On the basis of the decision of the manager of FIŠ doo and on the basis of Articles 24 and 25 of the Personal Data Protection Act (Uradni list RS, 86/04, 113/05 and 67/07) and the applicable provisions of the General Regulation on personal data protection, the following is issued and published:
THE RULES
on securing personal data
I. GENERAL PROVISIONS
Article 1
These rules define the organizational, technical and logical-technical procedures and measures for the security of personal data at FIŠ doo, with the aim of preventing unauthorized destruction of data, its alteration or loss, as well as unauthorized access to, processing, use or disclosure of personal data.
Employees and external associates who process and use personal data in their work must be familiar with the Personal Data Protection Act, with the sector-specific legislation governing their individual area of work, and with the content of these rules.
Article 2
Terms used in these rules have the following meanings:
1. ZVOP-1 – Personal Data Protection Act (Official Gazette of the Republic of Slovenia, no. 86/04, 113/05 and 67/07);
2. Personal data – any data relating to an individual, regardless of the form in which it is expressed;
3. Individual – an identified or identifiable natural person to whom personal data relates; a natural person is identifiable if he or she can be directly or indirectly identified, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, provided the method of identification does not cause large costs or require a lot of time;
4. Collection of personal data – any structured set of data containing at least one item of personal data that is accessible on the basis of criteria allowing the use or aggregation of the data, regardless of whether the set is centralized, decentralized or dispersed on a functional or geographical basis; a structured data set is a set of data organized in such a way that it determines or enables the identification of an individual;
5. Processing of personal data – any operation or set of operations performed on personal data that is processed automatically, or that forms part of a manual collection of personal data or is intended to be included in such a collection, in particular collection, retrieval, entry, editing, storage, adaptation or alteration, viewing, use, disclosure by transmission, communication, dissemination or otherwise making available, classification or linking, blocking, anonymization, deletion or destruction; processing may be manual or automated (by different means of processing);
6. Controller of personal data – a natural or legal person or other public- or private-sector entity that alone or jointly with others determines the purposes and means of processing personal data;
7. Sensitive personal data – data on racial, national or ethnic origin, political, religious or philosophical beliefs, trade union membership, health status, sexual life, entry in or deletion from the criminal record or misdemeanor record, and biometric characteristics of an individual;
8. User of personal data – a natural or legal person or other public- or private-sector entity to which personal data is provided or disclosed;
9. Data carrier – all types of media on which data is recorded or stored (documents, records, materials, files, computer equipment including magnetic, optical or other computer media, photocopies, audio and visual material, microfilm, data transfer devices, etc.).
Article 3
A description of the collections of personal data for which the company FIŠ doo is the controller is kept in the catalog of personal data collections (description of personal data collections), which is managed in accordance with Article 26 of ZVOP-1. The catalog of personal data collections is attached to these rules.
Employees who process personal data may consult the catalog of personal data collections, and access to the catalog must also be made available to anyone who requires it (the inspection authority, other employees on account of ongoing business or the performance of a contract, etc.).
The employees of FIŠ doo were informed verbally about the catalog of personal data collections by the company director.
The company FIŠ doo maintains an up-to-date list from which it is clear, for each collection of personal data, which person is responsible for the collection and which persons may, due to the nature of their work, process personal data in that collection.
The list contains the following information: the name of the personal data collection, the personal name and position of the person responsible for the collection, and the personal names and positions of the persons who may, due to the nature of their work, process personal data in that collection.
II. SECURITY OF PREMISES AND COMPUTER EQUIPMENT
Article 4
Premises where personal data carriers, hardware and software are located (secured premises) must be protected by organizational, physical and/or technical measures that prevent unauthorized persons from accessing the data.
Access is possible only during regular working hours; outside these hours it is possible only with the permission of the company manager. Persons responsible for sales and administration and the company's procurators have verbal permission from the director of FIŠ doo to access, outside working hours, the secured premises and the computer databases where collections of personal data are kept.
Keys are not left in the lock on the outside of the door.
Secured premises must not be left unattended, and must be locked when the workers who supervise them are absent.
Outside working hours, computers and other hardware must be switched off and physically or software-locked, unless they are being used by persons who may access the secured premises and the computer databases where collections of personal data are kept outside working hours.
Employees must not leave personal data carriers on desks in the presence of persons who do not have the right of access to them.
