Information on the Protection of Personal Data
About the Controller
Slovenian Research and Innovation Agency
Bleiweisova cesta 30
1000 Ljubljana
Slovenia
E-mail: GlavnaPisarna@aris-rs.si
The Slovenian Research and
Innovation Agency of the Republic of Slovenia (hereinafter: ARIS) processes your
personal data in accordance with Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement
of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation, hereinafter: GDPR), the applicable legislation on personal data
protection (Personal Data Protection Act, Official Gazette of the Republic of
Slovenia, Nos. 163/22 and 40/25 – ZInfV-1, hereinafter: ZVOP-2), and other
legislation that provides ARIS with a legal basis for the processing of personal
data.
ARIS is guided by a high standard of personal data protection; therefore,
to ensure an appropriate level of protection, ARIS has adopted internal rules on
personal data protection and control mechanisms that prevent misuse or any
unauthorized processing of data.
Data Protection Officer
Damjana Bogataj Demšar
E-mail: Damjana.Bogataj-Demsar@aris-rs.si
Tel.: (01) 555 53 81
Marjeta Janežič
E-mail: Marjeta.Janezic@aris-rs.si
Tel.: (01) 400 59 89
Purpose and Legal Basis for the Processing of Personal Data
ARIS processes individuals’ personal data primarily for the following
purposes:
- in connection with the implementation of public calls or
invitations regarding the co-financing of scientific research and innovation
activities, managing personal data collections, and performing tasks and
purposes defined by the Scientific Research and Innovation Activities Act
(Official Gazette of the Republic of Slovenia, Nos. 186/21, 40/23, 102/24, and
40/25; hereinafter: ZZrID), implementing regulations, and ARIS founding acts;
- handling various client applications and communication with clients;
- providing support to the functioning of ARIS expert bodies;
- conducting recruitment procedures and communication with job candidates;
- for the purposes of organizing and conducting various meetings, trainings, or
events, and for public information purposes;
- carrying out public procurement procedures, concluding and performing
contracts for the supply of goods or services;
- managing documentary material, including storage of documentary and archival
material;
- ensuring efficient and secure operation of ARIS information systems and
providing user support;
- monitoring and exercising control, particularly
regarding the legality of the intended use of allocated financial resources for
the implementation of scientific research activities financed by ARIS;
- responding to requests related to access to public sector information;
- ensuring individuals’ rights in accordance with personal data protection
regulations;
- cooperation with state authorities or other holders of public
authority or
- providing explanations or responses when individuals contact ARIS
with questions or initiatives.
The processing of personal data by ARIS will be based on
one of the following legal grounds:
- if processing is necessary to comply with a legal
obligation of ARIS, provided that the law specifies the processing of personal
data, the types of personal data to be processed, the categories of individuals
to whom these personal data relate, the purpose of their processing, and the
retention period or the period for regular review of the need for retention;
- if processing is necessary for the performance of tasks in the public interest
or in the exercise of public authority conferred on ARIS under the same
condition that applies to processing necessary for compliance with a legal
obligation of ARIS (see previous point). Notwithstanding this condition, in the
case of the legal basis under consideration, exceptionally, only those personal
data that are strictly necessary for the exercise of lawful powers, tasks, or
obligations of the public sector may be processed, provided that such processing
does not infringe the legitimate interest of the individual to whom the personal
data relate;
- if the individual has given consent for the processing of their
personal data for one or more specific purposes, if such an option is provided
by law, or otherwise based on consent where it does not concern the exercise of
statutory powers, tasks, or authoritative obligations of the public sector;
- if the processing of personal data is necessary for the performance of a
contract to which the individual is a party or for the implementation of
measures at the request of such an individual prior to the conclusion of the
contract;
- if processing is necessary to protect the vital interests of the individual to
whom the personal data relate or of another natural person;
- when processing is necessary for the legitimate interests pursued by ARIS,
except where such interests are overridden by the interests or fundamental
rights and freedoms of the individual to whom the personal data relate, which
require the protection of personal data. This legal basis does not apply to
processing by ARIS in the performance of its public (authoritative) tasks.
