About the Agency

Information on the Protection of Personal Data

About the Controller

Slovenian Research and Innovation Agency
Bleiweisova cesta 30
1000 Ljubljana
Slovenia
E-mail: GlavnaPisarna@aris-rs.si

Your personal data are processed in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as "GDPR"), the applicable national legislation on personal data protection (Personal Data Protection Act, Official Gazette of the Republic of Slovenia, No. 163/22, hereinafter referred to as "ZVOP-2") and other legislation providing a legal basis for the processing of your personal data.

The Slovenian Research and Innovation Agency (ARIS) is committed to a high standard of personal data protection. ARIS has adopted appropriate internal protection rules and control mechanisms to ensure an adequate level of protection and to prevent misuse or any unauthorised processing, i.e. Rules on Procedures and Measures for Ensuring the Security of Personal Data at the Slovenian Research and Innovation Agency, No. 007-9/2022-1, of 27 May 2022 and Rules on Procedures and Measures for the Operation and Maintenance of the IT Environment of the Slovenian Research and Innovation Agency, No. 007-15/2008-1, of 11 November 2008, as amended. Your personal data are thus carefully stored and protected by organisational, technical and logical-technical procedures and measures. ARIS requires the same security commitments from its processors. You can rest assured that we only work with trusted partners who will process your data with the highest level of security.

Data Protection Officer

Barbara Jankovič
E-mail: Barbara.Jankovic@aris-rs.si
Phone: 01 400 5964

Purpose and Legal Basis for the Processing of Personal Data

Your personal data shall only be processed by ARIS for the purposes for which they were collected and not for the purposes incompatible with those for which they were collected. ARIS shall collect only those personal data which are strictly necessary for the fulfilment of a specific purpose, in particular for the purposes of carrying out the public tasks set out in the Scientific Research and Innovation Activities Act (Official Gazette of the Republic of Slovenia, No. 186/21 and 40/23, hereinafter referred to as “ZZrID”) and in relevant by-laws in relation to Article 167 of the Rules on the Procedures for the (Co)financing and Assessment of Research Activities and on Monitoring the Implementation of Research Activities (Official Gazette of the Republic of Slovenia, No. 166/22, hereinafter referred to as “Rules on Procedures”) and to Article 47(5) of the Decision Establishing the Slovenian Research and Innovation Agency (Official Gazette of the Republic of Slovenia, No. 48/23), such as the Rules on the Register of Private Researchers (Official Gazette of the Republic of Slovenia, No. 12/05, 5/07, 84/08 and 186/21 – ZZrID), Rules on Procedures, and Rules on the Block Funding of Scientific Research Activities (Official Gazette of the Republic of Slovenia, No. 87/22 and 103/22, as amended). The legal basis for the processing of personal data is also provided by employment protection legislation, Protection of Documents and Archives and Archival Institutions Act (Official Gazette of the Republic of Slovenia, No. 30/06 and 51/14), and other relevant legislation.

Processing of personal data by ARIS shall take place when at least one of the following conditions is met where:

  1. processing is necessary for compliance with a legal obligation to which ARIS is subject, provided that the processing of personal data, the types of personal data to be processed, the categories of data subjects, the purpose of data processing, and the period for which the personal data will be stored or the period for a periodic review of the need to store are provided for by law;
  2. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in ARIS, under the same condition as applies to processing necessary to comply with a legal obligation to which ARIS is subject (see point a.). Notwithstanding the above condition, however, the processing of personal data strictly necessary for the exercise of the legal powers, tasks or obligations of the public sector may exceptionally be carried out in the case of the legal basis under consideration, provided that such processing does not prejudice the legitimate interests of the data subject;
  3. the data subject has given consent to the processing of their personal data for one or more specified purposes, if the law so provides, or otherwise on the basis of the consent, provided that the processing is not necessary for the exercise of the legal powers, tasks or obligations of the public sector;
  4. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  5. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  6. processing is necessary for the purposes of the legitimate interests pursued by ARIS, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. This legal basis shall not apply to processing carried out by ARIS in the performance of its public (official) tasks.

Personal data may also be processed in accordance with Article 9 of the GDPR.

Recipients, Categories of Recipients, and Processors of Personal Data

The processing of your personal data is strictly limited to those ARIS employees who strictly need to process your personal data in order to carry out their work tasks. All employees are committed to maintaining confidentiality and to respecting the protection of personal data. In certain cases, your personal data are processed by the processors with whom ARIS has concluded a written contract, by the competent official authorities and public authorities in the exercise of their legal powers, and by other persons who have a legal basis for obtaining and processing your personal data. In no case will ARIS transmit personal data to unauthorised third parties or to third countries, except in the cases provided for by law or regulation.

The processors shall process the data entrusted to them exclusively in the name and on behalf of ARIS, within the limits of the authorisation enshrined in a written contract or other legal act and in accordance with the purposes defined in the contract or legal act. The main contractual processors cooperating with ARIS are: IZUM, Špica International d.o.o., Zaslon Telecom d.o.o., Nova Vizija d.o.o., an undertaking providing e-infrastructure and services in the ARNES network, and STROKA PRODUKT d.o.o.

Transmitting Data to Third Countries or International Organizations

In cases where, in accordance with the legal rules, a proposal for research (co)funding is evaluated by a reviewer from a third country, ARIS shall transmit personal data to reviewers in third countries in accordance with the principle of data minimisation. ARIS shall ensure appropriate safeguards and shall only cooperate with reviewers from the third countries that ensure adequate protection of personal data.

