Privacy policy of MERCIS d.o.o.

The purpose of this Privacy Policy is to inform buyers of our products, potential new clients, suppliers, employees, job candidates and other persons (hereinafter individuals) who work with MERCIS d.o.o. about the purposes, legal bases, security measures and rights of individuals regarding the processing of personal data data provided by MERCIS d.o.o. (hereinafter the operator).

We process your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in the processing of personal data and on the free flow of such data and on the repeal of Directive 95/46/EC (hereinafter General regulation), the Personal Data Protection Act (Ur. l. RS, No. 163/22, hereinafter ZVOP-2) and other legislation that gives us the legal basis for processing personal data.

Data Protection Officer (DPO)

In accordance with Article 37 of the General Regulation, we have not appointed a Data Protection Officer (DPO). If you have any questions regarding the processing of your personal data, please write to us at the e-mail address: [email protected]

Methods of obtaining personal data

We obtain your personal data directly from you, namely by e-mail, over the phone or in person. We also obtain your personal data from your curriculum vitae (CV) and motivation letter as part of the employment process and when filling out our contact form.

This website also uses cookies. You can find out more about cookies here.

Purposes and legal bases for processing personal data

The company MERCIS d.o.o. collects and processes your personal data on the following legal bases:

1. The processing of personal data is necessary to fulfill the legal obligation that applies to us as the manager of personal data.

Based on legal provisions, the company MERCIS d.o.o. processes personal data about its employees and job candidates, which is allowed by labor law and social welfare legislation. Based on a legal obligation, the company mainly processes the following types of personal data for employment purposes: first and last name, gender, date of birth, EMŠO, tax number, city, municipality and country of birth, citizenship, residence, etc.

The company MERCIS d.o.o. for the purpose of monitoring monthly payments, it processes data on invoices issued, the amount of product payments and data on the payer (name and surname, TRR number). The Value Added Tax Act obliges us to do so.

2. The processing of personal data is necessary for the implementation of a contract to which the individual to whom the personal data relates is a contracting party, or for the implementation of measures at the request of such an individual prior to the conclusion of the contract.

In cases where an individual with MERCIS d.o.o. enters into a contract, this constitutes the legal basis for the processing of personal data. The company MERCIS d.o.o. may process personal data for the conclusion and implementation of the contract, such as e.g. selling goods, preparing offers, participating in various projects, etc. If the individual does not provide personal data, the company MERCIS d.o.o. cannot conclude a contract, nor can the company deliver products in accordance with the concluded contract, as it does not have the necessary information to execute the order. On this basis, the company processes only those personal data that are necessary for the conclusion and proper performance of contractual obligations.

3. The processing of personal data is necessary due to our legitimate interest.

The company MERCIS d.o.o. may also process personal data on the basis of the legitimate interest it pursues. In case of use of legitimate interest, the company shall carry out an assessment of compliance with the legislation.

4. The individual to whom the personal data relates has consented to the processing of his personal data for one or more specified purposes.

If the company MERCIS d.o.o. does not have a legal basis for the processing of personal data, demonstrated on the basis of the law, contractual obligation, legitimate interest or protection of the life of an individual, may ask the individual for consent to the processing of his personal data. When an individual consents to this, the company may also process certain of his personal data for the following purposes: residential address and email address for the purpose of information and communication, and photos, videos and other content for the purpose of documenting activities and informing the public about the company’s work and events.

If an individual gives his consent to the processing of his personal data and at some point no longer wishes to do so, he can send a request by email or regular mail to MERCIS d.o.o. requests the termination of the processing of his personal data. After receiving the cancellation or deletion request, his personal data will be deleted within fifteen days at the latest. The company can delete this data even before cancellation, when the purpose of processing this personal data has been achieved, or if the law so requires.

Exceptionally, the company may refuse a request to delete an individual’s personal data, namely for reasons from the General Regulation in cases of exercising the right to freedom of expression and information, fulfilling the legal obligation of processing, reasons of public interest in the field of public health, purposes of archiving in the public interest, scientific research or historical – research purposes, statistical purposes, implementation or defense of legal claims, etc.

Data are processed until cancellation or withdrawal of consent or until the purpose of processing is fulfilled. Revocation of consent does not affect the lawfulness of processing based on consent prior to its revocation.

5. Processing is necessary to protect the vital interests of the individual to whom personal data refer.

The company MERCIS d.o.o. may process the personal data of the individual to whom the personal data relates, insofar as this is necessary to protect his vital interests. In urgent cases, the company can search for an individual’s identity document, check whether this person exists in its database, study his medical history or establish contact with his relatives, for which the company does not need the individual’s consent.

Storage and deletion of personal data

The company MERCIS d.o.o. keeps personal data only as long as it is necessary to fulfill the purpose for which the personal data was collected and processed.

If we process personal data on the basis of the law, we only keep them for the period prescribed by law. Here, some personal data are stored only for the duration of cooperation with us, while some personal data are stored permanently.

We keep personal data that we process on the basis of a contractual relationship with an individual for the period necessary for the execution of the contract and for six years after its termination, except in cases where there is a dispute between the individual and the company regarding the contract. In such a case, we keep personal data for ten years after the finality of the court decision, arbitration or court settlement, or if there was no legal dispute, five years from the date of the peaceful resolution of the dispute.

Personal data that we process on the basis of the personal consent of the individual or on the basis of a legitimate interest are kept until we receive the revocation of the consent or until we receive the request to delete the data. After receiving the revocation of consent or the request for deletion, we delete personal data within fifteen days at the latest. The company MERCIS d.o.o. can delete this data even before cancellation, when the purpose of personal data processing has been achieved, or if the law stipulates so.

