The aim of the Personal Data Protection Policy is to inform the individuals, users of services, employees, partners and other persons (hereinafter: individuals) who collaborate with the Bled Culture Institute (hereinafter: organization) about the purposes and legal groundwork, security measures and rights of data subjects regarding the processing of personal data provided by our organization.

We value your privacy so we always protect your data carefully.

Your personal data is processed in accordance with the EU legislation (Regulation (EU) 2016/697 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter: GDPR)) and the relevant data protection legislation (Personal Data Protection Act (ZVOP-1, Official Gazette of the Republic of Slovenia, No. 94/17)) and other rules and regulations which provide the legal basis for the processing of personal data.

The Personal Data Protection Policy contains information for data subjects about the manner in which our organization as the controller processes personal data which it receives from the individual on the basis of the legal groundwork described hereafter.


The controller of personal data is the organisation:

Zavod za kulturo Bled (Bled Culture Institute), Cesta svobode 11, 4260 Bled
+386 (0)4 5729 770

Data Protection Officer

In accordance with Article 37 of the GDPR, we have appointed the following company as the Data Protection Officer:


Tržaška cesta 85, SI-2000 Maribor
+386 (0) 2 620 4 300

Personal data

Personal data means any information relating to an identified or identifiable individual (hereinafter: data subject) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Purposes and grounds for data processing

The organisation collects and processes your personal data on the basis of the following legal bases:

  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Processing is necessary for the purpose of the legitimate interests pursued by the controller or by a third party;
  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • Processing is necessary in order to protect the vital interests of the data subject or of another individual.

Compliance with a legal obligation or performance of a task in the public interest

Under the provisions of the law, the organization mainly processes data about its employees, which it is permitted to do by the labour law. In compliance with its legal obligation, the organization mainly processes the following types of personal data: Name and surname, sex, date of birth, citizen personal identification number (EMŠO), tax number, place, municipality and country of birth, nationality, place of residence for the purpose of the employment contract and in order to ensure compliance with the related legal obligation.

Other legal acts that form the basis for the processing of personal data of employees include: Public Sector Salary Systems Act, Public Employees Act, Protection against Natural and Other Disasters Act.

In certain cases, the processing of personal data is also permissible in the organisation on the basis of public interest.

Performance of a contract

When you enter into a contract with the organization, this contract constitutes the legal basis for the processing of personal data. It is therefore permissible to process your personal data for the conclusion and performance of such contract, e.g. ticket sales, club membership, training, service agreement. In the event that the individual does not provide his or her personal data, the organization is unable to enter into the contract and, consequently, cannot carry out the service or deliver the goods or other products under the contract, because it does not hold sufficient data for its execution. On the grounds of provision of legitimate activity, the organization may communicate information about its services, events, training, offers and other contents to the electronic mail of individuals and users of its services. An individual may at any time request the termination of such communication and processing of personal data. An individual may terminate such communication at any time via the link to unsubscribe in received messages, by a written request to the e-mail address, or by a written request sent by regular mail to the address of the organization.

Legitimate interest

The enforcement of the legitimate interest as the legal basis is limited to the processing carried out by public authorities in the exercise of their responsibilities. Nevertheless, the organization may also process personal data on the grounds of legitimate interest which the organization strives to pursue to a limited extent. The latter is not permissible when the interests and fundamental rights of the data subject override the interest of the data controller. In the event of exercising legitimate interest, the organization shall always carry out a careful assessment under the GDPR.

With a view to the above, individuals receive periodical information about our services, events, trainings, offers and other contents by electronic mail, telephone or regular mail. An individual may request the termination of such communication and personal data processing at any time via the link to unsubscribe in received messages, by a written request to the e-mail address, or by a written request sent by regular mail to the address of the organization.

Processing on the basis of consent

If the organization has no legal grounds arising from a legal act, exercise of an official authority, contractual obligation or legitimate interest, it may request the individual to consent to processing. When the individual gives consent to processing, the organization may also process certain personal data of the individual for the following purposes:

  • Residential address and e-mail address for the purposes of communication and notification,
  • The tax number or citizen’s personal identification number (EMŠO) for the purpose of forced execution in the event of failure to settle contractual obligations (e.g. non-payment of an invoice),
  • Photographs, videos, and other contents relating to the individual (e.g. recordings made at public events) for the purpose of compiling photo documentation and informing the public about the organization’s activities and work,
  • For any other purpose to which the individual gives consent.

When the individual wishes to withdraw the consent to the processing of personal data, they may request the termination of personal data processing by a written request to the e-mail address, or by a written request sent by regular mail to the address of the organization.

Processing is necessary in order to protect the vital interests of the data subject

The organisation may process the personal data of the data subject insofar as this is necessary to protect his or her vital interests. For example, the organisation may search for a personal document of the data subject, check whether that person exists in its database, examine his/her medical history or contact his/her relatives without the need for the consent of the data subject. The above applies in the case where it is strictly necessary to protect the vital interests of the individual.

