Personal Data Protection Policy

This Personal Data Protection Policy aims to inform individuals, service users, partners, employees and other people (hereinafter referred to as »individual«) working with ORA Krasa in Brkinov d.o.o. (hereinafter referred to as »organization«) about the purpose and legal basis of, and security measures and individuals’ rights in the processing of their personal data carried out by our organization.

We value your privacy and always carefully protect your data.

We process personal data in accordance with the European legislation (Regulation (EU) 2016/697 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; hereinafter referred to as General Regulation – GDPR), the national personal data protection legislation, and other regulations that provide us with the legal basis for the processing of personal data.

The Personal Data Protection Policy contains information on how our organization, as the controller, processes personal data received from an individual on the basis of legal grounds.

1. Controller

The personal data controller is the organization:
Ora Krasa in Brkinov d.o.o.
Partizanska c. 4, 6210 Sežana
Phone +386 5 73 44 362

2. Personal data

Personal data is any information about a specific or identifiable individual; an individual is deemed identifiable when they can be identified, directly or indirectly, in particular by reference to an identifier, such as name, ID number, location data, online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

3. Purposes and grounds for data processing

The organization collects and processes your personal data on the basis of the following legal grounds:

  • ­processing is necessary for compliance with the legal obligation to which the controller is subject;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • ­processing is necessary for the purpose of the legitimate interests pursued by the controller or by a third party;
  • ­the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • ­processing is necessary in order to protect the vital interests of the data subject or of another natural person.

3.1 Compliance with a legal obligation

Under the provisions of the law, the organization mainly processes data about its employees, which it is permitted to do by the labour and social welfare legislation. In compliance with its legal obligation, the organization mainly processes the following types of personal data: name and surname, sex, date of birth, citizen personal identification number (EMŠO), tax number, place, municipality and country of birth, nationality, place of residence etc., for employment purposes. The legal basis for processing personal data of individuals also comprises the Promotion of Tourism Development Act, the Identity Card Act, the Residence Registration Act, the Protection of Documentary and Archival Materials and Archives Act, and other legislation from relevant fields. In limited cases, processing of personal data by the organization is also permissible on the grounds of public interest. All the sectoral regulations in force in the field are collected on the website of the competent ministry:

3.2 Contract implementation

Any contract that you conclude with the organization represents a legal basis for processing personal data. We are permitted to process your personal data for the purpose of concluding and performing contracts, e.g. rental of business premises, consignment sale of products, organization of events and shows, preparation and implementation of tourist programs and other development and promotional projects, etc. If an individual fails to provide personal data, the organization will be unable to conclude the contract, and subsequently provide a service or deliver goods or other products pursuant to that contract due to not having the information necessary for its implementation. The organization can also use e-mail addresses of individuals and users of its services to inform them about its services, events, training courses, promotions and other news in the course of its legitimate activities. An individual may at any time request that such communication and personal data processing be terminated, and unsubscribe from messages through the link in the received message, or by sending a request by email to or regular mail to ORA Krasa in Brkinov d.o.o., Partizanska cesta 4, 6210 Sežana.

3.3 Legitimate interest

The organization may also process personal data on the grounds of the legitimate interest, which the organization strives to pursue. The latter is not permissible when the interests and fundamental rights of the data subject override the interest of the data controller. In the event of exercising legitimate interest, the organization shall always carry out a careful assessment under the General Regulation (GDPR). The processing of personal data of individuals for the purposes of direct marketing is considered to be done in the legitimate interest. The organization may process personal data of individuals collected from publicly available sources or in the course of lawful activities, also for the purposes of offering goods, services, employment, information about benefits, events, etc. To achieve these goals, the organization may use ordinary mail, telephone calls, e-mail, and other means of telecommunications. For the purposes of direct marketing, the organization may process the following personal data of individuals: name and surname of the individual, address of permanent or temporary residence, telephone number and e-mail address. The above-listed personal data may also be processed by the organization for the purposes of direct marketing without the express consent of the individual. An individual may at any time request that such communication and personal data processing be terminated, and unsubscribe from messages through the link in the received message, or by sending a request by email to or regular mail to ORA Krasa in Brkinov d.o.o., Partizanska cesta 4, 6210 Sežana.

3.4 Processing on the basis of consent

If the organization’s processing of the data is not based on the law, a contractual obligation or legitimate interests, it may ask an individual for their consent. With the individual’s consent, the organization may process certain personal data for the following purposes:

  • ­residential and email address for the purpose of informing and communicating;
  • photos, videos and other content connected with an individual (e.g. posting pictures of individuals on the organization’s website) for the purpose of documenting the activities and informing the public about the organization’s work and events;
  • ­other purposes, for which the individual gave their consent.

