Data Protection
Privacy policy
The purpose of the privacy policy is to inform individuals, users of services, collaborators, employees, and other individuals (hereinafter referred to as "individuals") who interact with the public institution Tolmin Museum (hereinafter referred to as "the institution") about the purposes, legal bases, security measures, and rights of individuals regarding the processing of personal data carried out by the institution.
We value your privacy and always carefully protect your data.
We process your personal data in accordance with European legislation (Regulation (EU) 2016/697 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the "General Regulation")), Slovenian legislation on the protection of personal data, and other legislation that provides us with a legal basis for the processing of personal data.
The privacy policy contains information on how the institution, as the controller, processes personal data received from individuals on the basis of legal grounds.
1. Operator
The data operator is a public institution:
Tolminski muzej
Mestni trg 4
SI-5220 Tolmin
tel.: +386 05 381 13 60
e-mail: muzej@tol-muzej.si
www.tol-muzej.si
2. Data Protection Officer
In accordance with Article 37 of the General Data Protection Regulation, we have appointed the company as our Data Protection Officer:
DATAINFO.SI, d.o.o.
Tržaška cesta 85
SI-2000 Maribor
tel.: +386 02 620 4 300
e-mail: dpo@datainfo.si
www.datainfo.si
3. Personal Data
Personal data means any information relating to an identified or identifiable individual; an identifiable individual is one who can be directly or indirectly identified, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.
4. Purposes of Processing and Legal Bases for Processing Data
The institution collects and processes your personal data on the following legal bases:
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;
- the data subject has given consent to the processing of their personal data for one or more specific purposes;
- processing is necessary to protect the vital interests of the data subject or of another natural person.
4.1 Fulfillment of Legal Obligations
Based on the provisions of the law, the institution processes data on its employees, which is enabled by labor and social security legislation. The institution, based on legal obligation, processes the following types of personal data primarily for employment purposes: name, surname, gender, date of birth, personal identification number, tax number, place of birth, citizenship, residence, etc. The legal basis for processing individuals' personal data is also the Law on the Realization of Public Interest in Culture and other legislation in the field of culture. In limited cases, the processing of personal data is also permissible in the institution based on public interest. All applicable sectoral regulations are available on the website of the relevant ministry: https://www.gov.si/drzavni-organi/ministrstva/ministrstvo-za-kulturo/zakonodaja/
4.2 Contract performance
When an individual enters into a specific contract with the institution, it represents a legal basis for the processing of personal data. Personal data may be processed for the conclusion and performance of the contract, such as for donations, purchases of materials, etc. If an individual does not provide personal data, the institution cannot enter into the contract, nor can it provide the service or deliver goods or other products according to the concluded contract, as it does not have the necessary data to carry out the transaction. Based on the performance of its legal activities, the institution may inform individuals and users of its services of its services, events, education, and other content via their email addresses. Individuals may request to terminate such communication and processing of personal data at any time and unsubscribe from messages by clicking the unsubscribe link in the received message or by sending an email request to muzej@tol-muzej.si or regular mail to the institution's address.
4.3 Legitimate Interest
The institution may also process personal data based on its legitimate interests, for which it strives. This is not permitted when such interests are overridden by the interests or fundamental rights and freedoms of the individual whose personal data is being processed, which require the protection of personal data. In the case of using legitimate interest, the institution always carries out an assessment in accordance with the General Data Protection Regulation. Processing personal data of individuals for direct marketing purposes is considered to be carried out in legitimate interest. The institution may process personal data of individuals, which it has collected from publicly available sources or within the scope of legitimate activities, also for the purposes of offering goods, services, employment, informing about events, etc. To achieve these purposes, the institution may use regular mail, telephone calls, email, and other telecommunications means. For direct marketing purposes, the institution may process the following personal data of individuals: name and surname of the individual, permanent or temporary address, telephone number, and email address. The institution may process the aforementioned personal data for direct marketing purposes even without the explicit consent of the individual. The individual may demand the cessation of such communication and processing of personal data at any time and revoke receiving messages via the unsubscribe link in the received message or as a request via email to muzej@tol-muzej.si or by regular mail to the institution's address.
