Information on the protection of personal data

Information about the operator 

The Slovenian Research and Innovation Agency
Bleiweisova cesta 30
1000 Ljubljana
Email: GlavnaPisarna@aris-rs.si

The Slovenian Research and Innovation Agency (hereinafter: ARIS) processes your personal data in accordance with the GDPR and the applicable legislation on the protection of personal data (Personal Data Protection Act, Official Gazette of the Republic of Slovenia, Nos. 163/22 and 40/25 – ZInfV-1, hereinafter: ZVOP-2) and other legislation which provides ARIS with the legal basis for processing personal data.

ARIS is guided by high standards of personal data protection, and to ensure an appropriate level of protection, ARIS has adopted internal data protection rules and control mechanisms designed to prevent misuse or any unauthorised processing of data.

Data Protection Officer

Damjana Bogataj Demšar
Email: Damjana.Bogataj-Demsar@aris-rs.si
Tel.: (01) 555 53 81

Marjeta Janežič
Email: Marjeta.Janezic@aris-rs.si
Tel.: (01) 400 59 89

Cookies

Information regarding the processing of data relating to visits to the ARIS website can be found in the Cookie Policy.

Purpose of processing and legal basis for the processing of personal data

ARIS processes individuals’ personal data primarily for the following purposes:

  • management of the General Terms and Conditions of Use of ARIS websites
    and the processing of data and communication with users for the purposes of registration and providing the necessary support to users on websites managed by ARIS;
  • in connection with the organisation of public tenders or public calls for proposals regarding the co-funding of scientific research and innovation activities, the maintenance of personal data files, and for the performance of the tasks and purposes defined by the Scientific Research and Innovation Activities Act (Official Gazette of the Republic of Slovenia, Nos. 186/21, 40/23, 102/24 and 40/25; hereinafter: ZZrID), subordinate legislation and ARIS’s founding documents;
  • maintaining databases in accordance with ZZrID;
  • handling various customer enquiries and communicating with customers;
  • providing support for the operation of ARIS’s expert bodies;
  • contacting potential reviewers and liaising with reviewers who express an interest in collaborating with ARIS;
  • carrying out recruitment procedures and communicating with job applicants;
  • the organisation and running of various meetings, training sessions or events, and for the purposes of public information;
  • conducting public procurement procedures, concluding and implementing contracts for the supply of goods or services;
  • managing documentary material, including the storage of documentary and archive material;
  • ensuring the efficient and secure operation of the ARIS online systems and providing support to users;
  • monitoring and exercising oversight, in particular with regard to the lawful and appropriate use of the financial resources allocated for the implementation of scientific research and innovation activities which it co-funds;
  • implementing requirements relating to access to information of public interest;
  • ensuring that individuals’ rights are upheld in accordance with data protection legislation;
  • sending e-newsletters and providing information about events, calls and updates, where individuals voluntarily subscribe to them on the website;
  • cooperating with state authorities or other bodies exercising public powers;
  • providing explanations or answers should individuals contact ARIS with any questions or suggestions.

ARIS will process personal data on one of the following legal bases:

  • if the processing is necessary to comply with a legal obligation to which ARIS is subject, provided that the processing of personal data, the types of personal data to be processed, the categories of individuals to whom such personal data relate, the purpose of their processing, and the retention period for personal data or the period for regularly reviewing the need for retention are determined by law;
  • if the processing is necessary for the performance of tasks carried out in the public interest or in the exercise of official authority vested in ARIS, subject to the same conditions as apply to processing necessary for compliance with a legal obligation to which ARIS is subject (see the previous indent). Notwithstanding the aforementioned condition, however, in the case of the legal basis in question, personal data that is strictly necessary for the exercise of legitimate powers, tasks or obligations of the public sector, provided that such processing does not infringe upon the legitimate interests of the data subject;
  • where an individual has given consent to the processing of their personal data for one or more specified purposes, where such a possibility is provided for by law, or otherwise on the basis of consent, provided that this does not involve the exercise of statutory powers, tasks or public sector obligations;
  • where the processing of personal data is necessary for the performance of a contract to which the data subject is a party, or for the implementation of measures taken at the request of that data subject prior to entering into a contract;
  • where processing is necessary to protect the vital interests of the data subject or of another natural person;
  • where processing is necessary for the legitimate interests pursued by ARIS, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. The legal basis referred to does not apply to processing carried out by ARIS in the performance of its public (regional) duties.