Types of Personal Data and Collection of Personal Data
ARIS collects only those personal data that are strictly
necessary to achieve a specific purpose, primarily for the performance of ARIS’s
public tasks and the purposes set out in Article 55 of the Scientific Research
and Innovation Activities Act (ZZrID), as well as for the implementation of
secondary legislation listed on the ARIS website. Certain types of personal data
that may be processed in relation to you are defined by other regulations, for
example, when their processing arises from labor law provisions, public
procurement regulations, administrative procedure rules, document and archival
material management regulations, personal data protection regulations, etc.
ARIS
usually obtains your personal data directly from you. In certain cases
prescribed by law, personal data may also be obtained from official records
maintained by authorized bodies and organizations in the Republic of Slovenia,
where such data acquisition is provided for by regulations. ARIS may also obtain
personal data from other persons (e.g., research organizations, service
providers, etc.) if they submit an application for a public call or intend to
conclude a contract with ARIS.
As part of ensuring the secure and efficient
operation of the information system for submitting applications and documents
related to public calls for co-financing scientific research and innovation
activities, ARIS may process personal data related to users of the information
system on the basis of point (e) of Article 6(1) of the GDPR; specifically, data
on the email address, username, time of use or access to the system, and
activities performed by the individual user within the system (audit trail).
This enables ARIS to ensure the proper functioning of the information system,
monitor and maintain an appropriate level of information security, and provide
user support where needed.
In the case of communication via email, ARIS’s email
system processes data about your email address, the time of sending or receiving
your message, the subject line, the content of the message, and other data you
disclose to ARIS.
Users, Categories of Users, and Personal Data Processors
The processing of your personal data is strictly limited to
those ARIS employees who necessarily require access to your personal data to
perform their work tasks. All employees are bound by confidentiality and by
compliance with personal data protection rules.
Your personal data may be processed by competent state
authorities and holders of public authority in the exercise of their statutory
powers, as well as by other persons who have a legal basis for obtaining and
processing personal data (e.g., for the purposes of audits, supervisory,
inspection, misdemeanor, and other procedures).
In certain cases, your personal data are processed by
processors with whom ARIS has concluded a written contract. Processors process
the entrusted data exclusively on behalf of and for ARIS, within the limits of
the authorization specified in the written contract or other legal act, and in
accordance with the purposes defined therein. ARIS cooperates with contractual
service providers who maintain software or solutions in which individuals’
personal data are processed and which are used in the process of application
submission, evaluation, cost monitoring within calls, communication with
individuals, data management, and various reports.
ARIS will under no circumstances disclose an individual’s
personal data to unauthorized third parties, except in cases provided for by
law.
Transfers of Data to Third Countries or International
Organizations
ARIS will, in the event of transferring data to third
countries or international organizations, ensure that procedures are followed
and measures are implemented as prescribed by the applicable regulations for
such transfers.
Data Security
ARIS protects your personal data with appropriate technical
and organizational measures. Technical measures include adequate actions to
address web security, the security of information system use, and the management
of risks related to data loss, alteration, or unauthorized access, taking into
account the risks posed by processing and the nature of the personal data being
processed. Organizational measures include restricting access to personal data
solely to authorized persons who have a legitimate need to access them for
processing purposes.
Data Retention Period
The retention period for personal data depends on the legal
basis and the purpose of processing for each category of personal data. Personal
data are kept for as long as necessary to fulfill the purpose for which they
were collected or for the period prescribed by law or other regulations.
Personal data processed by ARIS on the basis of your consent are retained until
the consent is withdrawn or as long as necessary to fulfill the purpose.