Sensitive personal data must not be stored outside of secure areas.
Article 5
In premises intended for dealing with customers, data carriers and computer displays must be installed so that customers cannot see them.
Article 6
Maintenance and repair of computer hardware and other equipment is permitted only with the knowledge of the authorized person, and may be carried out only by authorized services and maintenance personnel to whom an order (e-mail) for the performance of the work is sent.
Article 7
Maintainers of premises, hardware and software, visitors and business partners may move about secured premises only with the knowledge and in the presence of an authorized person. Employees such as cleaners, security guards, etc. may, outside working hours, move only in those secured premises where access to personal data is disabled (data carriers are stored in locked cabinets and desks, and computers and other hardware are switched off or otherwise physically or software-locked).
III. PROTECTION OF SYSTEM AND APPLICATION SOFTWARE, COMPUTER EQUIPMENT AND DATA PROCESSED WITH COMPUTER EQUIPMENT
Article 8
Access to the software must be protected so as to allow access only to employees designated in advance for this purpose, or to legal or natural persons who provide the agreed services on the basis of an order sent by electronic message.
Article 9
Repairing, changing and supplementing system and application software is permitted only with the approval of the authorized person, and may be carried out only by authorized services and organizations and by individuals who have a confirmed order (via e-mail).
Article 10
The contents of the disks of the network server and of the local workstations on which personal data is located are continuously checked for the presence of computer viruses. When a computer virus appears, it is removed as soon as possible with the help of the appropriate professional service, and at the same time the cause of the virus's appearance in the computer information system is determined.
All personal data and software intended for use in the computer information system that arrive at the company on other computer data transfer media or through telecommunication channels must be checked for computer viruses before use.
Article 11
Employees may not remove software from the company's headquarters without the permission of the director of the company FIŠ doo.
Article 12
Access to data via the application software is protected by a system of passwords for the authorization and identification of program users.
The authorized person determines the regime for assigning, storing and changing passwords.
Article 13
All passwords and procedures used to enter and administer the PC network (control passwords), to administer e-mail and to administer application programs are kept in sealed envelopes and protected against access by unauthorized persons. They are used only in extraordinary circumstances or in emergencies. Every use of the contents of a sealed envelope is documented. After each such use, a new password is set.
Article 14
For the purpose of restoring the computer system in the event of breakdowns and other exceptional situations, regular copies of the contents of the network server and of local workstations, where data is located there, are made.
These copies are kept in designated places, which must be fireproof, secured against floods and electromagnetic disturbances, within the prescribed climatic conditions, and locked.
IV. SERVICES PROVIDED BY EXTERNAL LEGAL OR NATURAL PERSONS
Article 15
With any external legal or natural person who performs individual tasks related to the collection, processing, storage or forwarding of personal data and is registered to perform such activity (contractual processor), a written contract is concluded as provided for in the second paragraph of Article 11 of ZVOP-1. Such a contract must also prescribe the conditions and measures for ensuring the protection and security of personal data.
External legal or natural persons may provide personal data processing services only within the framework of the client's authorizations, and may not process or otherwise use the data for any other purpose.
An authorized legal or natural person who provides the agreed services for the company outside the controller's premises must have a method of protecting personal data at least as strict as that envisaged by these rules.
V. ACCEPTANCE AND TRANSFER OF PERSONAL DATA
Article 16
The employee in charge of receiving and recording mail must hand over mail containing personal data directly to the individual to whom the item is addressed, unless authorized by the recipient of that postal item to open the item containing his or her personal data.
The worker in charge of receiving and recording mail opens and inspects all mail items and shipments that arrive at the company's office in other ways (brought by customers or couriers), except for the shipments referred to in the third and fourth paragraphs of this article.
The employee in charge of receiving and recording mail does not open shipments that are addressed to another authority or organization and were delivered by mistake, or shipments marked as containing personal data or which, from the markings on the envelope, evidently refer to another person, unless he or she has the permission of the recipient of the item to open the item containing his or her personal data.
The employee in charge of receiving and recording mail may not open shipments addressed to workers on which the envelope states that they are to be delivered personally to the addressee, or shipments on which the worker's personal name is stated first, without his or her official position, and only then the registered office of the company, unless he or she has the permission of the recipient of the item to open the item containing his or her personal data.