Types of personal data and the collection of personal data

ARIS collects only such personal data that is strictly necessary to fulfil a specific purpose, namely, primarily for the purposes of carrying out ARIS’s public duties and the purposes set out in Article 55 of ZZrID, and for the implementation of the subordinate legislation listed on the ARIS website. Certain categories of personal data that may be processed in relation to you are specified in other regulations, for example where such processing is required under labour law, public procurement regulations, regulations on administrative procedures and the management of documentary and archive material, regulations on the protection of personal data, etc.

ARIS usually obtains your personal data directly from you. In certain cases, as specified by regulations, personal data may also be obtained from official databases, which are maintained in the Republic of Slovenia by authorised bodies and organisations, where such data collection is provided for by regulations. ARIS may also obtain personal data from other parties (e.g. research organisations, service providers, etc.), provided that they are applying for a public tender or public call, or intend to enter into a contract with ARIS.

With regard to user registration on the RDI Hub website, ARIS will process data relating to the time of registration, the username, the organisation on whose behalf the user submits content to the RDI Hub website, the type of stakeholder (political, educational, etc.) and a brief description of the purpose of registration, as well as the user’s activities (e.g. login time, date and type of content to be published on the ARIS websites, logout time). Where necessary, it may also process other personal data and information relating to individuals, insofar as such data or information is disclosed by a potential user during the registration process or in the course of providing user support.

When managing e-newsletters, ARIS processes the email address that individuals enter into the online form, the date and time of registration, the date and time of the last action, and information regarding the opening of individual e-newsletter issues and clicks on links within those issues.

ARIS, as part of its efforts to ensure the secure and efficient operation of the online system for the submission of applications and documents relating to public tenders or public calls for co-funding of scientific research and innovation activities, may process personal data relating to users of the online system on the basis of point (e) of the first paragraph of Article 6 of the GDPR; namely, data on email addresses, usernames, the time of use or access to the system, and the activities carried out by individual users within it (an audit trail). In this way, ARIS can ensure the proper functioning of the online system, monitor and ensure an appropriate level of information security, and provide support to users as and when they require it.

In the case of communication by email, the ARIS email system processes information regarding your email address, the time your message was sent or received, a description of the subject matter and the content of the message, as well as other information that you disclose to ARIS.

Users, categories of users and data processors

The processing of your personal data is strictly limited to those ARIS employees who absolutely need your personal data to carry out their work duties, and to members of ARIS’s expert bodies, who, on the basis of a written contract with ARIS, assist in the performance of ARIS’s tasks. All employees and members of expert bodies are bound by a duty of confidentiality and must respect the protection of personal data.

Your personal data may also be processed by the competent state authorities and public bodies in the exercise of their statutory powers, as well as by other persons who have a legal basis for obtaining and processing personal data (e.g. for the purposes of audits, supervisory, inspection, regulatory or other proceedings).

In certain cases, your personal data is processed by data processors with whom ARIS has entered into a written contract. Data processors process the data entrusted to them exclusively on behalf of and for the account of ARIS, within the limits of the authorisation set out in a written contract or other legal document, and in accordance with the purposes specified in that contract or legal document. ARIS works with contractors who maintain software or solutions used to process individuals’ personal data, and which are utilised in the processes of application, assessment, cost monitoring in the context of public tenders or public calls, communication with individuals, and the management of data, various reports and documentary material.

Under no circumstances will ARIS disclose an individual’s personal data to unauthorised third parties, except in cases provided for by law or other regulations.

Transfer of data to third countries or international organisations

In the event of data being transferred to third countries or international organisations, ARIS will put in place procedures and implement the measures required by the relevant regulations for such data transfers.

Personal data security

ARIS protects your personal data using appropriate technical and organisational measures. Technical measures include measures to address online security, the security of the use of online systems, managing the risk of data loss, data alteration or unauthorised access, taking into account the risk posed by the processing and the nature of the personal data being processed. Organisational measures include restricting access to personal data to authorised persons who have a legitimate need to know such data for the purposes of processing.

Retention period for personal data

The retention period for personal data depends on the legal basis and the purpose of processing each category of personal data. Personal data is retained for as long as is necessary to fulfil the purpose for which it was collected, or for the period prescribed by law or other regulations. ARIS retains personal data processed on the basis of your consent until such consent is withdrawn or for as long as is necessary to fulfil the purpose for which it was collected.