Retention periods are determined in accordance with the
deadlines set by regulations and the Classification Plan of the Slovenian
Research and Innovation Agency. If retention periods are not specifically
defined by regulations, storage must, in accordance with the principle of
proportionality, be limited to the shortest possible period. After the retention
period expires, personal data are deleted, destroyed, blocked, or anonymized,
unless they are classified as archival material under the law governing archival
records and archives, or unless the law provides otherwise for certain types of
personal data. ARIS may process some personal data for scientific research,
historical research, statistical, and archival purposes, provided that
appropriate measures are implemented in accordance with the GDPR and ZVOP-2.
Obligation to Provide Data
Providing personal data within the framework of a public call
or invitation, a selection procedure, or other procedures conducted by ARIS in
which decisions are made regarding individuals’ applications constitutes a legal
obligation. If an individual fails to provide the required data, ARIS cannot
carry out the prescribed procedures, which may result in a request to supplement
the application, a decision to reject the application, or the inability to
participate in the selection process.
Providing personal data is also a contractual obligation when
the acquisition and processing of personal data are necessary for concluding a
contract with ARIS, executing payments, and monitoring the performance of the
contract.
Information on the Existence of Automated Decision-Making
ARIS does not process personal data or make decisions based
solely on automated processing that would have legal effects concerning an
individual or similarly significantly affect them. Nor does ARIS process data
for the purpose of creating individual profiles.
Questionnaires
ARIS may also collect data through questionnaires sent to
individuals (e.g., reviewers, researchers) for completion. This allows ARIS to
obtain data directly from individuals or to ensure accuracy, update data
previously obtained from them, research organizations, or publicly available
sources. The questionnaires include personal data as specified by the provisions
of the ZZrID law, as well as other information gathered in the context of mutual
cooperation and exchange of opinions (e.g., presentations of public tenders or
calls). For conducting online surveys, ARIS may use various tools. In
particular, it uses the 1KA online questionnaire provided by its contracted
processor - University of Ljubljana, Faculty of Social Sciences, Center for
Social Informatics. Detailed information on personal data protection related to
survey implementation is available at:
https://www.1ka.si/d/en/about/terms-of-use/privacy-policy.
ARIS will inform individuals of this information in advance whenever
questionnaires are sent and will also obtain confirmation that they have been
informed.
Organization of Events and Public Communication
In accordance with Article 93 of ZVOP-2, ARIS may use contact
details of individuals collected from publicly available sources or in the
course of performing its public tasks, or voluntarily disclosed by the
individuals concerned or provided with their consent, for the purposes of
organizing official meetings, trainings, workshops, and events; determining the
composition or functioning of commissions, councils, delegations, and other
similar public sector activities; and issuing public statements. For the
purposes mentioned above, ARIS may use only the following personal data: name,
telephone number, email address or other communication identifier, employer or
organization details, and information on the field of work, position, function,
membership in a club, or hobby of the individual concerned. For any other types
of personal data, ARIS must obtain the individual’s explicit consent.
ARIS may process, including publish, personal names, titles,
photographs, and video recordings of individuals obtained at events organized by
ARIS within its tasks, competences, or activities, unless the individual has
prohibited such processing.
