Privacy Notice of Lonstroff AG

Version dated August 2023, updated in September 2024

With this Privacy Notice we, Lonstroff AG (hereinafter Lonstroff, we or us), describe how we collect and further process personal data. This Privacy Notice is not necessarily a comprehensive description of our data processing. It is possible that other Privacy Notices or General Terms and Conditions, Conditions of Participation or similar documents are applicable to specific circumstances.

This Privacy Notice is aligned with the Federal Act on Data Protection («FADP») and the EU General Data Protection Regulation («GDPR»). However, the application of these laws depends on each individual case.

The terminology, some of which is differentiated in the FADP and the EU GDPR, is used consistently in this privacy policy. They should be understood in the specific case in accordance with the relevant legal regulations.

In this privacy policy, we use the term “data” synonymously with “personal data”. Personal data is in-formation that makes it possible to identify a natural person. This includes, in particular, your name, date of birth, address, telephone number, email address, but also your IP address. Anonymous data exists if no personal reference to the user can be established.

If you provide us with personal data of other persons (such as family members, work colleagues), please make sure the respective persons are aware of this Privacy Notice and only provide us with their data if you are allowed to do so and such personal data is correct.

The FADP does not stipulate that a legal basis for data processing must be specified. If such a basis is specified and no explicit reference is made to the FADP (see section 4), the legal basis specified refers to data processing in accordance with the EU GDPR.

This privacy policy provides you with comprehensive information about the processing of your personal data by Lonstroff and the rights to which you are entitled.

1. Controller / Data Protection Officer / Representative

The “controller” of data processing as described in this Privacy Notice (i.e. the responsible person) is Lonstroff AG, Industrie Nord 1, 5634 Merenschwand.

You can notify us of any data protection related concerns regarding Lonstroff, using the following con-tact details:

Lonstroff AG
Industrie Nord 1
CH-5634 Merenschwand
privacy@lonstroff.com
Phone number: +41 62 836 37 37

Our representative in the EEA according to art. 27 GDPR is: Dunja Bevc, privacy@lonstroff.com, Lonstroff Medicinski Elastomeri, d.o.o., Privacy, Obrtna cona Logatec 31, SI-1370 Logatec, Slowenien.

2. 2. Purpose of Data Processing and Legal Grounds

We use the personal data we collect primarily for these processing purposes:

• [1] Communication: Responding to inquiries and the exercise of your rights and to enable us to contact you in case of queries. We keep this data to document our communication with you, for training purposes, for quality assurance and for follow-up inquiries. [for categories of personal data affected see section 3: a, b, d]
• [2] Contract and contractual relationships: We process data for the conclusion, administration, execution, and performance of contractual relationships with you or the entity you represent or are employed with (e.g. customer, supplier, subcontractor, service provider), especially in the context of the production of elastomers for our customers. [for categories of personal data affected see section 3: a, b, c, d]
• [3] Marketing and relationship management: We process data for marketing purposes and relationship management, for example to send our customers and other contractual partners advertising for products and services from us. This may happen in the form of newsletters and other regular contacts (electronically, by e-mail or by telephone), through other channels for which we have contact information from you, but also as part of marketing campaigns (for ex-ample events, etc.). You can object to such contacts at any time (see at the end of this Section 9) or refuse or withdraw consent to be contacted for marketing purposes. [for categories of personal data affected see section 3: b, d]
• [4] Safety and security: We may also process your data for security and access control purposes to our premisses and information systems. [for categories of personal data affected see section 3: d, h]
• [5] Compliance and fulfilment of our legal obligations: We may process your data to comply with laws, directives and recommendations from domestic and international authorities and internal regulations. [for categories of personal data affected see section 3: a, b, c, d, g, h]
• [6] Risk and quality management: We also process data for the purposes of our risk and quality management and as part of our corporate governance, including business organisation and development. [for categories of personal data affected see section 3: c, g, h]
• [7] Provision of services: We may process your data to provide you with information services (e.g., on our website or social media) our technology services at our locations (e.g., guest internet access). [for categories of personal data affected see section 3: d, f]
• [8] Recruiting: We process your data during a recruitment process to occupy a vacancy within our company or group. [for categories of personal data affected see section 3: a, b, e]
• [9] Use of social media (Facebook, Instagram): As the operator of our social media accounts, we can only see your public profile (displayed information depend on your profile settings) and information you provide (your messages, inquiries, or other posts to us). We then process this data for the purpose of using social media account and responding to (if applicable) your posts accordingly. For information on the processing done by the platform providers, please refer to the privacy information of the relevant platforms. [for categories of personal data affected see section 3: b, c, h]

You may be affected by our data processing in your capacity as an employee of such a client or business partner.