If an individual who gave their consent does not want their personal data to be further processed, they may at any time withdraw their consent by sending a request by email to or by regular mail to ORA Krasa in Brkinov d.o.o., Partizanska cesta 4, 6210 Sežana. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.

3.5 Processing is necessary in order to protect the vital interests of the data subject

The organization may process the personal data of the individual, when this is necessary to protect the vital interest of the data subject. This means that in case of emergency the organization may inspect the data subject’s identity document, check whether the data subject is entered in the organization’s database, study the data subject’s medical history and get in contact with the data subject’s relatives, for which the organization requires no further consent. The above only applies when such processing is crucial to protect the vital interests of the individual.

4. Retention and erasure of personal data

The organization will retain your personal data only for as long as necessary for the realization of the purpose for which the personal data was collected and processes. The personal data which the provider processes on the basis of the law will be retained by the organization for the period provided by the law. In this respect, certain data will be retained for the duration of cooperation with the organization, while certain data must be retained permanently. Personal data which the organization processes on the basis of a contractual relationship with the individual will be retained for the term of the contract and for 6 years after its termination, except in the event of a dispute arising between the organization and the individual in relation to the contract. In this event, the organization will retain the data for a period of 10 years from the date of finality of the court decision, or, in the absence of litigation proceedings, for 5 years from the date of amicable settlement of the dispute. Those personal data which the organization processes on the basis of the individual’s personal consent or legitimate interest will be retained by the organization until the individual’s revocation of this consent or until his request for erasure. The organization will erase the data within 15 days from the date of receipt of the revocation of consent or the request for erasure. The organization may erase the data before receiving the revocation if the purpose of processing has been met or when so stipulated by the law.

Exceptionally, the organization may reject the request for erasure for the following reasons listed in the General Regulation (GDPR): for exercising the right of freedom of expression and information, for compliance with a legal obligation, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims. After the expiry of the retention period, the organization must erase the personal data efficiently and permanently, and render them anonymous so they can no longer be linked to a certain individual.

5. Contractual personal data processing and output of data

The organization may entrust individual tasks relating to your data to contractual data processors. Contractual data processors may process confidential data only on behalf of the controller, within its authorizations (in a written agreement or other legal act) and pursuant to the purposes defined in this privacy policy.

The contractual data processors with whom the provider collaborates are:

  • accounting service and other providers of legal and business advice;
  • ­providers of infrastructure maintenance (video surveillance, security services);
  • ­providers of information system maintenance;
  • ­email, software and cloud service providers (e.g. Arnes, Microsoft, Google);
  • managers of social networks, online advertising and web analytics (Google, Facebook, Instagram, etc.)

The organization collects and processes personal data of individuals on the basis of legitimate interests (Article 6 (1f) of the General Regulation (GDPR). For the purposes of preparing individual offers, the organization outsources your personal data needed to prepare individual offers. The individual offer will be also forwarded to the organization, for information, with the purpose of assistance and possible additional adjustments in case of questions, ambiguities or desire to change the offer. Your data will not be used for further direct marketing without your explicit consent. Under no circumstances will the organization pass on the individual's personal data to other unauthorized third parties.

The contractual processors may only process personal data in accordance with the instructions of the organization, and they shall not use personal data to fulfil any of their own interests.

The organization as the data controller and its employees will not transfer personal data to third countries (outside the countries of the European Economic Area – EU member states, Iceland, Norway and Liechtenstein) or international organizations, with the exception of the USA, wherein the relations with contractual processors from the US are governed by standard contract clauses (model contracts adopted by the European Commission) and/or binding corporate rules (adopted by the organization and approved by supervisory authorities in the EU).

For the purpose of a better overview and control over contractual data processors, and orderliness of mutual contractual relations, the organization keeps a list of contractual data processors, which contains all specific contractual processors with whom the organization cooperates.

6. Cookies

The organization’s website uses cookies. Cookies are files that contain website settings. Websites save the cookies on the device used to access the web with the purpose of recognizing devices and settings that users selected for the access. Cookies allow websites to recognize whether the user has already visited the website in the past. Advanced apps use them to adjust individual settings. Cookies are controlled by the browser, and the user can at any time restrict or completely disable them.