In determining the retention period, account is taken of the time limits laid down in the relevant regulations and in the Classification Criteria Plan of the Slovenian Research and Innovation Agency. If retention periods are not specifically laid down by regulations, retention must be limited to the shortest possible period, taking into account the principle of proportionality. Once the retention period has expired, personal data shall be deleted, destroyed, blocked or anonymised, unless it is defined as archive material under the law governing archive material and archives, or unless the law provides otherwise for specific types of personal data. ARIS may process certain personal data for scientific research, historical research, statistical and archive purposes, provided that appropriate measures are taken in accordance with the GDPR and ZVOP-2.

Data relating to a user’s registration on the RDI Hub website is retained for a maximum of three years from the registered user’s last activity or the deletion of their user account, carried out by the registered user on the RDI Hub website, unless there is a legal basis for storing the data for a longer period.

Email details and information relating to the receipt of e-newsletters are stored until the individual unsubscribes from the email notification service.

Obligation to provide information

The provision of personal data in the context of a public tender or public call, a selection procedure, or within the framework of procedures conducted by ARIS in which it decides on applications submitted by individuals, constitutes a legal obligation. If an individual fails to provide the required information, ARIS will be unable to carry out the prescribed procedures, which means that a request to supplement the application may be issued, a decision to reject the application may be made, or it may not be possible to participate in the selection process. The provision of personal data is also a contractual obligation where the collection and processing of personal data is necessary for the conclusion of a contract with ARIS, the processing of payments or the monitoring of the performance of the contract.

If you wish to collaborate with ARIS as a member of an ARIS expert body or as a reviewer, you will also need to provide the necessary information to establish a contractual relationship with you (contractual obligation) and to fulfil legal obligations relating to financial and tax matters.

If the information is not provided during the registration process in the restricted section of the ARIS website, which is intended for user registration and the submission of proposals for the publication of events or news by external stakeholders, it will not be possible to create a user account for submitting content and events on the RDI Hub website.

Information on the use of automated decision-making

ARIS does not process personal data or make decisions based solely on automated processing that would have legal effects on an individual or similarly significantly affect them. Nor does it process data for the purpose of profiling individuals.

Questionnaires

ARIS may also collect data by sending questionnaires to individuals (e.g. reviewers, researchers, etc.) for them to complete. In this way, it obtains data directly from individuals or – in order to ensure accuracy – updates the data it has obtained from them, from research organisations or from publicly available sources. Through its questionnaires, ARIS collects personal data as defined by the provisions of ZZrID, as well as other information in the context of mutual cooperation and the exchange of opinions (e.g. the presentation of individual public tenders or calls). In doing so, it may use various tools to conduct online surveys, in particular the 1KA online questionnaire, which is provided by the contracted data processor – the University of Ljubljana, Faculty of Social Sciences, Centre for Social Informatics. Further information on the protection of personal data in connection with the conducting of surveys is available at: https://www.1ka.si/d/sl/o-1ka/pogoji-uporabe-storitve-1ka/politika-zasebnosti. ARIS will inform individuals of this information in advance each time questionnaires are sent out and will obtain confirmation from them that they have been made aware of it.

Event organisation and public information

In accordance with Article 93 of ZVOP-2, ARIS may use the contact details of individuals which it has collected from publicly available sources or in the course of carrying out its public duties, or which have been for the purposes of organising official meetings, education, training and events, determining the composition or functioning of committees, councils, delegations and other similar public-sector activities, or for the purpose of issuing press releases. For the purposes set out in the previous sentence, ARIS may only use the following personal data: name, telephone number, email address or other contact number or identifier, information about the employer or organisation, and information about the field of work, position and role of the individual to whom the personal data relates; for all other types of personal data, ARIS must obtain the individual’s explicit consent.

ARIS may, for the purposes of informing the public, process – including by publishing – personal names, titles, photographs and video recordings of individuals obtained at events organised by that person within the scope of their duties, powers or activities, provided that the individual has not objected to such processing.

ARIS uses Microsoft Forms for event registration, processing only the personal data that is strictly necessary for registering for an event. The email address is used to send confirmation messages and reminders. When registering, individuals are provided with information regarding the processing of their personal data.

