Information on the Protection of Personal Data
About the Controller
Slovenian Research and Innovation Agency
Bleiweisova cesta 30
1000 Ljubljana
Slovenia
E-mail: GlavnaPisarna@aris-rs.si
Your personal data are processed in accordance with the Regulation (EU) 2016/679
of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and on the
free movement of such data, and repealing Directive 95/46/EC (General Data
Protection Regulation, hereinafter referred to as "GDPR"), the applicable
national legislation on personal data protection (Personal Data Protection Act,
Official Gazette of the Republic of Slovenia, No. 163/22, hereinafter referred
to as "ZVOP-2") and other legislation providing a legal basis for the processing
of your personal data.
The Slovenian Research and Innovation Agency (ARIS) is committed to a high
standard of personal data protection. ARIS has adopted appropriate internal
protection rules and control mechanisms to ensure an adequate level of
protection and to prevent misuse or any unauthorised processing, i.e. Rules on
Procedures and Measures for Ensuring the Security of Personal Data at the
Slovenian Research and Innovation Agency, No. 007-9/2022-1, of 27 May 2022 and
Rules on Procedures and Measures for the Operation and Maintenance of the IT
Environment of the Slovenian Research and Innovation Agency, No. 007-15/2008-1,
of 11 November 2008, as amended. Your personal data are thus carefully stored
and protected by organisational, technical and logical-technical procedures and
measures. ARIS requires the same security commitments from its processors. You
can rest assured that we only work with trusted partners who will process your
data with the highest level of security.
Data Protection Officer
Barbara Jankovič
E-mail: Barbara.Jankovic@aris-rs.si
Phone: 01 400 5964
Purpose and Legal Basis for the Processing of Personal Data
Your personal data shall only be processed by ARIS for the purposes for which
they were collected and not for the purposes incompatible with those for which
they were collected. ARIS shall collect only those personal data which are
strictly necessary for the fulfilment of a specific purpose, in particular for
the purposes of carrying out the public tasks set out in the Scientific Research
and Innovation Activities Act (Official Gazette of the Republic of Slovenia, No.
186/21 and 40/23, hereinafter referred to as “ZZrID”) and in relevant by-laws in
relation to Article 167 of the Rules on the Procedures for the (Co)financing and
Assessment of Research Activities and on Monitoring the Implementation of
Research Activities (Official Gazette of the Republic of Slovenia, No. 166/22,
hereinafter referred to as “Rules on Procedures”) and to Article 47(5) of the
Decision Establishing the Slovenian Research and Innovation Agency (Official
Gazette of the Republic of Slovenia, No. 48/23), such as the Rules on the
Register of Private Researchers (Official Gazette of the Republic of Slovenia,
No. 12/05, 5/07, 84/08 and 186/21 – ZZrID), Rules on Procedures, and Rules on
the Block Funding of Scientific Research Activities (Official Gazette of the
Republic of Slovenia, No. 87/22 and 103/22, as amended). The legal basis for the
processing of personal data is also provided by employment protection
legislation, Protection of Documents and Archives and Archival Institutions Act
(Official Gazette of the Republic of Slovenia, No. 30/06 and 51/14), and other
relevant legislation.
Processing of personal data by ARIS shall take place when at least one of the
following conditions is met:
- processing is necessary for compliance with a legal obligation to which ARIS
is subject, provided that the processing of personal data, the types of
personal data to be processed, the categories of data subjects, the purpose
of data processing, and the period for which the personal data will be
stored or the period for a periodic review of the need to store are provided
for by law;
- processing is necessary for the performance of a task carried out in the
public interest or in the exercise of official authority vested in ARIS,
under the same condition as applies to processing necessary to comply with a
legal obligation to which ARIS is subject (see the first point above). Notwithstanding
the above condition, however, the processing of personal data strictly
necessary for the exercise of the legal powers, tasks or obligations of the
public sector may exceptionally be carried out in the case of the legal
basis under consideration, provided that such processing does not prejudice
the legitimate interests of the data subject;
- the data subject has given consent to the processing of their personal data
for one or more specified purposes, if the law so provides, or otherwise on
the basis of the consent, provided that the processing is not necessary for
the exercise of the legal powers, tasks or obligations of the public sector;
- processing is necessary for the performance of a contract to which the data
subject is party or in order to take steps at the request of the data
subject prior to entering into a contract;
- processing is necessary in order to protect the vital interests of the data
subject or of another natural person;
- processing is necessary for the purposes of the legitimate interests pursued
by ARIS, except where such interests are overridden by the interests or
fundamental rights and freedoms of the data subject which require protection
of personal data. This legal basis shall not apply to processing carried out
by ARIS in the performance of its public (official) tasks.
