Gameart’s Privacy Policy

Last Updated: 26/01/2023

The purpose of the Personal Data Protection Policy is to inform individuals, users of services, colleagues, employees and other persons (hereinafter: “an individual”) who cooperate with GAMEART računalniško programiranje d.o.o. (hereinafter: “the company”) about the purposes, legal bases, security measures and rights of individuals with regard to personal data processing performed by our company.

We value your privacy, so we always carefully protect your data.

We process personal data in accordance with the European legislation (Regulation (EU) 2016/697 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter: “the General Regulation”)), the current Slovenian legislation in the field of personal data protection and other legislation, which gives us the legal basis for processing of personal data.

The personal data protection policy contains information on how our company, as the controller, processes personal data received from individuals on the basis of legal grounds.

1) Controller

Personal data controllers are the following companies:

GAMEART računalniško programiranje d.o.o.

Cesta 25. junija 1B, Kromberk, Nova Gorica

e-mail: security@gameart.net

telephone: +386 (0) 5 903 5 801



GameArt Limited

4th Floor, Kingsway Palace

Republic Street

1115, Valletta

Malta

e-mail: security@gameart.net



2) Personal data protection officer

Pursuant to the provisions of Article 37 of the General Regulation, we have appointed the following company as the personal data protection officer:

DATAINFO.SI, d.o.o.

Tržaška cesta 85, SI-2000 Maribor

www.datainfo.si

e-mail: dpo@datainfo.si

telephone: +386 (0) 2 620 4 300



3) Personal data

Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.



4) Processing purposes and data processing bases

The Company collects and processes your personal data on the following legal bases:

­ – processing is necessary to fulfil a legal obligation applicable to the controller;

­ – processing is necessary for the performance of a contract to which the data subject is a contracting party, or for the implementation of measures at the request of the data subject prior to the conclusion of the contract;

­ – processing is necessary due to legitimate interests, pursued by the controller or a third party;

­ – the data subject has consented to the processing of their personal data for one or more specified purposes;

­ – processing is necessary to protect the vital interests of the data subject or other natural persons.



4.1) Compliance with legal obligations

Based on the provisions of the law, the company processes data about its employees, which is allowed by the labour and social welfare legislation. Based on the legal obligation for the purposes of employment, the company mainly processes the following types of personal data: name, surname, tax number, PIN (EMŠO), place and date of birth, address, address from which the employee arrives to work, e-mail address, landline and/or mobile phone number, skype address, information on previous professional experience, bank account number, information on your state of health and dependent family members, job, title/level of education, job code, tariff grade, pay grade, information on assigned and used annual leave, information from working time records, information about business trips, date of employment and other information that you provide with your resume.



4.2) Implementation of the contract

If an individual enters into a contract with the company, this constitutes a legal basis for personal data processing. Personal data may thus be processed for the purpose of concluding and implementing a contract, such as the sale of goods and services, membership in benefit clubs, participation at events, trainings, promotions, etc. If an individual does not provide personal data, the company cannot conclude the contract, nor can the company perform the service or deliver the goods in accordance with the concluded contract. Based on the performance of a legitimate activity, the company can inform data subjects and users of its services via e-mail about its services, events, trainings, offers and other content. An individual may at any time request the termination of such communication and personal data processing and cancel the receipt of messages via the unsubscribe link in the received message or through a request by e-mail to security@gameart.net or by regular mail to Cesta 25. junija 1B, Kromberk, 5000 Nova Gorica.



4.3) Legitimate interest

The company may also process personal data on the basis of the legitimate interest it pursues. The latter is not admissible where such interests outweigh the interests or fundamental rights and freedoms of a data subject which require the protection of personal data. In case of use of legitimate interest, the company always conducts an assessment in accordance with the General Regulation. The processing of personal data of data subjects for direct marketing purposes is regarded as carried out for a legitimate interest. The company may process personal data of data subjects, collected from publicly available sources or within the framework of the legitimate performance of activities, also for the purposes of offering goods, services, employment, informing about benefits, events, etc. To achieve these purposes, the company may use ordinary mail, telephone calls, e-mail and other means of telecommunication. For the purposes of direct marketing, the company may process the following personal data of data subjects: first and last name of an individual, address of permanent or temporary residence, telephone number and e-mail address. The company may process such personal data for direct marketing purposes without an explicit consent of an individual. An individual may at any time request the termination of such communication and personal data processing and cancel the receipt of messages via the unsubscribe link in the received message or through a request by e-mail to security@gameart.net or by regular mail to Cesta 25. junija 1B, Kromberk, 5000 Nova Gorica.