Article 17
Personal data may be transferred by information, telecommunication and other means only when procedures and measures are implemented that prevent unauthorized persons from misappropriating or destroying the data and from gaining unauthorized access to its content.
Sensitive personal data is sent to addressees in sealed envelopes against signature in the delivery book or by registered mail.
Personal data is sent by registered mail.
The envelope in which personal data is transmitted must be made so that it does not allow the contents to be visible in normal light or when the envelope is illuminated with normal light. The envelope must also ensure that it cannot be opened and its contents read without leaving visible traces of opening.
Article 18
The processing of sensitive personal data must be specially marked and secured. The company does not, however, currently hold sensitive personal data.
To the extent that the data referred to in the previous paragraph arises in the company's operations, it may be transmitted via telecommunication networks only if specially secured with cryptographic methods and an electronic signature, so that the data is guaranteed to be illegible during transfer.
Article 19
Personal data is provided only to users who demonstrate a legal basis for it or present a written request or consent of the individual to whom the data relates.
For each transfer of personal data, the user must submit a written application that clearly states the provision of the law authorizing the user to obtain personal data, or the application must be accompanied by the written request or consent of the individual to whom the data relates.
Every transmission of personal data is recorded in the record of transmissions, from which it must be clear which personal data was provided, to whom, when and on what basis (Article 22 of ZVOP-1).
Original documents are never provided, except on the basis of a written court order. While an original document is absent, it must be replaced by a copy.
VI. DELETION OF DATA
Article 20
After the storage period has expired, personal data is archived, unless otherwise specified by law or another act.
The time limits after which personal data is deleted from the database are set out in point 6 of the catalog of personal data collections.
Article 21
Data is deleted from computer media using a deletion method that makes it impossible to restore all or part of the deleted data.
Data on conventional media (documents, files, registers, lists, etc.) is destroyed in a way that makes it impossible to read all or part of the destroyed data.
Auxiliary material (e.g. matrices, calculations and charts, sketches, experimental or unsuccessful printouts, etc.).
It is forbidden to throw waste data carriers containing personal data into rubbish bins.
When transporting personal data carriers to the place of destruction, adequate security must also be ensured during transport.
VII. ACTION IN THE CASE OF SUSPECTED UNAUTHORIZED ACCESS
Article 22
Employees must immediately notify an authorized person or the manager of any activity involving the unauthorized destruction of confidential data, or its malicious or unauthorized use, appropriation, modification or damage, and must themselves try to prevent such activity.
VIII. RESPONSIBILITY FOR THE IMPLEMENTATION OF SECURITY MEASURES AND PROCEDURES
Article 23
Managers and authorized persons appointed by the manager.
Supervision over the implementation of the procedures and measures specified in these rules is carried out on a case-by-case basis by the company's sales manager.
Article 24
Everyone who processes personal data is obliged to implement the prescribed procedures and measures for data security and to protect the data they learned of or became aware of while performing their work. The obligation to protect data does not end with the termination of the employment relationship.
Before starting work at a workplace where personal data is processed, the employee must sign a special declaration obliging him or her to protect personal data (annex to the employment contract).
It must be clear from the signed declaration that the signatory is familiar with the provisions of these rules and of ZVOP-1, and the declaration must also contain a notice of the consequences of violation.
Article 25
Employees are subject to disciplinary liability for violation of the provisions of the previous article; others are liable on the basis of their contractual obligations.
IX. FINAL PROVISIONS
Article 26
These rules were adopted on 05/05/2018 and come into force on 05/15/2018.
Šentrupert, 05/05/2018 FIŠ doo
dir. Boris Fišer
Attachment:
– Catalog of the collection of personal data
PERSONAL DATA COLLECTION CATALOG – 1
1. TITLE OF THE COLLECTION
Records of customers who have concluded business with the company.
Records of potential customers who have themselves shown interest in the supply of goods or the provision of services.