In addition, in line with applicable law and where appropriate, we may process your personal data and personal data of third parties for other purposes, which are in our (or, as the case may be, any third parties’) legitimate interest, such as:

• Providing and developing our products, services and websites and other platforms, on which we are active;
• Communication with third parties and processing of their requests (e.g., job applications, media inquiries);
• Review and optimization of procedures regarding needs assessment for the purpose of direct customer approach as well as obtaining personal data from publicly accessible sources for customer acquisition;
• Advertisement and marketing (including organizing events), provided that you have not objected to the use of your data for this purpose (if you are part of our customer base and you receive our advertisement, you may object at any time and we will place you on a blacklist against further advertising mailings);
• Asserting legal claims and defense in legal disputes and official proceedings;
• Prevention and investigation of criminal offences and other misconduct (e.g. conducting internal investigations, data analysis to combat fraud);
• Ensuring our operation, including our IT, our websites and other appliances;
• Video surveillance to protect our domiciliary rights and other measures to ensure the safety of our premises and facilities as well as protection of our employees and other individuals and as-sets owner by or entrusted to us (such as e.g. access controls, visitor logs, network and mail scanners);
• Acquisition and sale of business divisions, companies or parts of companies and other corporate transactions and the transfer of personal data related thereto as well as measures for business management and compliance with legal and regulatory obligations as well as internal regulations of Lonstroff.

These additional purposes also include the protection of other legitimate interests, which cannot be listed exhaustively.

3. Collection and Processing of Personal Data

We primarily process personal data that we obtain from our clients and other business partners as well as other individuals in the context of our business relationships with them or that we collect from users when operating our websites and other applications.

We process personal data depending on your relationship with us and on the purpose for which we process the data (see section 2). Additionally, to your contact details, we also process other information about you or the people who are related to you. If indispensable, this information may also consist of sensitive personal data.

We process the following categories of personal data, depending on the purpose for which we process them (purposes are mentioned in the square brackets in section 2):

• [a] Master data: Basic data that we need, for the performance of our contractual and other business relationships or for marketing and promotional purposes, such as name and contact details, and information about, for example, your role and function, your date of birth, customer history, powers of attorney, signature authorizations and declarations of consent. We process your master data if you are a customer or other business contact or work for one (for example as a contact person of the business partner), or because we wish to address you for our own purposes or for the purposes of a contractual partner (for example as part of marketing and advertising, with invitations to events, with newsletters, etc.). We receive master data from you (for example when you make a purchase or as part of a registration), from parties you work for, or from third parties such as contractual partners, associations, and address brokers, and from public sources such as public registers or the internet (websites, social media, etc.). We may also collect master data from our shareholders and investors. [purposes according to section 2: 1, 2, 5, 8]
• [b] Communication data: When you are in contact with us via a contact form, by e-mail, telephone, or chat, or by letter or other means of communication, we collect the data exchanged be-tween you and us, including your contact details and the metadata of the communication. If we must determine your identity, for example in relation to service qualification control for maintenance, a request for information, etc., we collect data to identify you. [purposes according to section 2: 1, 2, 3, 5, 8]
• [c] Contract data: This means data that is collected in relation to the conclusion or performance of a contract, for example information about the contracts and the services provided or to be provided, as well as data from the period leading up to the conclusion of a contract, information required or used for performing a contract, and information about feedback or audit findings (for example complaints, feedback about satisfaction, etc.). We generally collect this data from you, from contractual partners and from third parties involved in the performance of the contract, but also from third-party sources (for example credit information providers) and from public sources. [purposes according to section 2: 2, 5, 6]
• [d] Registration data: Certain services (such as login areas of our website or cloud space, newsletters, etc.) can only be used with a user account or registration, which can happen directly with us or through our third-party login service providers. In this regard you need provide us with certain data (such as name, email, phone number), and we collect data about the use of the offering or service. Registration data may be required in relation to access control to certain facilities. [purposes according to section 2: 1, 2, 3, 4, 5, 7]
• [e] Application data: When you apply for a job or send us your application dossier, we collect this information (e.g., CV, motivational letter, references) to process your application. We generally collect this data from you, from recruiting partners, and from third parties of your choosing when submitting your application. [8]
• [f] Technical data: When you use our website or other online offerings (for example Guest Wi-Fi), we collect the IP address of your terminal device and other technical data to ensure the functionality and security of these offerings. This data includes logs with records of the use of our systems. [purposes according to section 2: 7]
• [g] Files and documents with references to you: We also collect data from you in other situations. For example, data that may relate to you (such as files, evidence, etc.) is processed in relation to administrative or judicial proceedings. [purposes according to section 2: 5, 6]
• [h] Image and sound recordings and registration logs: Photos, videos, and sound recordings in which you may be identifiable (for example at events, with security cameras, etc.). We may also collect data about who enters certain buildings, and when or who has access rights (including in relation to access controls, based on registration data or lists of visitors, etc.), who participates in events and who uses our infrastructure and systems and when. [purposes according to section 2: 4, 5, 6]

More detailed information can be found in the description of the respective categories of processing (see section 2).