4.4) Processing on the basis of consent or agreement

Insofar as the company does not have a legal basis demonstrated on the basis of law, contractual obligation or legitimate interest, it may ask an individual for consent or agreement. Thus, it may also process certain personal data of an individual for the following purposes, given the individual’s consent:

­ – residential address and an e-mail address for the purposes of information and communication;

­ – photos, video recordings and other content relating to an individual (e.g. publication of images of data subjects on the company’s website) for the purposes of documenting activities and informing the public about the company’s work and events;

­ – other purposes for which an individual grants consent.

If an individual agrees to the processing of personal data and at some point wishes to withdraw their consent, an individual can request the termination of personal data processing by e-mail to security@gameart.net or by regular mail to Cesta 25. June 1B, Kromberk, 5000 Nova Gorica. Withdrawal of consent will not affect the processing lawfulness on the basis of consent prior to its revocation.



4.5) Processing is necessary for the protection of the data subject’s vital interests

The company may process personal data of a data subject in so far as it is necessary for the protection of their vital interests. In urgent cases, the company may search for an individual’s personal document, check whether this person exists in its database, examine the medical history or establish contact with the relatives, for which the company does not need the data subject’s consent. The above applies in cases where this is absolutely necessary to protect the vital interests of an individual.



5) Retention and deletion of personal data

The company will only store personal data for as long as it is necessary for the realisation of the purpose for which the personal data was collected and processed. If the company processes the data on the basis of the law, it will store the data for the period prescribed by the law. In doing so, some data is stored for the period of cooperation with the company, and some data must be kept permanently. Personal data, processed by the company on the basis of a contractual relationship with an individual, is to be kept by the company for the period necessary for the execution of the contract and for 6 years after its termination, except in cases where a dispute arises between an individual and the company. In such event, the company must keep the data for 10 years after the finality of the court decision, arbitration or court settlement or, if there was no court dispute, for 5 years from the date of amicable dispute resolution. Personal data, processed by the company on the basis of an individual’s personal consent or on the basis of legitimate interest will be retained by the company until the withdrawal of consent or the request to delete the data. Upon receipt of a revocation or deletion request, the data is to be deleted within 15 days at the latest. The company may delete such data even before the revocation, if the purpose of the personal data processing has been achieved or if stipulated by law. Exceptionally, the company may refuse a request for deletion for reasons referred to in the General Regulation, such as: exercise of the right of freedom of expression and information, compliance with the legal obligation of processing, reasons of public interest in the area of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, exercise or defence of legal claims. After the retention period, the company must effectively and permanently delete or anonymise personal data, so that it can no longer be associated with a particular individual.



6) Contractual processing of personal data and data output

The company can entrust individual processing of personal data to a contractual processor on the basis of a contractual processing agreement. Contractual processors can process confidential data exclusively on behalf of the controller, within the limits of the controller’s authority, which is laid down in a written contract or other legal document, and in accordance with the purposes defined in this privacy policy. Contractual processors with whom the company participates, are mainly:

­ – accounting services and other legal and business consulting providers;

­ – infrastructure maintenance workers (video surveillance, security services);

­ – IT system maintenance workers;

­ – e-mail service providers and software providers, cloud services (e.g. Arnes, Microsoft, Google);

­ – providers of social networks and online advertising (Active Campaign, Google, Facebook, Instagram, etc.).

For the purposes of better inspection and supervision of contractual processors and the regulation of a mutual contractual relationship, the company also manages a list of contractual processors, where all the contractual processors, with which the company cooperates, are listed.

Under no circumstances will the company provide personal data of individuals to any unauthorised third parties. Contract processors may only process personal data within the framework of the company’s instructions and may not use personal data for any other purpose.

As a controller, the company and its employees do not export personal data to third countries (outside the member states of the European Economic Area – EU members and Iceland, Norway and Liechtenstein) and to international organisations, except in the USA, whereby relations with contract processors from the USA are regulated on the basis of standard contractual clauses (standard contracts adopted by the European Commission) and/or binding business rules (adopted by the company and approved by supervisory authorities in the EU).



7) Cookies

The company’s website operates with the help of so-called cookies. A cookie is a file that saves web page settings. Websites store cookies on users’ devices with which they access the internet in order to identify individual devices and the settings used to access the website. Cookies allow websites to recognise if the user has already visited the website. With advanced applications, cookies can aid in adjusting individual settings. Their storage is entirely controlled by the browser an individual is using – they can limit or completely disable the storage of cookies as desired. Cookies are of fundamental importance for providing user-friendly online services. They are used to store information about the state of an individual website, help collect statistics about users and website visits, etc. We use cookies to evaluate the effectiveness of our website design.