Individual rights

In accordance with the GDPR and ZVOP-2, ARIS guarantees individuals the right to:

  • access personal data processed in relation to them;
  • rectification of their data, insofar as the personal data held by ARIS: (i) is inaccurate or incomplete; (ii) is no longer necessary for the purposes for which it was collected or otherwise processed; (iii) where the individual withdraws their consent and there is no other legal basis for the processing; (iv) where an objection has been raised to processing that is necessary for legitimate interests or for the performance of tasks carried out in the public interest or in the exercise of official authority vested in ARIS, and there are no overriding legitimate grounds for such processing; (v) where personal data has been processed unlawfully; or (vi) where personal data must be erased to comply with a legal obligation under EU law or Slovenian law. Notwithstanding the above, ARIS will not grant a request for erasure in the cases set out in the third paragraph of Article 17 of the GDPR;
  • the erasure of data, unless there is a legal basis preventing ARIS from erasing the personal data;
  • restrictions on the processing of personal data where the personal data is inaccurate or where ARIS should not be using the personal data; specifically, for a period enabling ARIS to verify the accuracy of the individual’s personal data; where the processing is unlawful and the individual requests restriction of use rather than erasure of the personal data; where ARIS no longer requires the personal data for the purposes of processing, but the individual requires it for the establishment, exercise or defence of legal claims; or where the individual objects to the processing, pending verification of whether ARIS’s legitimate grounds override those of the individual;
  • the portability of personal data to another controller in a structured, commonly used and machine-readable format, where (i) the processing is based on consent or on a contract, and (ii) the processing is carried out by automated means. In exercising the right to data portability, an individual has the right to have their personal data transferred directly from ARIS to another data controller, where this is technically feasible. This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in ARIS;
  • objection to the processing of personal data that is necessary for the legitimate interests pursued by ARIS or for the performance of tasks carried out in the public interest or in the exercise of official authority. ARIS will cease to process personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual, or for the establishment, exercise or defence of legal claims. Where personal data is processed for scientific research, historical research or statistical purposes, the data subject has the right, on grounds relating to their particular situation, object to the processing of personal data relating to them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

If you have given your consent to the processing of your personal data, you may withdraw it at any time. Withdrawal does not affect the lawfulness of any processing carried out on the basis of your consent prior to withdrawal.

You can unsubscribe from the e-newsletter at any time and free of charge by clicking on the ‘Unsubscribe’ link in the email you have received.

You may exercise your rights in relation to personal data:

  • in person at the ARIS headquarters, verbally on record, by prior appointment during office hours: on Mondays and Wednesdays from 10.00 to 12.00 and from 13.00 to 15.00, and on Fridays from 10.00 to 12.30;
  • in writing to the address stated in the contact details for the Data Protection Officer set out above, or directly to ARIS. If you submit your request electronically, the information will be provided to you electronically where possible, unless you specify otherwise.

To ensure the reliable identification of individuals, ARIS may, when you exercise your rights in relation to personal data, request additional information from you that is necessary to verify your identity.

Upon your request to exercise your rights in relation to your personal data, ARIS will respond without undue delay and no later than one month after receipt of the request, in accordance with the procedural provisions of ZVOP-2. The deadline for exercising rights may be extended by up to two additional months, taking into account the complexity and number of requests.

All information provided, as well as all communications and measures relating to the protection of personal data, shall be provided free of charge in a single copy. Where the requests made by the data subject are manifestly unfounded or excessive, in particular because they are repetitive, ARIS may charge a reasonable fee, taking into account the administrative costs of providing the information, or refuse the request.

The right of access to public information and the protection of personal data

ARIS may, in exceptional cases, disclose data relating to individuals when processing requests from applicants for access to information of public interest, submitted in accordance with the Public Information Access Act (Official Gazette of the Republic of Slovenia, No. 51/06 – official consolidated text, 117/06 – ZDavP-2, 23/14, 50/14, 19/15 – decision of the Constitutional Court, 102/15, 7/18, 141/22 and 40/25 – ZInfV-1; hereinafter: ZDIJZ). Access to the requested information shall be granted in accordance with the provisions of ZDIJZ if it concerns data on the use of public funds or data relating to the performance of a public function or the employment relationship of a public servant, except in the cases of exemption specified in ZDIJZ, and in cases where the law governing public finances or the law governing public procurement provides otherwise. In all other cases, where there are no exceptions to access to information of public interest, ARIS will redact the personal data of the individuals concerned when disclosing information containing such data. In accordance with the provisions of the second paragraph of Article 74 of ZVOP-2, ARIS may publish such data publicly where the law stipulates that the data must be made public or where the data constitutes information of public interest.

The right to lodge a complaint with the Information Commissioner of the Republic of Slovenia

You have the right to lodge a complaint with the Information Commissioner of the Republic of Slovenia, Dunajska cesta 22, Ljubljana, or by email to: gp.ip@ip-rs.si, if you believe that the processing of your personal data infringes the provisions of the GDPR or ZVOP-2.

Validity

ARIS reserves the right to amend or supplement this information.