Privacy policy and personal data protection

(hereinafter: "Privacy Policy")

BASIC TERMS:

  • Personal data: any information relating to an identified or identifiable individual;
  • Processor: a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;
  • User: a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether a third party or not;
  • Individual: any person whose personal data is being processed;
  • Website: all of the Controller's websites, including all sub-pages, links and related websites;
  • Application: all software provided by the Controller, as defined in the Company's General Terms and Conditions.

1. INTRODUCTION

The controller of personal data processed in accordance with this Privacy Policy is RISO d.o.o., Ribiška pot 18, 2230 Lenart, tax number: SI66431590, company registration number: 2230569000 (hereinafter: "Controller"). This Privacy Policy follows the principles of transparency and careful handling of personal data in accordance with the General Data Protection Regulation (hereinafter: "GDPR") and the Personal Data Protection Act (hereinafter: "ZVOP-2").

For any questions regarding this Privacy Policy, the Controller is available at the e-mail address info@esgon.si. The company does not have a data protection officer.

2. BASIS FOR THE PROCESSING OF PERSONAL DATA ON THE WEBSITE AND IN THE APPLICATION

a) Processing based on a contract between the Controller and the Individual

The Controller processes certain personal data for the purposes of fulfilling the order and contract concluded between the Controller and the Individual:

a. General:

  • company name
  • company headquarters address
  • list of parent and subsidiary companies
  • company domain (e.g. @riso.si)
  • primary company colour
  • company logo

b. Company description

  • general description of the company
  • description of activities
  • portfolio description
  • organisational form
  • tax number

c. Organisational boundaries (locations)

  • location names
  • full address

The controller stores the above data for 5 years after the termination of the contract.

b) Processing necessary to fulfil the legal obligation applicable to the controller

The controller may issue an invoice to the individual for the payment of services. In this context, the controller processes and stores the personal data specified on the invoice.

The controller stores this personal data (invoices) for 10 years from the date of issue.

c) Processing based on legitimate interest

The controller processes certain personal data because it is necessary for the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual to whom the personal data relates, which require the protection of personal data. The processing of all personal data listed below is intended to provide a better user experience. On this basis, the Controller processes the following personal data:

  • IP addresses from which the Individual accesses the Website. Recording is necessary for the detection and prevention of abuse on the website;
  • logins to the Application: username, date and time of login. Recording is necessary for the detection and prevention of abuse in the Applications;
  • data about the devices from which the User accesses the Website and/or the Application;
  • cookie data for functionality, as defined in the Cookie Policy.

All of the above data is stored for 2 years from the date of collection, except for essential cookies, which may be stored for up to 6 months. Individuals may object to the processing of their personal data for these purposes at any time by sending an email to info@esgon.si.

d) Processing based on consent to the processing of personal data

The controller processes certain personal data on the basis of the individual's consent:

  • Email address;
  • Data collected on the basis of Google Analytics service functions, to which the Individual consents within the framework of the Cookie Policy;
  • Data collected based on the Hotjar service function, to which the Individual consents within the framework of the Cookie Policy;
  • All data provided by the Individual in the contact form on the Controller's website.

Consent may be revoked at any time.

3. TRANSFER OF DATA TO THIRD PARTIES AND TRANSFER OF DATA TO THIRD COUNTRIES (COUNTRIES THAT ARE NOT MEMBERS OF THE EUROPEAN ECONOMIC AREA)

The Controller shares personal data with the following recipients:

a. Google Analytics

Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, fax: +353 (1) 436 1001. Relevant documents: Google Analytics Terms of Service, Google Analytics Security and Privacy Overview, Google Privacy Policy. Google uses standard contractual clauses (SCC) for data transfers to third countries.

b. Hotjar

Hotjar: Hotjar Ltd. is a European company based in Malta (Hotjar Ltd, Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe Tel.: +1 (855) 464-6788).

The ESG On application is hosted entirely in European Azure data centres. The cloud provider Microsoft Azure complies with the strictest compliance requirements, such as ISO27001, EU GDPR, EN 301 549, EU Cloud CoC, and the ENISA (IAF) cybersecurity assurance framework. The Microsoft cloud services used by ESG On also undergo regular, thorough independent third-party audits in accordance with the SOC 2 Type 2 standard. Full compliance documentation can be found at the following address: https://learn.microsoft.com/en-us/azure/compliance/.

Components used:

  • Data storage (Western Europe -- Frankfurt and Northern Europe -- Dublin)
      • Log Analytics
      • Cosmos DB
      • Postgres
      • Storage account
      • Search service
  • Dependencies
      • Azure AI services
      • Azure OpenAI
      • Search service
  • Data processing
      • Service Bus
      • B2C authentication
      • Container Apps Environment

Personal data collected within the Application and Website is not transferred to third countries.

4. HANDLING OF PERSONAL DATA AFTER THE EXPIRY OF THE STORAGE PERIOD

When the retention period specified in this Privacy Policy expires for a particular piece of personal data or set of data, the Controller shall effectively and permanently delete or anonymise such personal data so that it can no longer be linked to the Individual.

