Protecting your privacy is important to us. With this information, we want to help you understand which of your personal data we collect, why we collect it, how we use it, which processing procedures we carry out, and what your rights are and how you can exercise them.
The purpose of the Personal Data Protection Policy is to inform individuals, users of services, partners, employees, and other persons (hereinafter: "individual") who cooperate with the Public Institute Notranjska Regional Park (hereinafter: "organization") about the purposes, legal bases, security measures, and rights of individuals regarding the processing of personal data carried out by our organization.
We value your privacy, which is why we always carefully protect your data.
We process personal data in accordance with European legislation (Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: "General Regulation")), applicable Slovenian legislation in the field of personal data protection, and other legislation that provides us with a legal basis for the processing of personal data.
The Personal Data Protection Policy contains information on how our organization, as the controller, processes personal data received from an individual on the basis of valid legal grounds.
1. Controller
The controller of personal data is the organization:
- Public Institute Notranjska Regional Park
- Address: Tabor 42, 1380 Cerknica
- Email: info@notranjski-park.si
- Telephone: (01) 70 90 636
2. Data Protection Officer
In accordance with Article 37 of EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, we appointed a public employee, Tjaša Sterle, as the Data Protection Officer. She can be contacted via email at tjasa.sterle@notranjski-park.si, by regular mail at Notranjski regijski park, Tabor 42, 1380 Cerknica, marked "for DPO", or by telephone at +386 (41) 702 078.
3. Personal Data
Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
4. Purposes and Legal Bases for Data Processing
The organization collects and processes your personal data on the following legal bases:
- processing is necessary for compliance with a legal obligation applicable to the controller;
- processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;
- the data subject has consented to the processing of his or her personal data for one or more specific purposes;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person.
4.1 Compliance with Legal Obligation
Based on legal provisions, the organization processes data about its employees, as permitted by labor and social legislation. For employment purposes, the organization processes, among others: first and last name, gender, date of birth, personal identification number, tax number, place, municipality, and country of birth, nationality, residence, etc. The legal basis also includes the Public Sector Salary System Act, the Public Employees Act, and the Collective Agreement for the Environmental and Spatial Sector – tariff section. In limited cases, processing of personal data may also be allowed on the basis of public interest.
4.2 Contract Performance
When an individual concludes a contract with the organization, this contract serves as the legal basis for data processing. Personal data may be processed for concluding and performing the contract, such as ticket sales, subscriptions, guided experiences, guiding services, reservations, and tours, etc. Without providing personal data, the organization cannot conclude the contract or provide services, products, or deliveries.
The organization may, based on its lawful activity, notify individuals and service users by email about its services, events, trainings, offers, and other content.
Individuals may request to stop such communications and withdraw their consent at any time via the unsubscribe link in the message, by email at info@notranjski-park.si, or by regular mail to the organization’s address (Notranjski regijski park, Tabor 42, 1380 Cerknica).
4.3 Legitimate Interest
The legal basis of legitimate interest is limited for processing by public authorities when performing their tasks. However, the organization may process personal data on the basis of legitimate interest in a limited scope, provided that such interest does not override the rights and freedoms of individuals. In such cases, the organization always carries out an assessment in accordance with the General Regulation.
Thus, individuals may occasionally be informed about services, events, trainings, subscription offers, and other content via email, phone calls, or postal mail.
Individuals may request to stop such communications and withdraw their consent at any time via the unsubscribe link in the message, by email at info@notranjski-park.si, or by regular mail to the organization’s address (Notranjski regijski park, Tabor 42, 1380 Cerknica).
4.4 Processing Based on Consent
If the organization has no other legal basis, it may request the consent of the individual. Based on consent, the organization may process personal data for the following purposes:
- residential address and email address for communication and notifications;
- photographs, videos, and other content related to the individual (e.g., publishing photos on the organization’s website) for documenting activities and informing the public;
- other purposes with the individual’s explicit consent.
Consent may be withdrawn at any time via the same channels; withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Individuals may request to stop such communications and withdraw their consent at any time via the unsubscribe link in the message, by email at info@notranjski-park.si, or by regular mail to the organization’s address (Notranjski regijski park, Tabor 42, 1380 Cerknica).
4.5 Processing Necessary to Protect Vital Interests
The organization may process personal data when necessary to protect the vital interests of the individual. In urgent cases, the organization may check identification documents, verify data in its database, review medical history, or contact relatives, without requiring the individual’s consent.
5. Retention and Deletion of Personal Data
The organization retains personal data only as long as necessary to fulfill the purpose for which they were collected. Legal obligations determine retention for statutory periods. Some data must be kept permanently.
- Contract-based data: retained for the duration of the contract plus 6 years, or 10 years in case of disputes.
- Consent- or legitimate-interest-based data: retained until withdrawal or request for deletion (deleted within 15 days after such request).
Exceptionally, requests for deletion may be denied for reasons such as freedom of expression, legal obligations, public health, research, or legal claims. After the retention period, data must be permanently deleted or anonymized.
6. Contractual Processing and Data Transfers
The organization may entrust contractual processors with data processing under written contracts. They may process data only within the scope of the organization’s instructions.
Processors include:
- accounting services and other legal/business consultants;
- infrastructure maintainers (video surveillance, security services);
- IT system maintainers;
- email service providers and cloud/software providers (e.g., Arnes, Microsoft, Google, Mailchimp, Meta);
- social media and online advertising providers (Google, Meta, LinkedIn, etc.).
The organization maintains a list of processors. Data is not transferred outside the EEA, except to the USA, where standard contractual clauses or binding corporate rules apply.
7. Cookie Policy
The organization’s website uses cookies to store user settings and improve functionality. Cookies enable recognition of returning users, adjusting website settings, collecting statistics, and assessing design effectiveness.
More information is available in the Cookie Policy: https://notranjski-park.si/en/cookies
Users can delete cookies via their browser settings.
8. Video Surveillance
The organization uses video surveillance to monitor entries and exits, protect individuals (users, employees, visitors), and safeguard property. Surveillance may also be used for detecting or resolving incidents, crimes, or claims. Recordings are kept for 7 days. Surveillance does not allow unusual further processing or sound intervention.
Authorized persons may view live footage.
More information is available from the organization’s contact details or the Data Protection Officer.
9. Data Security and Accuracy
The organization ensures IT and infrastructure security with antivirus software, firewalls, and organizational/technical measures to prevent unauthorized access, disclosure, alteration, or destruction. Special categories of personal data are transmitted in encrypted and password-protected form.
Individuals are responsible for providing accurate and secure data. The organization strives to ensure data is accurate and may occasionally request confirmation of accuracy.
10. Rights of Individuals
In accordance with the General Regulation, individuals have the right to:
- request information on whether their personal data is processed and why;
- access their personal data (obtain a copy);
- request corrections;
- request deletion;
- object to processing based on legitimate interest or for direct marketing;
- request restriction of processing;
- request data portability;
- withdraw consent at any time.
Requests may be submitted via email at info@notranjski-park.si or by post to the organization’s address. The organization will respond without undue delay, and within one month. Extensions (up to 2 months) are possible in complex cases.
Exercising rights is free of charge, unless requests are manifestly unfounded or excessive. For security reasons, the organization may request identity verification.
Complaints may be submitted to the supervisory authority:
Information Commissioner (https://www.ip-rs.si/).
11. Publication of Changes
Any changes to this policy will be published on the organization’s website: www.notranjski-park.si. By using the website, individuals confirm acceptance of the policy.
The Personal Data Protection Policy was adopted by the CEO of the organization in 2025.