The website uses the following cookies:

Cookie – Time Duration – Function

_ga – 2 years – The main cookie used by Google Analytics, enables the service to distinguish one visitor from another.

_gid – 24 hours – Registers a unique ID that is used to generate statistical data on how the visitor uses the website.

_gat – 1 minute – This cookie is used for Google Analytics to throttle request rate.

Cookies saved by the browser can be deleted by an individual (instructions can be found on the websites of individual browsers).



8) Data protection and data accuracy

The company takes care of information and infrastructure security (on premises and through system software). Our information systems are protected by anti-virus programs and a firewall, among other things. We have implemented appropriate organisational and technical security measures aimed at protecting personal data against accidental or illegal destruction, loss, modification, unauthorised disclosure or access, as well as against other illegal and unauthorised forms of processing. If specific types of personal data are provided, they are transmitted in an encrypted form and protected by a password.

Data subjects are responsible for providing their personal data in a secure manner and for the accuracy and authenticity of the data provided. The company will make every effort to ensure that the personal data it processes is accurate and, if necessary, updated, and from time to time we may also contact the individual to confirm the accuracy of their personal data.



9) Individual’s rights regarding data processing

In accordance with the General Regulation, an individual has the following personal data protection rights:

­ – to request information about whether we have their personal data and, if so, what data we have, on what basis and why we use such data;

­ – to request access to their personal data, which allows an individual to receive a copy of the personal data held by the company and to check whether the company is processing it legally;

­ – to request the correction of personal data, for example, a correction of incomplete or inaccurate personal data;

­ – to request the deletion of their personal data when there is no reason for further processing or when an individual exercises the right to object to further processing;

­ – to object to further personal data processing when the company refers to a legitimate business interest (even in the case of a third party’s legitimate interest), when there are reasons related to an individual’s special situation; the individual has the right to object at any time if the company processes personal data for direct marketing purposes;

­ – to request personal data processing restriction, which means an interruption of personal data processing, for example, if an individual wants the company to establish the accuracy or to check the reasons for further personal data processing;

­ – to request the transfer of their personal data in a structured electronic form to another controller, as far as this is possible and feasible;

­ – to revoke the consent or agreement given to collecting, processing and transfer of their personal data for a specific purpose; upon receiving notice that the consent has been withdrawn, the company will cease processing such personal data for the purposes for which it was originally accepted, unless the company has no other legitimate basis for doing so lawfully.



If an individual wishes to exercise any of the aforementioned rights, they may send a request by e-mail to gameart.dpo@gdplink.si or by regular mail to Cesta 25. junija 1B, Kromberk, 5000 Nova Gorica. The company will respond to a request relating to the rights of an individual without undue delay and in any case within one month of receiving the request. You will be duly informed in case this deadline is extended (by a maximum of two additional months), due to the complexity and number of requests. Data subjects may freely access their personal data and assert their rights. However, the company may charge a reasonable fee if a data subject’s request is manifestly unfounded or excessive, in particular if it is repeated. In such a case, the company may also reject the request. In case of exercising the rights under this title, the company may have to request certain information from an individual that will help the company confirm the identity of the individual, which is only a security measure to ensure that personal data is not disclosed to unauthorised persons.

When exercising the rights under this title, an individual can use the Information Commissioner’s form, available on their website. Link to: https://www.ip-rs.si/fileadmin/user_upload/doc/obrazci/ZVOP/Zahteva_za_seznanitev_z_lastnimi_osebnimi_podatki.docx.

If an individual believes that their rights have been violated, they may contact the supervisory authority (Information Commissioner) for protection or assistance. Link to: https://www.ip-rs.si/varstvo-osebnih-podatkov/pravice-posameznika/vlo%C5%BEitev-prijave.

If an individual has any questions regarding the processing of their personal data, you can always contact our company by e-mail at security@gameart.net or by regular mail to Cesta 25. junija 1B, Kromberk, 5000 Nova Gorica.

10) Publication of changes

Any change to our Privacy Policy will be published on the company’s website at: www.gameart.net (https://gameart.net/gamearts-privacy-policy/). By using the website, an individual confirms to accept and agree with the entire content of this Personal Data Protection Policy.



GAMEART d.o.o. and GameArt Limited