Personal Data Protection

The General Data Protection Regulation (GDPR) is a regulation of the European Union, which standardises the rules on the processing of personal data by private companies and public authorities across the EU. The aim is not only to safeguard the protection of personal data within the European Union, but also to ensure the free movement of data within the European single market.

Protection and security of personal data is of great importance to us. Below you will find the information required under the General Data Protection Regulation ("GDPR") regarding the processing of personal data in connection tailored to different categories of data subjects.

It is our goal to provide you with exactly the right amount of information regarding the processing of personal data relating to you.

Below you can read how Fraport Slovenija collects, stores and processes personal data of individuals. If we did not answer your questions with the written information, please contact us via e-mail.

Information regarding processing of personal data is contained in the following documents:

  • Personal data protection policy for employees and other personnel of the company Fraport Slovenia;
  • Personal data protection policy for Fraport Aviation Academy;
  • Cookies.

In the event of any conflict between the provisions of this General Policy and the provisions of the abovementioned documents, the provisions of the abovementioned documents shall apply.

This policy applies to the processing (use) of any personal data carried out by Fraport Slovenia, upravljanje letališč, d.o.o. (controller) or carried out by third parties on behalf of the controllerInformation about the controller:

Fraport Slovenija, d.o.o.
Zgornji Brnik 130A
4210 Brnik – Airport, Slovenia
Register number: 5142768000
Phone: +386 (0)4 20 61 000
E-mail:  info@fraport-slovenija.si

Controller stores and processes personal data depending on the relationship with a particular individual. In principle, we only process some of the data listed below for a specific individual, but not all of them.

There are four categories of individuals to whom personal data refer to:

Passengers and visitors

Surveillance cameras videos:
a video of an individual who entered the airport area (defined in the Airport Usage Rules, Chapter 14), the date and time of entry into and departure from the airport area;ž

Data on entry and exit through access control passages:
name and surname, company, organization or department, access card number, picture of person, date and time of the passage, task (entry / exit) and location or facility in which the passage happened;

Data on visitors who move within the protected area of the airport (defined in the Airport Usage Rules, Chapter 14): name and surname, number and type of personal document, date and hour of entry to and exit from the protected area, the person or company visited;

Data on persons entering the airport area for a visit:
name, surname, organization, personal identification number

Data on safety reports and investigations:
name and surname, address of residence;

Partners

Data on contact persons of clients, business partners and media:
name and surname, name of the employer, phone number, e-mail address, address, area of interest, data on participation in controller’s training, business correspondence and calendar of activities (meetings, events, ...), bank account, tax number;

Data on office building visitors:
name and surname of the person and/or company or organization, date of the visit, person visited, number of issued badge, hour of arrival, departure time;

Data on airport identification card holders:
name and surname, date of birth, address of permanent and temporary residence, name of the employer and work position, number, type and date of validity of identification card, persons’ picture, area to which entrance is allowed with that specific identification card;

Data on airport driving license holders:
name and surname, date of birth, address of permanent and temporary residence, employer's name, position, number and validity of identification card, picture number, test type, copy of valid driving license for driving in road transport;

Data on participants of trainings organized by the controller:

name and surname, address, e-mail address, information on trainings completed, data on controller’s instructors;

External instructors for trainings:
name and surname, address, e-mail address, telephone number, data on competences and licenses

Parking lot users

Data of the parking lot users:
Video footage of the user entering and exiting parking areas, date and time of entry and exit, location or facility where the parking lot is located, license plate, name and address of the user after obtaining the data, exceptionally, if this is particularly necessary, also sound video.

Data on parking cards holders:
first and last name, title of employer, vehicle registration number, card number, card validity date, date and time of entering and exiting the parking lot, location or facility where the parking lot is located, information about the vehicle or asset.

