PRIVACY TERMS
Privacy terms of the company Mogway d.o.o.
MEANING OF TERMS
Privacy terms
Privacy conditions are an internal act of the company Mogway d.o.o. (hereinafter: the processor) and apply to all legal relationships between it and service subscribers (hereinafter: the operator).
The act determines the rights and obligations of the processor and operator in the management and processing of personal data of individuals.
Personal information
Personal data means any information relating to a specific or identifiable individual who is a natural person. A specific individual is one whose personal data is defined and processed in accordance with purposes determined by the controller. An identifiable individual is one who can be directly or indirectly identified and whose personal data can be processed in accordance with the purposes determined by the controller.
Individual
An individual is any natural person whose personal data is processed on a legal or contractual basis between the controller and that individual or on the basis of the express consent given by the individual to the controller.
Manager
The controller determines the purposes and means of processing within the framework of its registered activity and/or legal authorizations. The individual is informed in advance who is the manager of personal data and who is the processor of his personal data.
Processor
The processor processes the personal data of individuals on behalf of the controller, according to its instructions, within the framework of legal purposes and methods of processing.
Subprocessor
The sub-processor processes the personal data of individuals on behalf and according to the instructions of the processor, within the framework of the legal purposes and methods of processing.
Processing
Processing of personal data means any act or set of acts carried out in relation to personal data or sets of personal data with or without automated means, such as collecting, recording, editing, structuring, storing, adapting or modifying, retrieving, viewing, using, disclosing by transmission, disseminating or otherwise making accessible, aligning or combining, limiting, erasing or destroying.
Restriction of processing
Limitation of processing means marking stored personal data in order to limit their processing in the future.
Designing profiles
Profiling means any form of automated personal data processing that involves the use of personal data to evaluate certain personal aspects relating to an individual, in particular for analyzing or predicting that individual's job performance, economic situation, health, personal taste, interests, reliability, behavior, location or movements.
Pseudonymization
Pseudonymization means the processing of personal data in such a way that the personal data can no longer be attributed to a specific individual to whom the personal data refer without additional information, if such information is kept separately and is subject to technical and organizational measures to ensure that personal data is not attributed to a specific or identifiable individual.
Consent of the individual
Consent of the data subject means any voluntary, express, informed and unequivocal statement of the will of the data subject by which, by a statement or a clear affirmative action, he expresses his consent to the processing of personal data relating to him.
Breach of personal data protection
A breach of personal data protection means a breach of security that results in the intentional or illegal destruction, loss, alteration, unauthorized disclosure or access to personal data that is sent, stored or otherwise processed.
PERSONAL DATA PROCESSING
Processor data
Mogway d.o.o.
Tržaška cesta 29, 1370 Logatec, Slovenia
Registration number: 7213549000
Tax number: SI 44951841
The company was registered in the Court Register of the Republic of Slovenia on 16.1.2017.
The person responsible for providing information regarding this act and the protection of personal data is:
Polona Peklaj, info@mogway.eu
Subprocessors
The processor has concluded contracts on the further processing of personal data of individuals of a specific controller in cases where it has external processors for the performance of its services, who are its sub-processors in relation to the controller. The processor is responsible for the selection of sub-processors and ensures that they are bound to the same or higher level of personal data protection as stipulated by Slovenian and European Union regulations. The processor informs the administrator about its existing processors and about any replacement of processors or the hiring of new processors. It does this by announcing the publication of new privacy conditions, in which it specifies the new processors and gives the manager thirty days to comment on the changes, confirm or oppose them.
Legal basis for processing personal data
The processor has a legal basis for processing the personal data of individuals of a specific controller in a previously concluded contract between the controller and the processor or on the basis of another agreement on the order of the service.
The processor is responsible for ensuring that managers are familiar with this act and other acts of the processor, insofar as they regulate the processing of personal data of individuals and/or the terms of business for the provision of ordered services.
The controller is responsible for ensuring the appropriate legal basis for the processing of personal data (legal interest, contractual interest and/or express consent of the individual).
Types of personal data
The processor processes the personal data provided by the controller. The processor never processes other personal data of the individuals of the specific controller.
Purposes of personal data processing
The processor processes the personal data of the individuals of a specific operator only for the purposes for which the operator has given it an instruction. The processor never processes the personal data of individuals of a certain controller for other purposes.
