processed

Personal data is any information that identify a specific or identifiable individual. An individual is identifiable when he or she can be directly or indirectly identified, especially by specifying an identifier such as name, identification number, location data, online identifier, or by indicating one or more factors specific to the individual's physical, physiological, genetic, mental, economic, cultural, or social identity.

Depending on the circumstances of each case, the controller may collect and process the following personal data of individuals:

—contact and client data (name, address, email address, phone and mobile number, job title and position, employer's name, sector in which the client works, date, time, and content of postal or electronic communication);

—data about users of the controller's websites (IP address, dates, times, and duration of website visits, location data or internet access entry point, data about visited subpages, data about settings made, etc.);

—data of job applicants who submit their applications to controller’s contact information (e.g., data from a motivational letter and resume, including education, work experience, skills, etc.);

—data from entries in web forms (e.g., inquiries);

—other data provided voluntarily by individuals to the contact addresses published on the website www.krizanecpartners.com, which are processed for business or contractual purposes.

3. Legal basis and purpose of personal data processing

The controller does not collect or process personal data, except where individual gives his or her consent to do so. The controller also collects and processes personal data to the extent that the processing is necessary to comply with its legal obligations, in cases where the controller has a legitimate interest in processing the data (e.g. responding to enquiries) or where the processing of the personal data is the result of a business or contractual relationship with the individual as the holder of the personal data.

All personal data provided by the individual is treated confidentially and used only for the purposes for which it was provided and collected. By providing personal data, the individual consents to its processing and confirms the accuracy of all provided personal data.

The individual can revoke his or her consent for the processing of personal data at any time by sending a statement of withdrawal to the following email address: info@krizanecpartners.com. The withdrawal of consent by the individual shall not affect the provision of the services of the controller and the lawfulness of the processing based on the consent prior to its withdrawal.

4. Website visit and cookies

The website www.krizanecpartners.com uses "cookies" to facilitate the use of web pages. "Cookies" are small text files that the web browser saves to the visitor's computer. If the visitor reopens the corresponding page, cookies enable the recognition of the visitor's computer. During each visit to the website, by depositing a "cookie" in the visitor's computer's browser, certain data about visitor’s visit can be collected. This may include IP address, the name of the internet service provider, date and time of access to the website, pages visited by the visitor, the number of visits, and the internet address of the website from which the visitor came to our site, and similar information. The visitor cannot be uniquely identified solely using this data at the moment, considering the current state of technology. Before installing more invasive cookies, we always ask the visitor for renewed consent, while certain other data may be collected based on our legitimate interests. More information about the cookies used on the website can be found at the following link: https://www.krizanecpartners.com/si/piskotki.

5. Inquiries and Other Communication

When an individual submits an inquiry regarding legal services to the contact details (physical address, email addresses, phone numbers) published on the website, we process the personal data of that individual exclusively for the purposes of (i) preparing a response to the inquiry, (ii) providing necessary or missing information, or (iii) delivering services requested by the individual. We also process the personal data of the individual for the purposes of (iv) managing our business and (v) internal administration. For the described purposes, we only collect those personal data that the individual voluntarily provides. Based on our legitimate interest, we may also process the provided contact details for basic tailored electronic communication with the individual, with the aim of presenting our services or providing information that might be of interest to the individual based on their past interactions. We do not use any form of (automatic) profiling.

6. Job applications, responses to openings

If an individual spontaneously sends us a job application or responds to an opening using the contact information published on the website, the data provided by the individual (such as a motivational letter and resume, proof of meeting requirements) are entirely under the control of such individual.

We process the obtained personal data solely for the purpose of conducting selection procedures for potential candidates for job positions, contacting individuals regarding (non)selection, inviting to a potential interview, preparing a draft employment contract, and for the defence of our claims in case of disputes related to alleged discrimination in the conduct of the selection process.