Personal data may also be processed in accordance with Article 9 of the GDPR.
Recipients, Categories of Recipients, and Processors of Personal Data
The processing of your personal data is strictly limited to those ARIS employees
who strictly need to process your personal data in order to carry out their work
tasks. All employees are committed to maintaining confidentiality and to
respecting the protection of personal data. In certain cases, your personal data
are processed by the processors with whom ARIS has concluded a written contract,
by the competent official authorities and public authorities in the exercise of
their legal powers, and by other persons who have a legal basis for obtaining
and processing your personal data. In no case will ARIS transmit personal data
to unauthorised third parties or to third countries, except in the cases
provided for by law or regulation.
The processors shall process the data entrusted to them exclusively in the name
and on behalf of ARIS, within the limits of the authorisation enshrined in a
written contract or other legal act and in accordance with the purposes defined
in the contract or legal act. The main contractual processors cooperating with
ARIS are: IZUM, Špica International d.o.o., Zaslon Telecom d.o.o., Nova Vizija
d.o.o., an undertaking providing e-infrastructure and services in the ARNES
network, and STROKA PRODUKT d.o.o.
Transmitting Data to Third Countries or International Organizations
In cases where, in accordance with the legal rules, a proposal for research
(co)funding is evaluated by a reviewer from a third country, ARIS shall transmit
personal data to reviewers in third countries in accordance with the principle
of data minimisation. ARIS shall ensure appropriate safeguards and shall only
cooperate with reviewers from the third countries that ensure adequate
protection of personal data.
In cases of (co)funding international research (e.g. Lead Agency), ARIS shall
process personal data (e.g. ARIS is obliged to notify the Lead Agency that a
proposal fulfils the entry requirements) in accordance with the rules on
personal data protection and with the specific contracts concluded or other
relevant (international) rules.
Types of Personal Data Not Obtained from the Data Subject
In accordance with the purposes and legal bases set out above, ARIS shall also
collect personal data that have not been directly obtained from the data
subject. ARIS shall only process such personal data where there is a legal basis
for doing so (e.g. Article 56 of the ZZrID).
Period for Which the Personal Data Are Stored
The period for which personal data will be stored depends on the legal basis and
the purpose of the processing of each category of personal data. Personal data
shall be kept for as long as necessary for the fulfilment of the purpose for
which they were collected or for the period required by law or regulation.
Personal data processed by ARIS on the basis of your personal consent shall be
stored by ARIS until the consent is withdrawn or for as long as necessary for
the fulfilment of the purpose.
For the purpose of determining the storage period, the periods laid down by the
regulations and the Classification Scheme of the Slovenian Research and
Innovation Agency, No. 020-9/2023-1, of 2 June 2023 shall be taken into account.
If the storage periods are not specifically laid down by the regulations, the
storage shall be limited to the shortest possible period, taking into account
the principle of proportionality. After the storage period has ended, personal
data shall be erased, destroyed, blocked or anonymised, unless classified as
archival materials on the basis of the law governing archives and archival
materials or unless provided otherwise by law for specific types of personal
data. ARIS may process certain personal data for scientific and historical
research, statistical and archiving purposes, subject to the adoption of
appropriate measures in accordance with the GDPR and ZVOP-2.
Rights of the Data Subject
In accordance with the GDPR, ARIS shall grant you the right of access to
personal data, the right to withdrawal of consent, the right to rectification,
the right to erasure ("right to be forgotten"), the right to restriction of
processing, the right to data portability, the right to object, and the right to
lodge a complaint with the Information Commissioner, as detailed below.
Your rights in relation to personal data can be exercised:
- orally on record, by prior appointment, during office hours from 9:00 to
12:00 and from 13:00 to 15:00 on Mondays to Thursdays, and from 9:00 to
12:00 and from 13:00 to 14:00 on Fridays;
- in writing addressed to the Data Protection Officer indicated above or
directly to ARIS. If you submit your request by electronic means, the
information will be provided to you by electronic means where possible,
unless you request otherwise.
In case you exercise your rights in relation to personal data, ARIS may request
additional information necessary to confirm your identity.
ARIS shall respond to your request to exercise your rights in relation to
personal data without undue delay and at the latest within one month of receipt
of the request. That period may be extended by two further months where
necessary, taking into account the complexity and number of the requests.
All information provided as well as any communication and any actions relating
to personal data protection shall be provided in a single copy free of charge.
Where requests from a data subject are manifestly unfounded or excessive, in
particular because of their repetitive character, ARIS may either charge a
reasonable fee taking into account the administrative costs of providing the
information requested or refuse to act on the request.