The role of the manager
The controller is obliged to give instructions to the processor for the processing of the personal data of the individuals it manages. The controller must clearly and unambiguously inform the processor which types of personal data can be processed and for what purposes.
Documented operator instructions
According to this act, the controller is obliged to specify to the processor the content and duration of the processing of personal data, the nature and purpose of the processing, the types of personal data and the categories of individuals to whom the personal data refers.
The controller's instructions must be documented, whereby they can be given in writing by regular or electronic mail, and in the case of oral instructions, the processor also requires written confirmation by regular mail or by e-mail.
The processor is not responsible for the legality of the instructions received from the controller for the processing of personal data of individuals of a particular controller.
Data confidentiality
The processor ensures that the persons authorized to process personal data are bound by confidentiality or are bound by the relevant law to confidentiality. The processor has an adopted internal Rulebook on the protection of personal data and obtains from all employees and external collaborators a written commitment to data confidentiality, familiarization with the rules and the appropriate security measures that the processor implements to ensure an adequate level of data security.
The rights of individuals
The processor technically ensures that, according to the instructions of the controller and within the legal scope, it provides support and technical solutions as well as the final data that the controller needs when individuals with the controller exercise one or more rights provided for by law: the right to correction, the right to deletion, the right to limit processing, the right to data portability and the right to object.
Deletion or transfer of data
Based on a prior documented instruction from the controller, the processor deletes or returns all personal data to the controller after completing the service it performs for the controller and destroys existing copies, except in cases where data storage is prescribed by law.
Access to information
The processor provides the controller with all the information necessary to demonstrate compliance with the obligations from this act and legislation, and enables the controller or another auditor authorized by the controller to carry out audits, including inspections, and participates in them.
SECURITY OF PERSONAL DATA PROCESSING
Security of processing
Taking into account the latest technological developments and implementation costs and the nature, extent, circumstances and purposes of processing, as well as risks to rights and freedoms of individuals, which differ in probability and severity, the controller and processor ensure an appropriate level of security in relation to the risk by implementing appropriate technical and organizational measures, including but not limited to measures covering:
pseudonymization and encryption of personal data,
the ability to ensure ongoing confidentiality and integrity, availability and resilience of processing systems and services,
the ability to timely restore availability and access to personal data in the event of a physical or technical incident,
procedures for regular testing, assessment and evaluation of the effectiveness of technical and organizational measures to ensure processing security.
In determining the appropriate level of security, particular consideration shall be given to the risks posed by the processing, in particular due to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that is sent, stored or otherwise processed.
Authorized person for data protection
The processor is not obliged to appoint a person authorized to protect personal data, because it does not carry out the processing as a public authority or body, its core activity does not consist of processing which, due to its nature, extent and/or purposes, requires regular and systematic comprehensive monitoring of the individuals to whom the personal data relate, and the core activity of the processor does not include extensive processing of special types of personal data.
Security measures
The processor ensures adequate security measures in the processing of personal data to ensure the protection of personal data. Security measures are regularly monitored and updated in line with developments in technology and legislative requirements.
The processor informs the controller about security measures and appropriate technical solutions in a separate document that is an integral part of these privacy conditions, which govern the legal relations between the controller and processors, and the Rules on the Protection of Personal Data, which governs the legal relationship between the processor and employees who process the personal data of individuals of a particular controller.
FINAL PROVISIONS
Binding nature of legal terms
1. Privacy conditions apply to all managers with whom the processor has a regulated legal-business relationship by contract or in writing via e-mail. They are confirmed by the managers via e-mail, whereby it is considered that an annex to the existing legal relationship has been accepted, or with a written annex to an existing written contract, if the controller so requests.
2. The privacy conditions are binding for all legal transactions concluded on their basis.
3. Privacy conditions are an integral part of the service order by the operator.
4. The administrator confirms familiarity and agreement with these privacy conditions before ordering the service (in the contract or in writing via electronic communication).
Changes to the privacy terms
1. The processor regularly updates the privacy conditions with legal changes.
2. The processor informs the operator about changes in a timely manner in writing by e-mail.
4. The processor provides an archive of changes to the privacy conditions, which can be accessed by any operator with a prior written request to the processor’s contact email address.
Conflict solving
The processor and the operator undertake to resolve potential disagreements and disputes peacefully and consensually. If an amicable solution is not possible, the court in the Republic of Slovenia according to the registered office of the processor is competent to resolve the dispute.