7. Disclosure of personal data

Without the explicit consent of the individual, we do not disclose their personal data to third unauthorized parties, unless required otherwise by applicable law. At the request of law enforcement authorities, in the event of any abuse or violation, personal data, email addresses and IP addresses of website visitors may be provided to the police and other competent authorities for further action.

Specific tasks related to individuals' personal data are entrusted to our business partners (so-called data processors), who process the specified data exclusively on our behalf and within the scope of our authorization (provided in a written contract or another legal act), and in accordance with the purposes defined in this Privacy Policy. The mentioned partners carefully safeguard the disclosed personal data, do not store them unnecessarily, and do not use them for their own purposes. Processors are only entitled to use the disclosed data for the execution of their work.

The controller ensures that they collaborate only with those data processors who provide sufficient guarantees for the implementation of adequate technical and organizational measures to ensure compliance with all regulations governing the protection of personal data. Within the legal powers, individuals' personal data may be disclosed to the following data processors:

—IT service providers for software servicing and maintenance;

—website administrator and webmaster;

—accounting service;

—cloud computing service providers and providers of email services (e.g., Mailchimp and others);

—providers of document and data carrier destruction services.

Personal data of individuals are generally processed within the European Union. Despite this, data processors may be located in countries outside the European Union, including the USA, where the level of data protection may not be as comprehensive as in the European Union or in countries for which the European Commission has or has not made a decision confirming that these countries provide an adequate level of data protection (hereinafter: the "Third Countries"). In the case of data transfers to Third Countries, the Data Controller will ensure in advance that appropriate safeguards are put in place to protect the user's personal data and that transfers to Third Countries are carried out in full compliance with the General Data Protection Regulation or the legislation of the Republic of Slovenia.

8. Personal data storage limitation

The controller undertakes to store and use the collected personal data only for the time necessary to achieve the purpose for which the individual data was collected and subsequently used. After the expiration of the retention period, the personal data of individuals are effectively and permanently deleted or anonymized so that the identification of the individual is no longer possible.

Data processed based on the law are stored for the period prescribed by law. Data processed for the execution of a business or contractual relationship with an individual are kept for the time necessary to fulfil the contract and throughout the statutory limitation period for claims arising from such a concluded contract, except in the case of a dispute related to the contractual relationship.

If there is a different legal retention period for certain data processed for the realization of contracts (e.g., accounting or tax data), the retention period is extended to 10 years from the year of issuing the invoice. During this time, data processing is restricted.

Spontaneous job applications or applications for job openings are retained for two years. In the case of an invitation to an interview, they are retained for the entire duration of the selection process for employment and an additional 30 days after the individual receives notice of (non)selection or for the duration of any potential legal proceedings. If we assess that an individual's job application is interesting for another position and we wish to retain the application for a longer period, we inform the individual in advance and request their consent.

9. Data protection measures

We carefully safeguard the data provided by individuals through the website, telecommunication channels, or any other means, protecting it against loss, misuse, unauthorized access, disclosure, alteration, or destruction. Personal data is stored on secure computer devices and servers, with data being encrypted where possible.

We regularly review our information security procedures and processes, ensuring that our IT systems are secure and protected. Once the need to retain data ceases, i.e., after fulfilling the purpose for which the data was collected, the data is promptly, irrevocably, and permanently deleted.

The website may also contain links to external websites. The controller encourages you to review the privacy and security policies of such linked external websites, as their practices in personal data protection may differ from this Privacy Policy. The controller assumes no responsibility for the collection, processing, or disclosure of data on external websites that visitors may access through the controller's website. Users are advised to check the privacy policies of these external websites before providing their personal data.

10. Responsibilities of data subject

The individual retains control over the information provided to us. If an individual decides not to disclose certain data to us, they may be restricted from accessing certain areas or functions of our website. In such cases, we may also be unable to respond to inquiries or contact the individual for employment purposes.