Data Subject Rights
In accordance with the GDPR and ZVOP-2, individuals are guaranteed the following
rights:
- access to personal data processed in relation to them;
- rectification of data if the data held by ARIS are (i) incorrect or
incomplete, (ii) no longer necessary for the purposes for which they were
collected or otherwise processed; (iii) when the individual withdraws
consent and there is no other legal basis for processing; (iv) when an
objection to processing necessary for legitimate interests or for the
performance of tasks in the public interest or in the exercise of public
authority assigned to ARIS has been lodged and there are no overriding
legitimate grounds for processing; (v) when personal data have been
unlawfully processed; or (vi) when personal data must be erased to comply
with a legal obligation under EU or Slovenian law. Notwithstanding the
above, ARIS will not comply with an erasure request in cases specified in
Article 17(3) of the GDPR;
- erasure of data, unless there is a legal basis preventing ARIS from
deleting the personal data;
- restriction of processing of personal data if the data are inaccurate or
if ARIS should not use the personal data; specifically, for a period
enabling ARIS to verify the accuracy of the individual’s personal data; when
processing is unlawful and the individual requests restriction instead of
erasure; when ARIS no longer needs the personal data for processing purposes
but the individual requires them for the establishment, exercise, or defense
of legal claims; or when an objection to processing has been lodged, pending
verification of whether ARIS’s legitimate grounds override those of the
individual;
- data portability to another controller in a structured, commonly used,
and machine-readable format, where (i) processing is based on consent or a
contract and (ii) processing is carried out by automated means. When
exercising the right to data portability, the individual has the right to
have personal data transmitted directly from ARIS to another controller,
where technically feasible. This right does not apply to processing
necessary for the performance of a task carried out in the public interest
or in the exercise of public authority assigned to ARIS;
- objection to the processing of personal data necessary for legitimate
interests pursued by ARIS or for the performance of tasks in the public
interest or in the exercise of public authority. ARIS will cease processing
personal data unless it demonstrates compelling legitimate grounds for
processing that override the interests, rights, and freedoms of the
individual or for the establishment, exercise, or defense of legal claims.
Where personal data are processed for scientific, historical, or statistical
purposes, the individual has the right to object to processing on grounds
relating to their particular situation, unless processing is necessary for
the performance of a task carried out for reasons of public interest.
If you have given consent for the processing of your personal
data, you may withdraw it at any time. Withdrawal does not affect the lawfulness
of processing carried out based on your consent before its withdrawal.
How to exercise your rights:
- Orally, recorded in writing, by prior appointment during office hours:
Monday and Wednesday from 10:00 to 12:00 and 13:00 to 15:00; Fridays from
10:00 to 12:30;
- In writing, to the contact details of the Data Protection Officer or
directly to ARIS. If you submit your request electronically, information
will be provided electronically where possible, unless you request
otherwise.
For reliable identification, ARIS may require additional data
necessary to confirm your identity when exercising rights related to personal
data.
ARIS will respond to your request without undue delay and no
later than one month after receipt, in accordance with ZVOP-2 procedural
provisions. The deadline may be extended by up to two additional months
considering the complexity and number of requests.
All information, communications, and actions related to
personal data protection will be provided free of charge in one copy. Where
requests are manifestly unfounded or excessive, particularly due to their
repetitive nature, ARIS may charge a reasonable fee considering administrative
costs or refuse the request.
Right of Access to Public Sector Information and Personal Data Protection
ARIS may exceptionally disclose data relating to individuals
when handling requests for access to public information submitted in accordance
with the Access to Public Sector Information Act (Official Gazette of the
Republic of Slovenia, Nos. 51/06 – official consolidated text, 117/06 – ZDavP-2,
23/14, 50/14, 19/15 – Constitutional Court decision, 102/15, 7/18, 141/22, and
40/25 – ZInfV-1; hereinafter: ZDIJZ). Access to the requested information is
granted under ZDIJZ provisions if the data concern the use of public funds or
data related to the performance of a public function or the employment
relationship of a public servant, except in cases of exceptions provided by
ZDIJZ and in cases where the law governing public finance or the law governing
public procurement stipulates otherwise.
In all other cases where exceptions to access to public
information do not apply, ARIS will redact personal data of the individuals
concerned when providing information containing personal data. In accordance
with the second paragraph of Article 74 of ZVOP-2, ARIS may publicly disclose
such data when the law stipulates their publicity or when the data constitute
public information.
Right to File a Complaint with the Information Commissioner of the Republic
of Slovenia
You have the right to file a complaint with the Information
Commissioner of the Republic of Slovenia, Dunajska cesta 22, Ljubljana, or via
email at gp.ip@ip-rs.si, if you believe that
the processing of your personal data violates the provisions of the GDPR or
ZVOP-2.
Validity
ARIS reserves the right to amend or supplement the
Information on Personal Data Protection. This information is valid and
applicable as of 20 November 2025.