Retention and erasure of personal data

The organization will retain your personal data only for as long as necessary for the realization of the purpose for which the personal data was collected and processed. The personal data which the provider processes on the basis of the law will be retained by the organization for the period provided by the law. In this respect, certain data will be retained for the duration of cooperation with the organization, while certain data must be retained permanently.

Personal data which the organization processes on the basis of a contractual relationship with the individual will be retained for the term of the contract and for 6 years after its termination, except in the event of a dispute arising between the organization and the individual in relation to the contract. In this event, the organization will retain the data for a period of 5 years from the date of finality of the court decision, or, in the absence of litigation proceedings, for 5 years from the date of amicable settlement of the dispute.

The personal data which the organization processes on the basis of the individual’s personal consent or legitimate interest will be retained by the organization until the individual’s revocation of this consent or until his request for erasure. The organization will erase the data within 15 days from the date of receipt of the revocation of consent or the request for erasure. The organization may erase the data before receiving the revocation if the purpose of processing has been met or when so stipulated by the law.

In exceptional cases, the organization may reject the request for erasure for the following reasons listed in the GDPR: for exercising the right of freedom of expression and information, for compliance with a legal obligation, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

After the expiry of the retention period, the controller will erase the personal data efficiently and permanently, and render them anonymous so they can no longer be linked to a certain individual.

Contractual processing of personal data and data transfer

The organization may entrust individual tasks relating to your data to other persons (contractual data processors). Contractual data processors may process confidential data only on behalf of the controller, within its authorizations (in a written agreement or other legal act) and pursuant to the purposes defined in this privacy policy.

The contractual data processors with whom the provider collaborates are:

  • accounting service and other providers of legal and business advice;
  • IT system maintainers;

The organization shall not forward your personal data to unauthorized third parties.

The contractual processors may only process personal data in accordance with the instructions of the organization, and they shall not use personal data to fulfil any of their own interests.

The organization as the data controller and its employees will not transfer personal data to third countries (outside the countries of the EEA area, EU member states, and Iceland, Norway and Liechtenstein) or international organizations, with the exception of the USA, wherein the relations with contractual processors from the US are governed by standard contract clauses (model contracts adopted by the European Commission) and/or binding corporate rules (adopted by the organization and approved by supervisory authorities in the EU).

Data protection and data accuracy

The organization shall ensure the information security and the safety of infrastructure (spaces and application system software). Our information systems are protected, inter alia, with antivirus software and firewall systems. Several technical and organizational security measures were put in place that are aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of processing. As regards the transfer of special categories of personal data, these data are communicated in encrypted and password-protected format.

It is your responsibility to ensure that the data is communicated to us safely and that the data is accurate and authentic. We will do our best to ensure that your personal data being processed is accurate and updated, if necessary, and will turn to you on occasion to confirm the accuracy of your personal data.

Rights of the data subject with regard to data processing

Under the GDPR, the data subject shall have the following rights:

  • You may request information whether we hold certain personal data on you and if we do, what data we have, what is the legal basis for having such data, and what the data are used for.
  • You may request access to your personal data which enables you to receive a copy of the personal data we hold relating to you and check whether data processing is legitimate.
  • You may request that we correct inaccurate personal data relating to you or refine them in view of the purposes of the processing.
  • You may request us to erase your personal data when there is no longer any need for processing for a specific purpose, or if you object to further processing.
  • You may object to further processing of the personal data, which relies on legitimate business interest (even in the event of a third person’s legitimate interest), when there are reasons related to your special position; notwithstanding the provisions of the previous sentence, you have the right to object if your personal data are processed for the purpose of direct marketing.
  • You may request us to limit the processing of your personal data, which means the termination of processing personal data relating to you, for example, if you wish us to determine the accuracy of data or verify the reasons for their further processing.
  • You may request that your personal data is transmitted to another controller in a structured electronic format, if this is possible and technically feasible.
  • You may withdraw the consent previously given for personal data collection, processing and transfer for a specific purpose; after receiving the notification that your consent has been revoked, we will terminate the processing of your personal data for the purposes that were originally approved, unless other legitimate legal basis exists for us to do that legally.

In order to exercise any of the rights stated above, send us a request to the e-mail address or by post to the organization’s address.

Access to your personal data or exercising your rights is free of charge for you. However, if your request is manifestly unfounded, repetitive or excessive, you will be charged reasonable costs. In such a case, your request can also be denied.


In the event of exercising your corresponding rights, we may have to request certain information from you which will help us confirm your identity, which is just a precautionary measure that ensures that personal data are not disclosed to unauthorized persons.

In order to exercise the rights under this title, you may use the form of the Information Commissioner, which can be downloaded from the website. Link:

If you believe your rights have been violated, you can contact the supervisory authority or the Information Commissioner for protection or assistance. Link:

Should you have any further queries regarding the processing of your personal data, do not hesitate to contact us.

Publication of amendments

Any amendment to the Personal Data Protection Policy will be published on our website. By using the website, the individual confirms that they accept and agree to the full content of this Personal Data Protection Policy.

The Personal Data Protection Policy was adopted by the management of the organization in November 2020.