4.4 Processing based on consent
If the institute does not have a legal basis established by law, contractual obligation, or legitimate interest, it may request an individual's consent. In this way, it can process certain personal data of the individual for the following purposes when the individual gives their consent:
- Residential address and email address for communication purposes;
- Photographs, videos, and other content related to the individual (e.g. posting pictures of individuals on the institute's website) for documenting activities and informing the public about the institute's work and events;
- Other purposes for which the individual agrees with the consent.
If an individual gives consent for the processing of personal data and no longer wishes to do so at some point, they may request the termination of the processing of personal data by sending a request via email to muzej@tol-muzej.si or by regular mail to the institute's address. The revocation of consent does not affect the lawfulness of processing based on consent before its revocation.
4.5 Processing is necessary to protect vital interests
The institution may process an individual's personal data if it is necessary to protect their vital interests and the vital interests of others.
5. Storage and erasure of personal data
The institution will only keep personal data for as long as necessary to fulfill the purpose for which the data was collected and processed. If the institution processes data based on the law, it will be kept for the period specified by the law. Some data is kept for the duration of the individual's collaboration with the institution, while some data must be kept permanently. Personal data that the institution processes based on a contractual relationship with an individual will be kept for the period necessary to execute the contract and for an additional 6 years after its termination, unless there is a dispute between the individual and the institution regarding the contract. In such a case, the institution will keep the data for 10 years after the legal force of the court decision, arbitration or settlement, or if there was no legal dispute, for 5 years from the day of the peaceful resolution of the dispute. Personal data processed by the institution based on an individual's personal consent or legitimate interest will be kept until the consent is revoked or a request for deletion is made. Upon receipt of the revocation or request for deletion, the data is deleted no later than within 15 days. The institution may also delete this data before revocation, when the purpose of processing personal data has been achieved or if required by law.
In exceptional cases, the institution may refuse a request for erasure for reasons listed in the General Data Protection Regulation, such as exercising the right to freedom of expression and information, fulfilling the legal obligation to process, reasons of public interest in the field of public health, purposes of archiving in the public interest, scientific or historical research purposes, or statistical purposes, or for the exercise or defense of legal claims. After the storage period has expired, the institution must effectively and permanently delete or anonymize personal data so that it can no longer be linked to a specific individual.
6. Contractual processing of personal data and data transfer
The institution may entrust a data processor with the processing of personal data for specific purposes based on a contract for data processing. Data processors may only process the entrusted data on behalf of the controller, within the scope of their authorization, as defined in a written agreement or other legal act, and in accordance with the purposes defined in this privacy policy.
The data processors with whom the institution collaborates are primarily:
- accounting services and other providers of legal and business advice;
information system maintainers; - providers of email services and cloud software services (e.g. Arnes);
- providers of social networks and online advertising (Facebook).
Under no circumstances will the institution disclose an individual's personal data to unauthorized third parties. Data processors may only process personal data within the institution's instructions and may not use personal data for any other purposes.
As a controller, the institution and its employees do not transfer personal data to third countries (outside the European Economic Area - EU Member States, Iceland, Norway and Liechtenstein) and international organizations, except to the United States, where the relationships with data processors in the US are governed by standard contractual clauses (standard contracts adopted by the European Commission) and/or binding corporate rules (which are adopted by the institution and approved by supervisory authorities in the EU).
For the purpose of better oversight and control over data processors and the proper contractual relationship between them, the institution maintains a list of data processors that includes all specific data processors with whom the institution collaborates.
7. Cookies
The website of the institution operates with the help of so-called cookies. A cookie is a file that stores the settings of websites. Websites store cookies on users' devices that they use to access the internet in order to recognize individual devices and settings that users have used to access them. Cookies enable websites to recognize if a user has already visited a website. In advanced applications, individual settings can be appropriately adjusted with their help. Their storage is under the complete control of the browser used by the individual - it can limit or completely disable the storage of cookies as desired.
Cookies are essential for providing user-friendly web services. They are used to store data about the state of a particular web page, help collect statistics on users and website visits, etc. Cookies help us evaluate the effectiveness of the design of our website.
The institution's website uses the following cookies:
- tolmuz_zum, duration 1 year, function: determination of page zoom
- tolmuz_stil, duration 1 year, function: determination of page color combination
- tolmuz_kuki, duration 1 year, function: confirmation of cookie notice
Individuals can delete cookies stored by the browser (instructions can be found on the individual browser's website).