Others

Data on shareholders who are natural persons:
ID number, name and surname, personal ID number, tax number, permanent address, country of residence, tax office and type of person, data on the shareholder's transaction account (account type, bank, business unit, account number), ownership data (trading information, status of the ownership, amount), data on the documents relating to ownership (ID number, type, balance, application, trading information, amount, final amount, date of the document), data on dividends (serial number of dividend distribution,% of tax, amount of tax, date of tax transfer, gross dividend, the envisaged transfer, realized transfer, date of transfer, method of transfer, account number to which the transfer was made);

Data on participants on construction sites:
name, surname, data on the employer, data on the person responsible for safety and health at work, data on occupational health and safety education

Data on event participants and their family members:
name and surname, e-mail, names and surnames of family members, type of the event, type of airport tour, date of the event.

We may process your personal data on the following legal bases, which are enabled by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46 /EC (General Data Protection Regulation, hereinafter GDPR) and Personal Data Protection Act (ZVOP-2):

  • when processing is determined by law or when processing is necessary to fulfill our legal obligations or obligations laid down by European Union laws;
  • when processing your personal data is necessary for the conclusion and fulfillment of a contract that you have concluded with us or you wanted an offer from us or have shown an interest in our services;
  • when for processing of your personal data you have given consent for the specific purpose of processing, while you are always entitled to withdraw this consent;
  • when we have a legitimate interest in processing your personal data, which prevails over your interests.

Specific legal bases for the processing of personal data are:

Passengers and visitors

Surveillance cameras videos:

  • GDPR Article 6, Paragraph 1:
    - pt. (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
    - pt. (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;
  • Articles 76 to 80 of the Personal Data Protection Act (ZVOP-2);
  • Articles 127 and 128 of the Aviation Act (Zlet);

Data on entry and exit through access control passages:

  • GDPR Article 6, Paragraph 1:
    - pt. (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Articles 85 of the Personal Data Protection Act (ZVOP-2);
  • Articles 127 and 128 of the Aviation Act (Zlet);

Data on visitors who move within the protected area of the airport:

  • GDPR Article 6, Paragraph 1:
    - pt. (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Articles 85 of the Personal Data Protection Act (ZVOP-2);
  • Articles 127 and 128 of the Aviation Act (Zlet), (defined in the Airport Users Regulation, Chapter 14.);

Data on persons who enter the airport area for a visit:

  • GDPR Article 6, Paragraph 1:
    - pt. (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;

Data on safety reports and investigations:

  • GDPR Article 6, Paragraph 1:
    - pt. (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    - pt. (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;
Partners

Data on contact persons of clients, business partners and media:

  • GDPR Article 6, Paragraph 1:
    - pt. (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    - pt. (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Data on contact persons of media:

  • GDPR Article 6, Paragraph 1:
    - pt. (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    - pt. (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;

Data on the recipients of general news Fraport Slovenija:

  • GDPR Article 6, Paragraph 1:
    - pt. (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Data on the recipients of general news Fraport Aviation Academy:

  • GDPR Article 6, Paragraph 1:
    - pt. (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Data on office building visitors:

  • GDPR Article 6, Paragraph 1:
      - processing is necessary for compliance with a legal obligation to which the controller is subject (Articles 127 and 128 of the Aviation Act (Zlet));
  • Articles 85 of the Personal Data Protection Act (ZVOP-2);

Data on airport identification card holders:

  • GDPR Article 6, Paragraph 1:
    - pt. (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Data on airport driving license holders:

  • GDPR Article 6, Paragraph 1:
    - pt. (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Data on participants of the trainings organized by the controller:

  • GDPR Article 6, Paragraph 1:
    - pt. (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

External instructors for trainings:

  • GDPR Article 6, Paragraph 1:
    - pt. (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Parking lot users

Data of the parking lot users:

  • GDPR Article 6, Paragraph 1:
    - pt. (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    - pt. (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;

Data on parking cards holders:

GDPR Article 6, Paragraph 1:
- pt. (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Others

Data on shareholders who are natural persons:

  • GDPR Article 6, Paragraph 1:
    - pt. (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Article 25. in Book-Entry Securities Act (ZNVP-1);
  • Article 325. in Tax Procedure Act (ZDavP-2));

Data on participants on construction sites:

  • GDPR Article 6, Paragraph 1:
    - pt. (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Article 25. in 38. in Health and Safety at Work Act (ZVZD-1);

