Terme Krka, d. o. o., Novo mesto (hereinafter referred to as Terme Krka), as a company controlled by Krka, d. d., Novo mesto commits to respecting all the rules that apply within the Krka Group.

Terme Krka’s commitment

Terme Krka commits to the secure and confidential processing of personal data of its employees, guests, contracting parties, website users and other interested persons, and furthermore ensure that the personal data is processed in a legal, fair and transparent manner – by respecting individuals’ rights.

Personal data protection policy

To put this commitment into action, Terme Krka adopted new Rules on the Protection of Personal Data, which is harmonised with the of the European Parliament and of the Council (General Data Protection Regulation, GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council) and other applicable legislation. The Rules, in conjunction with other internal regulations and measures, represent Krka Group’s policy with which we ensure that we will collect and process personal data for specific purposes and to the smallest extent necessary and store them only for the length of time necessary to fulfil the purpose for which they were collected.

Areas of use

Our policy applies to anyone who submits any personal data: Terme Krka guests, employees, job candidates, buyers, suppliers, etc.

Who is affected by this policy

Generally speaking, this policy applies to anyone we work with or who acts on our behalf and may occasionally need access to personal data. It must be followed by Terme Krka employees and employees of its subsidiary, as well as contractors, consultants and other external personal data processors.

Parts of the policy

We must also obtain and process personal data to be able perform our processes. This information includes any data that enables the identification of a person, such as: names, addresses, usernames and passwords, digital footprint, photographs, ID document numbers, special types of personal data, financial data, etc.

Our company collects this information in a transparent way and only with the full cooperation and awareness of the interested party. Once we have obtained this information, the following rules apply:

Our data will be:

• Obtained honestly and only for legal purposes,
• Accurate and up-to-date,
• Processed within legal and moral boundaries,
• Protected against any unauthorised or illegal access by internal or external parties.

Our data will not be:

• Informally forwarded,
• Stored for more than the determined time,
• Transferred to organisations or countries that do not have suitable rules on data protection,
• Communicated to any party that the owner of the data has not given consent to
  (except for the legal requirements of law enforcement authorities).

In addition to the appropriate handling of data, Terme Krka also have direct obligations to the people who own the data. In accordance with the General Data Protection Regulation (GDPR) and other applicable legislation relating to personal data protection, Terme Krka will, among other things:

• Enable any interested party to find out which pieces of their personal data we collect and for what purpose, how long we store them and whether we transfer them to anyone else, etc.;
• Enable any interested party to correct any of their incorrect personal data;
• Delete all personal data where the conditions for deletion are met, e.g. if you withdraw your personal consent;
• Initiate proceedings in cases of lost or damaged data or data at risk.

Activities

We are committed to perform activities such as the following for the protection of personal data:

• Restrict and supervise access to special types of personal data;
• Develop and perform transparent data collection procedures;
• Train employees to be able to perform personal and technical security precautions;
• Set up a safe network to protect personal data against cyber attacks;
• Establish clear procedures for reporting privacy violations or misuse of data;
• Include contract clauses or clear instructions on how we process personal data;
• Establish good data protection practices (clear desk and clear screen policy, document shredding, secure locking, data encryption, regular safety backups, access authorisations, etc.).

Terme Krka will adhere to the good data protection practices that apply to the Krka Group.

Our provisions concerning data protection are set out in the following documents:

• Special policy for personal data protection on the website;
• Rules on personal data protection, which define the personal data protection system in more detail;
• Appendix to the rules on the  General procedures on the protection and safeguarding of personal data, which includes a brief description of the technical and organisational measures for protecting personal data;
• Records of personal data processing – Descriptions of personal data databases.

Disciplinary consequences

All principles described in this policy must be strictly followed by all Terme Krka employees. Violations of the rules on data protection may result in disciplinary and other measures.

Authorised person

Krka has appointed an authorised person for personal data protection (DPO - Data Protection Officer). In addition to other tasks that are set out in the General Data Protection Regulation, one of the key tasks of the DPO is to establish and implement certain procedures and supervise all procedures that must be performed by Krka to exercise the rights of data subjects.

Terme Krka, d. o. o., Novo mesto

Novi trg 1

8000 Novo mesto

Saša Kos

E-mail: dataprotection.officer.TK@terme-krka.si

Rights of the data subject

You can send requests (for access, amendments, deletion and withdrawal of personal consent, limitation of processing, objection to processing and right to data portability) to us personally or in the form of a certified document, which ensures that the right person is exercising their right. Among the key objectives of the General Data Protection Regulation are also the protection of personal data against unauthorised access and ensuring the accuracy of the personal data, therefore data subjects must accept our identification requirements. Otherwise any person could request, for example, an extract or correction of the personal data, which could lead to an unauthorised disclosure or use of incorrect personal data.

When an data subject completes the online consent, they will also be able to withdraw their consent, whereby their identity is verified through an e-mail confirmation.

Each request by an individual will be dealt with and the appropriate procedures will be performed or we will notify them that this is not possible and state the reasons for this.

Requests should be sent to the above address.

Records of personal data processing

Terme Krka have identified all databases that contain data subjects’ personal data.

In the description of each personal data database (i.e. records of processing) we state:

• The legal basis for the processing of personal data;
• Categories of the individual to which the personal data refer;
• Types of personal data in the personal data database;
• Purpose of processing;
• Storage period of the personal data;
• Users or categories of users of the personal data in the personal data database;
• Whether the personal data is being transferred to a third country or an international organisation, where and to whom, as well as the legal basis of the transfer;
• General description of how the personal data is protected:
• Physical databases and the premises in which the personal data from the database is located;
• Transferring personal data between databases (interfaces);
• Who is the owner of the database and who has user rights for the job positions with access to the data;
• Contractual processors of the personal data;
• Records of transfers;
• Description of technical and organisational measures.