In cases of (co)funding international research (e.g. Lead Agency), ARIS shall process personal data (e.g. ARIS is obliged to notify the Lead Agency that a proposal fulfils the entry requirements) in accordance with the rules on personal data protection and with the specific contracts concluded or other relevant (international) rules.

Types of Personal Data Not Obtained from the Data Subject

In accordance with the purposes and legal bases set out above, ARIS shall also collect personal data that have not been directly obtained from the data subject. ARIS shall only process such personal data where there is a legal basis for doing so (e.g. Article 56 of the ZZrID).

Period for Which the Personal Data Are Stored

The period for which personal data will be stored depends on the legal basis and the purpose of the processing of each category of personal data. Personal data shall be kept for as long as necessary for the fulfilment of the purpose for which they were collected or for the period required by law or regulation. Personal data processed by ARIS on the basis of your personal consent shall be stored by ARIS until the consent is withdrawn or for as long as necessary for the fulfilment of the purpose.

For the purpose of determining the storage period, the periods laid down by the regulations and the Classification Scheme of the Slovenian Research and Innovation Agency, No. 020-9/2023-1, of 2 June 2023 shall be taken into account. If the storage periods are not specifically laid down by the regulations, the storage shall be limited to the shortest possible period, taking into account the principle of proportionality. After the storage period has ended, personal data shall be erased, destroyed, blocked or anonymised, unless classified as archival materials on the basis of the law governing archives and archival materials or unless provided otherwise by law for specific types of personal data. ARIS may process certain personal data for scientific and historical research, statistical and archiving purposes, subject to the adoption of appropriate measures in accordance with the GDPR and ZVOP-2.


Rights of the Data Subject:

In accordance with the GDPR, ARIS shall grant you the right of access to personal data, the right to withdrawal of consent, the right to rectification, the right to erasure ("right to be forgotten"), the right to restriction of processing, the right to data portability, the right to object, and the right to lodge a complaint with the Information Commissioner, as detailed below.

Your rights in relation to personal data can be exercised:

  • orally on record, by prior appointment, during office hours from 9:00 to 12:00 and from 13:00 to 15:00 on Mondays to Thursdays, and from 9:00 to 12:00 and from 13:00 to 14:00 on Fridays;
  • in writing addressed to the Data Protection Officer indicated above or directly to ARIS. If you submit your request by electronic means, the information will be provided to you by electronic means where possible, unless you request otherwise.

In case you exercise your rights in relation to personal data, ARIS may request additional information necessary to confirm your identity.

ARIS shall respond to your request to exercise your rights in relation to personal data without undue delay an at the latest within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

All information provided as well as any communication and any actions relating to personal data protection shall be provided in a single copy free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, ARIS may either charge a reasonable fee taking into account the administrative costs of providing the information requested or refuse to act on the request.

Right of Access

You shall have the right to obtain from ARIS confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from ARIS rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with the Information Commissioner; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; (i) the appropriate safeguards, where personal data are transferred to a third country or to an international organisation.

Right to Withdrawal of Consent

You can withdraw your consent to the processing of your personal data at any time, just as easily as it was given. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Right to Rectification, Erasure (“Right to be Forgotten”) and Restriction of Processing

You shall have the right to request and obtain from ARIS without undue delay:

  1. the rectification of inaccurate personal data concerning you or, taking into account the purposes of the processing, the completion of incomplete personal data;
  2. the erasure of personal data concerning you, namely: where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; where the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing; where you object to the processing, which is necessary for the legitimate interests, for the performance of a task carried out in the public interest or in the exercise of official authority vested in ARIS, and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR (direct marketing); where the personal data have been unlawfully processed or where the personal data have to be erased for compliance with a legal obligation in the European Union or in Slovenia. ARIS shall not grant a request for erasure in the cases provided for in Article 17(3) of the GDPR;
  3. the restriction of personal data processing, namely: where the accuracy of your personal data is contested, for a period enabling ARIS to verify the accuracy of your personal data; where the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; where ARIS no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or where you have objected to processing pending the verification whether the legitimate grounds of ARIS override your grounds.

Right to Data Portability

You shall have the right to receive the personal data, which you have provided to ARIS, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, where: (a) the processing is based on consent or on a contract and (b) the processing is carried out by automated means.

In exercising your right to data portability, you shall have the right to have the personal data transmitted directly from ARIS to another controller, where technically feasible. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in ARIS. The right to data portability shall not adversely affect the rights and freedoms of others.

Right to Object

You shall have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is necessary for the legitimate interests pursued by ARIS or for the performance of a task carried out in the public interest or in the exercise of official authority. ARIS shall no longer process the personal data unless demonstrating compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case, the personal data shall no longer be processed.

Where personal data are processed for scientific or historical research purposes or statistical purposes you, on grounds relating your particular situation, shall have the right to object to processing of personal data concerning you, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Right to Lodge a Complaint with the Information Commissioner

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with the Information Commissioner, Dunajska cesta 22, Ljubljana, if you consider that the processing of personal data concerning you infringes the GDPR. The Information Commissioner shall inform you on the progress and the outcome of the complaint, including the possibility of a judicial remedy against the outcome of the complaint lodged.

Validity

ARIS reserves the right to amend or supplement the Information on the Protection of Personal Data. The Information shall be valid and applicable from 22 August 2024.