Data on event participants and their family members:

  • GDPR Article 6, Paragraph 1:
    - pt. (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    - pt. (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;
Passengers and visitors

Surveillance cameras videos:
ensuring the safety of people and property; proving and exercising rights in official procedures;

Data on entry and exit through access control passages:
ensuring safety, fulfillment of legal obligations;

Data on visitors who move within the protected area of the airport  (defined in the Airport Usage Rules, Chapter 14):
Ensuring safety, fulfillment of legal obligations;

Data on persons who enter the airport area for a visit:
keeping records of visitors, providing security;

Data on safety reports and investigations:
ensuring the safety of civil aviation;

Partners

Data on contact persons of clients, business partners and media:
communication with clients and business partners; informing journalists about events, news, making a payment to a business partner who is a natural person, etc.;

Data on news recipients:
notifying about the activity of the controller, communication with stakeholders.

Data on office building visitors:
ensuring safety, fulfillment of legal obligations;

Data on airport identification card holders:
ensuring safety, fulfillment of legal obligations;

Data on airport driving license holders:
ensuring safety, fulfillment of legal obligations;

Data on participants of trainings organized by the controller:
organization and implementation of trainings, communication with participants, informing about similar trainings;

External instructors for trainings:
organization and implementation of trainings, communication with participants.

Parking lot users

Data of the parking lot users:
- fulfillment of contractual obligations, security assurance, process optimization and automation;

Data on parking cards holders:
- fulfillment of contractual obligations, security assurance, process optimization and automation;

Others

Data on shareholders that are natural persons:
the exercise of rights and obligations of shareholders, communication with them (invitations to assemblies, etc.), fulfillment of tax obligations;

Data on participants on construction sites:
ensuring safety, fulfillment of legal obligations;

Data on event participants and their family members:
keeping records of participants and their family members.

Passengers and visitors

Surveillance cameras videos:
three (3) months, except in cases where there is a suspicion of a criminal offense, a misdemeanor or damages felony - in this case, the information thus collected is kept for 5 years after the final conclusion of the procedure;

Data on entry and exit through access control passages:
two (2) years;

Data on visitors who move within the protected area of the airport  (defined in the Airport Usage Rules, Chapter 14):
three (3) years;

Data on persons entering the airport area for a visit:
one (1) month from the day of the visit

Data on safety reports and investigations:
one (1) year;

Partners

Data on contact persons of clients, business partners and media:
during the contractual relationship with the client or business partner and one year after the termination; until the media announces that a particular person no longer works for the media;

Data on news recipients:
until cancelled

Data on office building visitors:
3 years;

Data on airport identification card holders:
1 year after the termination of the eligibility to use the identification card;

Data on airport driving license holders:
3 years after the expiration of the license;

Data on parking card holders:
1 year after the expiration of the right to hold a parking card;

Data on participants of trainings organized by the controller:
5 years after the training;

External instructors for trainings:
- one (1) year after contract expiration for employees and other personnel of Fraport Slovenija;

Parking lot users

Data on shareholders that are natural persons:
- a maximum of six (6) months, except in cases of incident events, where the retention period is until the final resolution of the event;

Data on parking cards holders:
- one (1) year from the termination of the right to use the parking card;

Others

Data on participants on construction sites:
6 months since the last entry to the construction site, or after the construction is finished

Data on shareholders who are natural persons:
5 years after the expiration of the shareholder status; 5 years after the payment of the dividend;

Data on event participants and their family members:
1 year after the date of the event;

After the expiration of the storage period, personal data is either effectively and permanently erased or destroyed, or effectively anonymized, in such a way that it is no longer possible to determine to which specific individual certain anonymous data relate.

The provision of personal data is in principle voluntary, which means that you decide for yourself whether or not you will transmit data to the controller.

However, in certain cases you cannot receive certain services or benefits (such as entering certain airport areas) if you do not provide us with personal data. In such cases, the transmission of data may be marked or presented as mandatory from our part, but even in such cases, you may decide yourself whether or not to provide personal data.