Exceptionally, we can refuse the request to delete personal data, namely for reasons from the General Regulation, such as: exercising the right to freedom of expression and information, fulfilling the legal obligation of processing, reasons of public interest in the field of public health, purposes of archiving in the public interest, scientific research, historical -research or statistical purposes and the exercise or defense of legal claims. After the retention period has expired, personal data is effectively and permanently deleted or anonymized so that it can no longer be linked to a specific individual.

Contractual processing of personal data

The company MERCIS d.o.o. can trust a contractual processor for individual processing of personal data on the basis of a contractual processing agreement. Contractual processors can process confidential data exclusively on behalf of the controller, within the limits of his authority, which is written in a written contract or other legal act, and in accordance with the purposes defined in this privacy policy.

Contract processors with whom MERCIS d.o.o. participates are mainly:

• provider of accounting services,
• providers of personnel, legal and other business consulting,
• infrastructure maintainers (security, cleaning services),
• providers and maintainers of information systems,
• external website maintainers,
• email service providers, cloud software and service providers,
• web analytics providers (Google).

The company MERCIS d.o.o. for the purpose of better inspection and control over contractual processors and the arrangement of mutual contractual relations, it keeps a record of contractual processors, which lists all specific contractual processors with whom we cooperate.

The company does not forward an individual’s personal data to unauthorized third parties under any circumstances. Contract processors may only process personal data within the scope of our instructions and may not use personal data for any other purposes.

Transfer of personal data to a third country or international organization

The company MERCIS d.o.o. as an operator and its employees do not export personal data to third countries (outside the member states of the European Economic Area – EU members and Iceland, Norway and Liechtenstein) and to international organizations.

Protection and accuracy of personal data

The rights of the individual regarding the processing of his personal data

In accordance with the General Regulation, you as an individual have the following rights regarding the processing of your personal data:

1. Right of access

You can request information about whether we hold your personal data and, if so, you have the right to know what data we hold, on what legal basis we process it and what we use it for. You can also request access to your personal data, which allows you to receive a copy of the personal data we hold about you and to check whether we are processing it lawfully.

2. Right to rectification

You can request the correction of incomplete or inaccurate personal data that we process about you.

3. Right to erasure (“right to be forgotten”)

Under certain conditions, you have the right to delete personal data. The deletion of your personal data is possible when:

• the purpose of personal data processing has been fulfilled and the data is no longer needed,
• withdraw your consent,
• you object to the processing of your personal data and there are no overriding legitimate reasons for the processing of your personal data,
• there is illegal processing of your personal data or
• the deletion of your personal data is necessary to fulfill a legal obligation.

4. The right to limit the processing of personal data

Under certain conditions, you can request the restriction of the processing of your personal data. You can request the restriction of the processing of your personal data:

• when you request correction of personal data,
• when the processing of your personal data is illegal, but you object to its deletion,
• when the controller no longer needs your personal data to fulfill the purpose, but you want to keep your personal data for the purposes of exercising certain rights,
• for the duration of the assessment of the objection to the processing that you have filed.

The restriction of personal data processing is always temporary and ends when the reason for the restriction ceases.

5. The right to object to the processing of personal data

Under certain conditions, you have the right to object to the processing of your personal data. In the event of an objection, we will consider your objection substantively and examine it according to our legitimate interest. You can object to the processing of your personal data when the processing is based on a legitimate interest.

6. The right to provide personal data

You have the right to request that your personal data, which you have provided to us, be forwarded to another controller in a structured, commonly used and machine-readable format. You can request the transmission of your personal data for personal data that is processed on the basis of a contractual relationship or consent and is carried out by automated means. We can only transfer your personal data to another controller if this is technically feasible. Otherwise, we will pass on the personal data to you.

7. Right to withdraw consent

When we process your personal data based on the legal basis of consent, you always have the option to withdraw your consent. After receiving notification that you have withdrawn your consent, we will stop processing your personal data. Revocation of consent does not affect the retroactive validity of personal data processing.

You can exercise all of the listed rights by sending the completed Form for the exercise of rights in connection with the processing of personal data to the e-mail address: [email protected]. The form is available here. If you do not submit the request on the form, we reserve the right to contact you and obtain additional information from you, if this is necessary to ensure reliable identification.

We will respond to a request relating to individual rights without undue delay, and in any case within one month of receiving the request. In the event that, taking into account the complexity and number of requests, this deadline is extended (by a maximum of two additional months), we will inform you about this. Access to an individual’s personal data and exercising rights is free for the individual. However, MERCIS d.o.o. can charge a reasonable fee if the data subject’s request is manifestly unfounded or excessive, especially if it is repeated. In such a case, the company may reject the request. In the case of exercising the rights under this title, the company may have to request certain information from the individual that will help it confirm the identity of the individual, which is only a security measure to ensure that personal data is not disclosed to unauthorized persons.
If you have any questions regarding the processing of your personal data, you can contact us at any time by e-mail at [email protected] or by regular mail to the company’s address.

The right to file a complaint with a supervisory authority

If, as an individual, you believe that your rights have been violated, you can contact the supervisory authority for protection or assistance, which in the Republic of Slovenia is represented by:

Information Commissioner
Dunajska cesta 22
1000 Ljubljana
e-mail: [email protected]
website: www.ip-rs.si

The existence of automated decision-making

The company MERCIS d.o.o. does not perform automated decision-making or profiling.

Announcement of changes to the privacy policy

Any changes to this privacy policy will be posted on our website. By using the website, the individual confirms that he accepts and agrees with the entire content of Mercis d.o.o.’s Privacy Policy.

The privacy policy of Mercis d.o.o. was accepted by the responsible person of Mercis d.o.o. and is valid from May 15, 2024 onwards.