11. Rights of the data subject

The controller consistently ensures the exercise of all rights individuals are entitled to in connection with the processing of their personal data, as per applicable legal regulations. The specific rights granted to an individual depend on the circumstances of the specific data processing, so it is not necessary that all the rights listed below apply to an individual in a particular case.

Right to access personal data

An individual can request at any time that the controller confirms whether data concerning him or her is being processed. Upon such a request, the controller allows the individual access to their personal data and provides the following information regarding the processing of their personal data:

—purpose of processing;

—types of relevant personal data;

—recipients or categories of recipients to whom the personal data has been or will be disclosed, especially recipients in third countries or international organizations;

—if possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;

—the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing concerning the individual;

—the right to lodge a complaint with a supervisory authority;

—where personal data is not collected from the data subject, all available information as to their source;

—the existence of automated decision-making, including profiling.

Upon meeting the conditions of the General Data Protection Regulation (GDPR), the controller will inform the individual whose personal data has been disclosed of any corrections or erasures of personal data or restrictions on processing.

Right to rectification

An individual can request at any time that the controller allows the correction of inaccurate personal data concerning them or the completion of incomplete personal data.

Right to erasure

In specific cases defined in Article 17 of the GDPR, an individual has the right to request that the controller allows the erasure of his or her personal data (the right to be forgotten).

Right to restriction of processing

An individual whose personal data is processed has the right to request that the controller restrict processing when one of the following applies:

—the accuracy of the personal data is contested by the individual for a period enabling the controller to verify the accuracy of the personal data;

—the processing is unlawful, and the individual opposes the erasure of the personal data and requests the restriction of their use instead;

—the controller no longer needs the personal data for the purposes of the processing, but the individual requires them for the establishment, exercise, or defence of legal claims;

—the individual has objected to processing pending the verification of whether the legitimate grounds of the controller override those of the individual.

Right to data portability

An individual can request at any time that the controller provides them with personal data concerning them in a structured, commonly used, and machine-readable format. The individual has the right to transmit those data to another controller without hindrance from the controller.

Right to object

An individual whose personal data is processed has the right to object, at any time, to the processing of personal data concerning them for reasons related to their particular situation, where the controller processes personal data:

—for the performance of a task carried out in the public interest;

—in the exercise of official authority vested in the controller;

—for purposes of the legitimate interests pursued by the controller.

The controller will cease processing these personal data unless the controller demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the individual or if the processing is necessary for the establishment, exercise, or defence of legal claims.

Right to withdraw consent

An individual whose personal data is processed has the right to withdraw their consent at any time in the manner specified in point 3 of this Privacy Policy. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Right to lodge a complaint with the supervisory authority

An individual has the right to lodge a complaint with the Information Commissioner of the Republic of Slovenia if he or she believe that their personal data is being processed in violation of the applicable regulations governing the protection of personal data. In case of violation of rights related to the processing of personal data, you can file a complaint with the Information Commissioner, Zaloška 59, 1000 Ljubljana, or at: gp.ip@ip-rs.si.

Individuals can submit requests regarding the exercise of the above-mentioned rights to the authorized person for the protection of personal data of the controller mentioned in point 1 of this Privacy Policy.

12. Additional information

For inquiries regarding the confidentiality of individuals' data, the methods of data collection and processing, or requests to exercise rights related to personal data, the responsible person at the controller will provide answers. They can be contacted at the phone numbers: +386 (0)59 097 400 or +386 (0)59 097 410, or via email at: info@krizanecpartners.com. We commit to responding to individuals' requests without undue delay, and at the latest within the legally prescribed deadlines.

13. Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy periodically as needed to reflect actual circumstances and legislation related to the protection of personal data. For this reason, we kindly ask individuals and website visitors to check the current version before providing any personal data.

In the event of significant changes that affect the processing of individuals' personal data, we will inform them in advance through an appropriate method (e.g., notice on the website or via email).

Last updated: February 2024