You do not have a choice in video surveillance: if you enter the airport area, you will be recorded.

From the controller’s part, access to your personal data is available to employees and contractors for whom that is necessary due to their position or workplace or work tasks.

We do not transmit your personal data or provide information about them to third parties (beyond the controller), except to those who have a written contract with us, on the basis of which they perform certain tasks related to data processing and are obliged to comply with the legislation regarding the processing and protection of personal data (the so-called processors). Processors to whom we provide personal information are:

  • marketing service providers;
  • providers of sending e-mails;
  • IT equipment maintenance service providers;
  • providers or administrators of developed tools that are used to edit websites and carry out marketing activities.

Processors shall process personal data only within the framework of our instructions and shall not process personal data for their own purposes. They are obliged, together with their employees, to protect the confidentiality of your personal data.

Contracted processors of personal data do not transmit data to third countries (outside the European Economic Area Member States - EU Member States and Iceland, Norway and Liechtenstein).

You have the following rights regarding your personal data:

To ask us at any time for:

  • confirmation that we process your personal data;
  • access to personal data and the following information: processing purposes; type of personal data; users or categories of users to whom your personal data have been or will be disclosed, in particular users in third countries or international organizations; the planned period of storage of personal data or, if that is not possible, the criteria used to determine that period; the existence of automated decision-making, including the profiling and the reasons for it, as well as the significance and intended consequences of such processing for you;
  • one (free) copy of personal data in the format you specify yourself (if the request is provided by electronic means of communication and you do not request otherwise, the copy will be provided in electronic form); for additional copies you request, we can charge a reasonable fee, taking into account the costs;
  • restriction of processing, when:
    • you contest the accuracy of personal data, for a period that allows us to verify the accuracy of personal data;
    • processing is unlawful, and you are opposed to the deletion of personal data and, instead, request a restriction on their use
    • we no longer require your personal data for processing, but you need them to exercise, enforce or defend legal claims;
  • the deletion of all personal data (the right to forget) if the conditions under Article 17 of the General Data Protection Act are fulfilled, and in particular when you withdraw the consent for the processing of personal data;
  • the printout of personal data in a structured, commonly used and machine-readable format, with the right to transmit these data to another controller without obstructing you in doing so;
  • termination of usage of personal data for direct marketing purposes, including profiling;
  • that you are not subject to a decision based solely on automated processing, including profiling if the conditions of Article 22 of the General Data Protection Regulation are met.

The right to file a complaint against us with the Information Commissioner if you believe that the processing of your personal data violates the General Data Protection Act.

When you have consented to processing of your personal information, you can withdraw it at any time by sending it to us in writing to Fraport Slovenia, Airport Management, Ltd, Personal Data Protection Authorized Person, Zgornji Brnik 130A, 4210 Brnik - Airport, Slovenia, or by e-mail at  info.gdpr@fraport-slovenija.si.

The cancellation of the consent does not have any negative consequences for you, but in certain cases you will no longer be able to receive certain services from us, namely in cases when we need your personal data to provide the service for which you have cancelled the consent.

The cancellation of the consent may also be partial, e.g. for certain personal data or for a certain period of time or for a specific purpose.

You can address your requests regarding the exercise of rights regarding personal data in writing to any contact that is listed under the  Controller (who processes my personal data)?

For the purposes of reliable identification (in order, for example, to avoid the deletion or access to your personal information by someone else), we may require additional information or proofs in the event of the exercise of rights regarding personal data, and the exercise of such rights may be refused only in case we prove that we cannot reliably identify you.

At your request, with which you exercise your rights regarding personal data, we must respond without undue delay and no later than one month after receiving your request.

The operator does not perform automated decision making or profiling of individuals.

With video surveillance, due to the possibility of immediate reaction by the operator, live video surveillance is carried out with the possibility of audio intervention.

Contact us at Fraport Slovenia, Airport Management, Ltd, Authorized Person for Personal Data Protection, Zgornji Brnik 130A, 4210 Brnik - Airport, Slovenia or at  info.gdpr@fraport-slovenija.si.