Right of Access
You shall have the right to obtain from ARIS confirmation as to whether or not
personal data concerning you are being processed, and, where that is the case,
access to the personal data and the following information: (a) the purposes of
the processing; (b) the categories of personal data concerned; (c) the
recipients or categories of recipient to whom the personal data have been or
will be disclosed, in particular recipients in third countries or international
organisations; (d) where possible, the envisaged period for which the personal
data will be stored, or, if not possible, the criteria used to determine that
period; (e) the existence of the right to request from ARIS rectification or
erasure of personal data or restriction of processing of personal data
concerning the data subject or to object to such processing; (f) the right to
lodge a complaint with the Information Commissioner; (g) where the personal data
are not collected from the data subject, any available information as to their
source; (h) the existence of automated decision-making, including profiling,
and, at least in those cases, meaningful information about the logic involved,
as well as the significance and the envisaged consequences of such processing
for the data subject; (i) the appropriate safeguards, where personal data are
transferred to a third country or to an international organisation.
Right to Withdrawal of Consent
You can withdraw your consent to the processing of your personal data at any
time, just as easily as it was given. Withdrawal of consent does not affect the
lawfulness of processing based on consent before its withdrawal.
Right to Rectification, Erasure (“Right to be Forgotten”) and
Restriction of Processing
You shall have the right to request and obtain from ARIS without undue delay:
- the rectification of inaccurate personal data concerning you or, taking into
account the purposes of the processing, the completion of incomplete
personal data;
- the erasure of personal data concerning you, namely: where the personal data
are no longer necessary in relation to the purposes for which they were
collected or otherwise processed; where the data subject withdraws consent
on which the processing is based and where there is no other legal ground
for the processing; where you object to the processing, which is necessary
for the legitimate interests, for the performance of a task carried out in
the public interest or in the exercise of official authority vested in ARIS,
and there are no overriding legitimate grounds for the processing, or you
object to the processing pursuant to Article 21(2) of the GDPR (direct
marketing); where the personal data have been unlawfully processed or where
the personal data have to be erased for compliance with a legal obligation
in the European Union or in Slovenia. ARIS shall not grant a request for
erasure in the cases provided for in Article 17(3) of the GDPR;
- the restriction of personal data processing, namely: where the accuracy of
your personal data is contested, for a period enabling ARIS to verify the
accuracy of your personal data; where the processing is unlawful and you
oppose the erasure of the personal data and request the restriction of their
use instead; where ARIS no longer needs the personal data for the purposes
of the processing, but you require them for the establishment, exercise or
defence of legal claims; or where you have objected to processing pending
the verification whether the legitimate grounds of ARIS override your
grounds.
Right to Data Portability
You shall have the right to receive the personal data, which you have provided
to ARIS, in a structured, commonly used and machine-readable format and have the
right to transmit those data to another controller, where: (a) the processing is
based on consent or on a contract and (b) the processing is carried out by
automated means.
In exercising your right to data portability, you shall have the right to have
the personal data transmitted directly from ARIS to another controller, where
technically feasible. That right shall not apply to processing necessary for the
performance of a task carried out in the public interest or in the exercise of
official authority vested in ARIS. The right to data portability shall not
adversely affect the rights and freedoms of others.
Right to Object
You shall have the right to object, on grounds relating to your particular
situation, at any time to processing of your personal data which is necessary
for the legitimate interests pursued by ARIS or for the performance of a task
carried out in the public interest or in the exercise of official authority.
ARIS shall no longer process the personal data unless demonstrating compelling
legitimate grounds for the processing which override your interests, rights and
freedoms or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you shall have
the right to object at any time to processing of personal data concerning you
for such marketing, which includes profiling to the extent that it is related to
such direct marketing. In this case, the personal data shall no longer be
processed.
Where personal data are processed for scientific or historical research purposes
or statistical purposes, you, on grounds relating to your particular situation,
shall have the right to object to processing of personal data concerning you,
unless the processing is necessary for the performance of a task carried out for
reasons of public interest.
Right to Lodge a Complaint with the Information Commissioner
Without prejudice to any other administrative or judicial remedy, every data
subject shall have the right to lodge a complaint with the Information
Commissioner, Dunajska cesta 22, Ljubljana, if you consider that the processing
of personal data concerning you infringes the GDPR. The Information Commissioner
shall inform you on the progress and the outcome of the complaint, including the
possibility of a judicial remedy against the outcome of the complaint lodged.
Validity
ARIS reserves the right to amend or supplement the Information on the Protection
of Personal Data. The Information shall be valid and applicable from 22 August
2024.