Privacy Policy

1. Introductory Provisions

These Rules on the Protection and Processing of Personal Data (hereinafter: the Rules) govern the protection and processing of personal data processed by the Contractor in the course of providing the application and related services to customers in a business-to-business (B2B) environment.

The Rules are prepared in accordance with:
• Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR),
• the Personal Data Protection Act (ZVOP-2),
• applicable labour legislation of the Republic of Slovenia,
• other applicable legislation of the European Union.

The Rules are publicly available on the Contractor’s website. Contracts, purchase orders or general terms and conditions of the Contractor may expressly refer to these Rules, in which case the Rules form an integral part thereof to the extent defined by the contract.


2. Definitions

Contractor means a legal or natural person providing the application and acting as a data processor in this context.
Customer means a business entity using the application and acting as the data controller.
Application means the information system solution of the Contractor.
Personal Data has the meaning defined in the GDPR.
Special Categories of Personal Data means the data referred to in Article 9 of the GDPR.
Audit Trail means an electronic record of access, viewing, modification and deletion of personal data within the application.


3. Roles in the Processing of Personal Data

(1) With regard to the personal data of the Customer’s employees:
– the Customer acts as the data controller,
– the Contractor acts as the data processor in accordance with Article 28 of the GDPR.

(2) The Contractor processes personal data solely on the basis of the Customer’s instructions and exclusively for the purpose of providing contractual services.


4. Data Controller and Data Processor

Data Processor (Contractor):
Kopa, računalniški inženiring d.d.
Kidričeva 14
2380 Slovenj Gradec
Slovenia
Phone: +386 2 88 39 700
Email: info@kopa.si

Data Controller:
Each Customer as specified in the respective contract.


5. Categories of Data Subjects and Types of Personal Data

5.1 Categories of Data Subjects

Employees and other individuals in an employment or comparable relationship with the Customer.

5.2 Types of Personal Data

The application may process the following personal data:
• identification and contact data,
• employment-related data,
• data on the use of the application,
• special categories of personal data within the meaning of Article 9 of the GDPR, lawfully maintained in the Customer’s HR records (e.g. health data, disability data, trade union membership).

The Contractor does not determine the content, purpose or lawfulness of such data.


6. Purpose of Processing

Personal data is processed solely for the purposes of:
• maintaining and managing the Customer’s records,
• ensuring the operation of the application,
• managing user access,
• ensuring information security,
• providing technical support and error resolution,
• fulfilling the Contractor’s contractual obligations.


7. Legal Basis

(1) The legal basis for the processing of personal data, including special categories of personal data, arises from:
• labour legislation,
• the legitimate interests of the Customer,
• the contract between the Contractor and the Customer,
• Article 9(2)(b) of the GDPR for special categories of personal data.

(2) The Customer, as the data controller, is responsible for ensuring the existence of an appropriate legal basis.


8. Obligations of the Contractor as Data Processor

The Contractor undertakes to:
• process personal data only in accordance with the Customer’s instructions,
• ensure that persons authorised to process personal data are bound by confidentiality,
• implement appropriate technical and organisational measures to protect personal data,
• ensure an audit trail of all access, viewing, modification and deletion of personal data within the application,
• allow the Customer access to audit records to a reasonable extent,
• notify the Customer without undue delay of any personal data breaches,
• delete or return personal data upon termination of the contractual relationship, unless otherwise required by law.


9. Sub-processors

The Contractor may use sub-processors solely for technical services (e.g. hosting, maintenance), provided that it:
• ensures that agreements pursuant to Article 28 of the GDPR are concluded,
• ensures an equivalent level of personal data protection,
• remains fully liable for the actions of its sub-processors.


10. International Transfers

Transfers of personal data to third countries or international organisations shall be carried out only where the conditions set out in Chapter V of the GDPR are met and where the Customer has been informed thereof in advance.


11. Rights of Data Subjects

Employees of the Customer exercise their rights in relation to the Customer as the data controller.
The Contractor provides reasonable assistance to the Customer in fulfilling these obligations.


12. Monitoring and Audit

The Customer has the right, upon prior notice and within a reasonable scope, to verify the Contractor’s compliance with these Rules, including the review of documentation and audit trails.


13. Relationship with Contracts

These Rules apply together with the contracts concluded between the Contractor and the Customer.
In the event of any inconsistency, the contractual provisions shall prevail if they impose stricter obligations on the Customer.


14. Amendments and Entry into Force

The Contractor reserves the right to amend these Rules. The current version is always published on the Contractor’s website.
These Rules enter into force on 1 January 2026. The Rules on the Protection and Processing of Personal Data apply when expressly referred to in the Contractor’s contracts or general terms and conditions.