List of collections:
o Collection of existing and potential customers KAMIONI ARABIA; Responsible person: Tadej Fišer – sales manager; Access: Luka Deberšek – business process analyst and work organizer, Žiga Kerin – seller, Tatjana Novak – secretary, Andrej Fišer – procurator, Boris Fišer – director.
o Collection of existing and potential customers EURO5 TRUCKS; Responsible person: Tadej Fišer – sales manager; Access: Luka Deberšek – business process analyst and work organizer, Žiga Kerin – seller, Tatjana Novak – secretary, Andrej Fišer – procurator, Boris Fišer – director.
o Collection of existing and potential customers RO/SK/BG TRUCKS; Responsible person: Tadej Fišer – sales manager; Access: Luka Deberšek – business process analyst and work organizer, Žiga Kerin – seller, Tatjana Novak – secretary, Andrej Fišer – procurator, Boris Fišer – director.
o Collection of existing and potential customers TRUCKS; Responsible person: Tadej Fišer – sales manager; Access: Luka Deberšek – business process analyst and work organizer, Žiga Kerin – seller, Tatjana Novak – secretary, Andrej Fišer – procurator, Boris Fišer – director.
o Collection of existing and potential customers PARTNERS TRUCKS; Responsible person: Tadej Fišer – sales manager; Access: Luka Deberšek – business process analyst and work organizer, Žiga Kerin – seller, Tatjana Novak – secretary, Andrej Fišer – procurator, Boris Fišer – director.
o Collection of existing and potential customers EKOKAMINI; Responsible person: Luka Deberšek – business process analyst and work organizer; Access: Tadej Fišer – sales manager, Žiga Kerin – seller, Tatjana Novak – secretary, Andrej Fišer – procurator, Boris Fišer – director.
o Collection of existing and potential customers MACHINE RENTAL; Responsible person: Žiga Kerin – seller; Access: Tadej Fišer – sales manager, Luka Deberšek – business process analyst and work organizer, Tatjana Novak – secretary, Andrej Fišer – procurator, Boris Fišer – director.
o Collection of existing and potential customers KRUHOREZNICA; Responsible person: Tatjana Novak – secretary; Access: Tadej Fišer – sales manager, Luka Deberšek – business process analyst and work organizer, Žiga Kerin – seller, Andrej Fišer – procurator, Boris Fišer – director.
o Collection of existing and potential clients RENT OF BUSINESS PREMISES; Responsible person: Luka Deberšek – business process analyst and work organizer; Access: Tadej Fišer – sales manager, Žiga Kerin – seller, Tatjana Novak – secretary, Andrej Fišer – procurator, Boris Fišer – director.
o Collection of existing and potential customers DEMAND ECOKAMINI; Responsible person: Luka Deberšek – business process analyst and work organizer; Access: Tadej Fišer – sales manager, Žiga Kerin – seller, Tatjana Novak – secretary, Andrej Fišer – procurator, Boris Fišer – director.
o Collection of existing and potential customers CONTACTS; Responsible person: Luka Deberšek – business process analyst and work organizer; Access: Tadej Fišer – sales manager, Žiga Kerin – seller, Tatjana Novak – secretary, Andrej Fišer – procurator, Boris Fišer – director.
o Collection of existing and potential clients EMPLOYMENT CANDIDATES; Responsible person: Tatjana Novak – secretary; Access: Tadej Fišer – sales manager, Luka Deberšek – business process analyst and work organizer, Žiga Kerin – seller, Andrej Fišer – procurator, Boris Fišer – director.
2. LEGAL BASIS
For concluding contracts – the law or the personal consent of the party who is a natural person.
3. CATEGORIES OF INDIVIDUALS TO WHICH THE PERSONAL DATA IN THE COLLECTION REFER
Persons who have shown an interest in the supply of goods or services.
4. TYPES OF PERSONAL DATA
First and last name, address, telephone, e-mail.
5. PURPOSE OF PROCESSING
To carry out the economic activity of trade, rental of property.
6. STORAGE PERIOD
Until revocation by the person to whom the personal data relates, or for as long as necessary to achieve the purpose for which the personal data was collected. After the purpose has been fulfilled, personal data is deleted or destroyed, taking into account tax regulations on the obligation to archive transactions concluded with customers.
7. USERS OR CATEGORIES OF USERS OF PERSONAL DATA
Employees of the company in the field of sales, the company secretariat, and other persons who have the manager's authorization to conclude deals.
8. GENERAL DESCRIPTION OF SECURITY OF PERSONAL DATA COLLECTIONS
Personal data is stored, processed and protected in accordance with the Rules on securing personal data dated 5/5/2018. Personal data in written form is kept in the file or records relating to concluded transactions. Personal data in the computer system is stored on individual units, which are accessed with personal passwords.
Šentrupert, 5/5/2018 FIŠ doo
dir. Boris Fišer