5. INDIVIDUAL RIGHTS IN RELATION TO THE PROCESSING OF PERSONAL DATA

The Individual has the following rights in relation to their personal data:

a) Right of access by the individual to whom the personal data relates

The individual to whom the personal data relates has the right to obtain confirmation from the Controller as to whether personal data relating to him or her is being processed. Where the answer is affirmative, the Individual has the right to access the personal data and the following information:

  • the types of personal data being processed;
  • the categories of Users to whom the personal data have been or will be disclosed;
  • the storage periods;
  • the existence of the right to request from the Controller the rectification or erasure of personal data or restriction of processing concerning the data subject or to object to such processing;
  • the right to lodge a complaint with the Information Commissioner;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, and meaningful information about the reasons for it, as well as the significance and envisaged consequences of such processing for the individual.

Within the scope of this right, the Individual has the option to request one free copy of their personal data in a format specified by them. If the request is made by electronic means of communication and the Individual does not request otherwise, the copy shall be provided in electronic form. For additional copies requested by the Individual, the Controller may charge a reasonable fee taking into account the costs incurred by the Controller.

b) Right to rectification

The Individual to whom the personal data relates has the right to obtain from the Controller the rectification of inaccurate personal data concerning him or her without undue delay.

c) Right to erasure

An individual may request that the Controller erase personal data relating to him or her without undue delay in the following cases:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • the individual to whom the personal data relates withdraws the consent on which the processing is based and there is no other legal basis for the processing;
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes;
  • the personal data has been processed unlawfully;
  • the personal data must be erased in order to comply with a legal obligation under the law of the Republic of Slovenia or the European Union.

d) Right to restriction of processing

An individual may request that the processing of data relating to him or her be restricted. This may be requested in the following cases:

  • The individual disputes the accuracy of the personal data, for a period enabling the Controller to verify the accuracy of the personal data;
  • the processing is unlawful and the Individual opposes the erasure of the personal data and requests the restriction of their use instead;
  • the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Individual for the establishment, exercise or defence of legal claims;
  • the Individual to whom the personal data relates has objected to the processing pending verification whether the legitimate grounds of the Controller override those of the Individual.

e) Right to data portability

The data subject shall have the right to receive the personal data concerning him or her and to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the conditions laid down in Article 20 of the GDPR are met.

f) Right to object

The individual to whom the personal data relates has the right to object at any time to the processing of personal data relating to him or her. In such a case, the controller shall cease processing the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

The individual may always object to the processing of personal data for direct marketing purposes. In such a case, the personal data controller may no longer process the data for this purpose.

The individual also has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, where the conditions set out in Article 22 of the GDPR are met.

g) Right to lodge a complaint regarding the processing of personal data

Any Individual may lodge a complaint against the controller with the Information Commissioner when they believe that the processing of their personal data violates applicable law.

6. INFORMATION ON THE EXISTENCE OF AUTOMATED DECISION-MAKING:

The controller collects, analyses and processes information collected through the Applications. This information is used to improve the appearance, functionality and security of the Website and Applications.

7. WITHDRAWAL OF CONSENT FOR THE PROCESSING OF PERSONAL DATA AND CONSEQUENCES FOR THE INDIVIDUAL

An individual may withdraw their consent to the processing of personal data at any time. This can be done by sending a written statement to the Controller at the Controller's address or by email to info@esgon.si.

Withdrawal of consent to the processing of personal data has no negative consequences or sanctions for the Individual. However, it is possible that after revoking consent, the Controller will no longer be able to offer the Individual certain or all of its services. This happens in the case of services that cannot be offered without personal data (e.g. membership in a benefits club or personalised notifications).

If, after withdrawal of consent to the processing of personal data, there is no other legal basis for processing, the Controller will effectively and permanently delete or anonymise the Individual's personal data to which the withdrawal relates, so that it can no longer be linked to the Individual.

8. PROCEDURE FOR EXERCISING RIGHTS IN RELATION TO PERSONAL DATA

The Individual may address all requests relating to the exercise of rights in relation to personal data in writing to the Controller, either to the Controller's address or by e-mail to info@esgon.si.

Where the Controller has reasonable doubts concerning the identity of the Individual submitting a request relating to the protection of personal data, it may request additional information necessary to confirm the identity of the Individual to whom the personal data relates.

The Controller shall respond to the Individual's request without undue delay, but no later than one month after receiving the request. In the event of a more complex request or a large number of requests, this period may be extended by a maximum of two additional months.

9. COOKIES

Cookies are used in accordance with the Cookie Policy published on the Controller's website.

10. CONSENT AND CHANGES TO THE TERMS AND CONDITIONS

Every user of the services of this website agrees to the specified terms of use. The Controller undertakes to comply with all of the above provisions and applicable legislation. Each registration on the website also includes the Individual's consent for the Administrator to send them e-mails or contact them via telephone number.

Any changes to this Privacy Policy will only take effect after they have been published on this website and after email notifications have been sent to all registered Individuals.

This personal data protection policy is valid from 1.10.2025 onwards.
