3.2. Guest personal consent

• for direct marketing of the Company's products
• to inform individuals about special action offers
• for notification of sweepstakes
• to participate in surveys

Giving personal consent is completely voluntary and is not a condition for entering a contract. In these cases, the processing takes place in the context of a statement of the intended purpose and agreed means of communication, until cancellation.

4. IDENTIFICATION OF PERSONAL DATA

We want to earn and maintain your trust, so we handle your information with the utmost care. In principle, your personal data are processed only by our employees who are committed to confidentiality and are regularly educated and trained to handle data safely.

We do not share your personal information with anyone unless we are required to do so by law, if you explicitly allow us to do so or if you authorize a third party to provide your personal information, respectively.

Due to a legal obligation, we provide some information about your overnight stay to AJPES (Agency of Republic of Slovenia for Public Legal Records and Related Services) and (on basis of a reasoned written request) also to other state bodies, which require it for conducting specific procedures.

If necessary, we will authorize other companies and individuals to perform certain works that contribute to our services. In such a case, the company may also transfer personal data to such carefully selected external processors that will enter into a personal data processing agreement with the company, or in substance the same agreement or other binding document (hereinafter:  »processing contract«). For external processors, such data will be transmitted or made accessible only to the extent required by a specific purpose. Such data may not be used by external processors for any other purpose, meeting at least all the processing standards of personal data provided for in the applicable law. External processors are contractually committed to the company to respect confidentiality of your personal information.

5. PERSONAL DATA PROTECTION

We use strict security procedures to protect your personal information in order to protect it from accidental loss, destruction or misuse.

The premises of physical storage media, hardware and software are protected by organizational and technical measures that prevent unauthorized persons from accessing the data. The premises are locked and personal data lists are protected by passwords on the devices.

6. PERSONAL DATA STORAGE PERIOD

The data retention period is determined according to the category of individual data. The data shall be kept for as long as necessary to achieve the purpose for which they were collected or further processed or until the expiration of the limitation periods for fulfillment of the obligation or the statutory retention period.

For the purpose of fulfilling contractual obligations, the accounting data and the associated contact information on individuals may be kept until the full payment of the service or at the latest until the expiration of the limitation period in relation to an individual claim, which can be statutory from one to five years. Accounts are kept for 10 years after the expiration year to which the bill relates in accordance with the law governing value added tax.

Other information that we obtain on the basis of your consent is kept for duration of the business relationship and for 5 years after the termination, unless the law provides for a longer retention period. If the individual who gave his consent to the processing of personal data has not entered into a business relationship with us, his consent is valid for 2 years from the date of his or her cancellation.

After the expiry of the retention period, the data is deleted, destroyed, blocked or anonymized, unless the law specifies otherwise for the particular type of data.

7. INDIVIDUAL'S RIGHTS RELATING TO PERSONAL DATA PROCESSING

We provide the following rights regarding the processing of your personal information:

• right to access personal data: You may familiarize yourself with all of your personal data collected in connection with you and with their processing and verify its legality;
• right for correction or addition to personal data: will be corrected immediately or missing data will be filled in;
• right to delete personal information: without undue delay, we will delete personal information concerning you, to the extent permitted by applicable law (the information we need to perform the contract you have entered with us and the information we need to carry out our legal obligations, we will not be able to be deleted, despite your request);
• right to restrict processing of personal data: you can request that we restrict processing of your personal information (when you dispute the accuracy of personal information, when the processing is illegal, in cases where Kovego d.o.o. no longer requires your data to process, but you need to use it to enforce, execute or defend legal claims, or if you raised an objection to processing, based on the legitimate interests of the business until it is verified that our legitimate reasons outweigh your reasons);
• right to transfer personal data: You have the right to receive your personal information that you have provided in a structured, widely used and machine-readable form, and the right to forward this information to another controller without being hindered in case where the processing is based on your consent and is carried out by automated means. At your request, where technically feasible, personal data may be transferred directly to another controller.
• right of objection: You may also object to the processing of your personal data at any time when it is processed for direct marketing purposes, including the creation of profiles, if it is related to such direct marketing.