Cookies are essential for providing a user-friendly online service. They are used to save data on the website’s status, collect statistics about users and visits, etc. Cookies also help us evaluate the effectiveness of our website’s design

Our organization’s website uses the following cookies:

1. Necessary cookies for the operation of the website  

Name of cookie
Lifetime Description
1 Year Stores user’s preferences
ASP.NET_SessionId Session duration Identifier of user session
.ASPXANONYMOUS 3 months Functional cookie
DotNetNukeAnonymous 1 hour Functional cookie
language 1 year Stores information regarding your language settings
ARRAffinitySameSite Session duration Functional cookie
ARRAffinity Session duration Functional cookie
CookieSettings 1 year Cookie settings
dnn_IsMobile Session duration Is the user browsing from a mobile device


2. Web analytics cookies

Name of cookie Lifetime Description
_ga 2 years Google Analytics
Used to distinguish between users and sessions
_gid 24h Google Analytics
Used to distinguish between users
_gat 10m Google Analytics
Used to throttle Google Analytics request rate
_gat_gtag_UA_56523543_1 1m Google Analytics
Used to regulate the speed of the request


Cookies saved by the browser can be disabled by the individual (instructions can be found on the web pages of each browser).

7. Data protection and data accuracy

The organization shall ensure the information security and the safety of infrastructure (spaces and application system software). Our information systems are protected, inter alia, with antivirus software and firewall systems. Several technical and organizational security measures were put in place that are aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of processing. As regards the transfer of special categories of personal data, these data are communicated in coded and password-protected format.

It is the individual’s responsibility to ensure that the data is communicated to us securely and that the data is accurate and authentic. The organization will strive to ensure that the individual’s personal data being processed is accurate and updated, if necessary, and will turn to the individual to confirm the accuracy of the given personal data.

8. Rights of an individual with regard to data processing

In accordance with the General Regulation (GDPR), an individual has the following rights regarding their personal data protection:

  • ­to request information whether we hold their personal data, and if we do, what data we have, what is the legal basis for having such data, and what the data are used for;
  • ­to request the access to their personal data which enables them to receive a copy of the personal data the organization has and check whether data processing is legitimate.zahteva lahko popravke osebnih podatkov, kot je popravek nepopolnih ali netočnih osebnih podatkov;
  • ­to request the correction of incomplete or inaccurate personal data;
  • ­to request the erasure of their personal data when there is no longer any need for its processing, or if the individual exercises their right to object to further processing;
  • to object to further processing of the personal data, which relies on legitimate business interest (even in the event of a third person's legitimate interest), when there are reasons related to an individual’s special position; the individual has the right to object if their personal data are processed for the purpose of direct marketing;
  • ­to request to limit the processing of their personal data, which means the termination of processing personal data, for example, if the individual wants the organization to determine the accuracy of data or verify the reasons for their further processing;
  • to request the transmission of their personal data in a structured electronic form to another controller, if possible and technically feasible.
  • to withdraw the consent previously given for personal data collection, processing and transfer for a specific purpose; after receiving the notification that the individual’s consent has been revoked the organization will terminate the processing of your personal data for the purposes that were originally approved, unless other legitimate legal basis exists for the organization to do that legally.

In order to exercise any of the rights stated above, the individual may send a request by e-mail to or by regular mail to ORA Krasa in Brkinov d.o.o., Partizanska 4, 6210 Sežana. The organization will respond to a request relating to an individual's rights without undue delay and in any case within one month of receiving the request. In the event that this deadline is extended (by a maximum of two additional months), taking into account the complexity and number of requirements, you will be notified.

Access to the individual's personal data or exercising your rights is free of charge for the individual. However, the organization may charge a reasonable fee if the data subject's request is manifestly unfounded or excessive, especially if repeated. In such a case, the organization may also reject the individual’s request. In the event of exercising the individual’s corresponding rights, the organization may have to request certain information from the individual which will help in confirming their identity, which is just a precautionary measure that ensures that personal data are not disclosed to unauthorized persons.

In order to exercise the rights under this title or if the individual believes that their rights have been violated, the individual can contact the supervisory body, i.e. the Information Commissioner, for support or assistance on the website:

If an individual has any queries regarding the processing of their personal data, they can always contact our organization via e-mail at or by regular mail to ORA Krasa and Brkinov d.o.o., Partizanska 4, 6210 Sežana.

9. Publication of amendments

Any amendment to the Personal Data Protection Policy will be published on the organization’s website: By using the website, the individual confirms that they accept and agree to the full content of this Personal Data Protection Policy.

The Personal Data Protection Policy was adopted by Aleš Vodičar, director of the organization, on 13 January 2022.

Projekt je sofinanciran v okviru Programa čezmejnega sodelovanja Slovenija-Italija 2007-2013 iz sredstev Evropskega sklada za regionalni razvoj in nacionalnih sredstev.  |  Progetto finanziato nell'ambito del Programma per la Cooperazione Transfrontaliera Italia-Slovenia 2007-2013, dal Fondo europeo di sviluppo regionale e dai fondi nazionali.