8. Data protection and data accuracy
The institution takes care of information security and infrastructure security (premises and application software). Among other measures, our information systems are protected by antivirus programs and a firewall. We have implemented appropriate organizational and technical security measures designed to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and from other unlawful and unauthorized forms of processing. In the case of providing special types of personal data, we encrypt them and protect them with a password.
Individuals are responsible for ensuring that they provide their personal data safely and that the data provided is accurate and credible. The institution will make an effort to ensure that the personal data it processes is accurate and, if necessary, updated. Occasionally, we may contact individuals to confirm the accuracy of their personal data.
9. Individual rights regarding data processing
In accordance with the General Data Protection Regulation, individuals have the following rights regarding personal data protection:
- The right to request information about whether we have their personal data, and if so, what data we have, on what basis we have it, and why we use it;
- The right to access their personal data, which enables them to receive a copy of the personal data that the institution has and verify that the institution is processing it lawfully;
- The right to rectify their personal data, such as correcting incomplete or inaccurate personal data;
- The right to erasure of their personal data when there is no reason for further processing or when they exercise their right to object to further processing;
- The right to object to further processing of personal data where the institution relies on legitimate business interest (including legitimate interest of a third party) where there are grounds relating to the individual's particular situation; individuals have the right to object at any time where the institution is processing personal data for direct marketing purposes.
- They can request information about whether we have their personal data and, if so, which data we have, on what basis we have it, and why we use it;
- They can request access to their personal data, which allows them to receive a copy of the personal data held by the institution and verify whether the institution is processing it lawfully;
- They can request corrections to their personal data, such as correction of incomplete or inaccurate personal data;
- They can request deletion of their personal data when there is no reason for further processing or when they exercise their right to object to further processing;
- They can object to the further processing of personal data where the institution relies on a legitimate business interest (including the legitimate interest of a third party) when there are reasons related to the individual's particular situation. The individual has the right to object at any time if the institution processes personal data for direct marketing purposes.
- They can request restriction of the processing of their personal data, which means the interruption of processing personal data, for example, if the individual wants the institution to verify the accuracy or to verify the reasons for further processing personal data;
- They can request transfer of their personal data in a structured electronic format to another controller, where this is feasible and technically possible;
- They can revoke their consent given for the collection, processing, and transfer of their personal data for a specific purpose; after receiving notice of the withdrawal of their consent, the institution will cease processing personal data for the purposes originally agreed, unless the institution has another lawful basis for doing so.
If an individual wants to exercise any of the above rights, they can send a request by email to muzej@tol-muzej.si or by regular mail to the address of the institution. The institution will respond to the request related to individual rights without undue delay and in any event within one month of receipt of the request. If the deadline is extended, considering the complexity and number of requests (for up to two additional months), you will be notified. Access to an individual's personal data and the rights claimed are free of charge. However, the institution may charge a reasonable fee if the request by the individual is manifestly unfounded or excessive, especially if it is repeated. In such cases, the institution may also reject the request. In the case of claiming rights under this title, the institution may need to request certain information from the individual that will help confirm the individual's identity, which is a security measure that ensures that personal data is not disclosed to unauthorized persons.
When asserting rights under this title, an individual can use the form provided by the Information Commissioner, which is available on their website.
If an individual believes that their rights have been violated, they can seek protection or assistance from the supervisory authority (Information Commissioner).
If an individual has any questions regarding the processing of their personal data, they can always contact our institution via email at muzej@tol-muzej.si or by regular mail to the address of the institution.
10. Publication of Changes
Any changes to our Privacy Policy will be published on the website of our institution: www.tol-muzej.si. By using the website, the individual confirms acceptance and agreement with the entire contents of this privacy policy.
The new privacy policy has been adopted by the Director of Tolmin Museum, Mag. Damjana Fortunat Černilogar, on January 26, 2022.
Tuesday - Friday: 9 a.m. - 4 p.m.
Saturday, Sunday,
Holiday: 1 p.m. - 5 p.m.
Monday closed
Closed also Nov 1, Dec 24, 25, 26, 30 and 31, Jan 1, 2 and Saturdays, Sundays in January and Febuary
individuals
adults 5 €
children, students, seniors 4 €
preschool children free
families with chidren up to 15 years 10 €
disabled person
and personal assistant free
groups
adults 6 €
children, students, seniors 5 €
disabled persons 30 % discount
Tolmin museum, temporary exhibition
individual free
guided group (10 or more people) 3 €
disabled persons: 30 % discount