We usually collect these data directly from you. We may also receive information from our customers about individuals who have no direct relationship with us but with our customer (e.g. data about the customer’s employees). We collect certain data from public or official sources (e.g. debt registers, land registries, commercial registers, press, internet) or receive data from different companies within the Lonstroff group, authorities or other third parties. Apart from data you provided to us directly, the categories of data we receive about you from third parties include, but are not limited to:

• Information from public registers
• Data received in connection with administrative or court proceedings
• Information in connection with your professional role and activities (e.g., to conclude and carry out contracts with your employer)
• Information about you in correspondence and discussions with third parties
• Credit rating information (if we conduct business activities with you personally)
• Information about you given to us by individuals associated with you (consultants, legal representatives, etc.) in order to conclude or process contracts with you or with your involvement (e.g. references, your delivery-address, powers of attorney)
• Information regarding legal regulations such as anti-money laundering and export restrictions
• Bank details, information regarding insurances, our distributors and other business partners for the purpose of ordering or delivering services to you or by you (e.g., payments made, previous purchases)
• Information about you found in the media or internet (insofar as indicated in the specific case, e.g. in connection with job applications, media reviews, marketing/sales, etc.)
• Data in connection with your use of our websites (e.g., IP address, MAC address of your smartphone or computers, information regarding your device and settings, date and time of your visit, sites and content retrieved, applications used, localization data)

4. Legal Bases for the Processing of Personal Data

We process your personal data for the above-mentioned purposes, depending on the situation, in partic-ular based on the following legal bases in accordance with Art. 6 GDPR:

• the processing of personal data is necessary for the performance of a contract with you or to take steps prior to entering into a contract;
• you have given your consent to the processing of personal data concerning you;
• the processing of personal data is necessary for compliance with a legal obligation;
• the processing is necessary in order to protect the vital interests of the data subject or of an-other natural person; or
• we have a legitimate interest in the processing of the personal data, whereby our legitimate interests may include the following interests in particular good customer service, maintaining con-tact and communication with customers, including outside of a contract; in advertising and marketing activities; to improve services and develop new ones; to combat fraud; to protect customers, employees and other persons as well as our data, trade secrets and assets; to ensure adequate security (both physical and digital); ensuring and organizing business operations, including the operation and further development of websites and other systems; management and development; the sale or purchase of companies, parts of companies and other assets; the en-forcement or defense of legal claims; compliance with Swiss and foreign law and other rules applicable to us.

If you have given us your consent to process your personal data for specific purposes (for example, when you register to receive newsletters or carry out a background check), we will process your per-sonal data within the scope of and based on this consent, unless we have another legal basis and re-quire one. Consent that has been given can be withdrawn at any time, but this has no effect on data processing that has already taken place.

5. Cookies / Tracking and Other Techniques Regarding the Use of our Website

We typically use “cookies” and similar technologies on our websites to identify your browser or device. A cookie is a small file that is sent to your device or automatically stored on your device by the web browser you use when you visit our website. This enables us to recognize you when you return to this website, even if we do not know who you are. In addition to cookies that are only used during a session and are deleted after your visit to the website (“session cookies”), cookies can also be used to store user settings and other information for a certain period of time (e.g. two years) (“permanent cookies”). However, you can set your browser so that it rejects cookies, only stores them for one session or otherwise deletes them prematurely. Most browsers are preset to accept cookies. We use permanent cookies so that you can save user settings (e.g. field entries, language settings). If you block cookies, certain functions may no longer work. We use cookies to improve the user experience on our website (“performance cookies”) as well as strictly necessary cookies for the technical operation of the website (“functional cookies”).

We attach great importance to protecting your privacy when you visit our website. We therefore refrain from using the following technologies for the purposes described:

• We do not use “cookies” and similar technologies on our websites for advertising purposes, cross-site tracking or to track your behaviour on our website. Accordingly, we do not use any technologies to better understand how you use our offers and content or so that we can display offers and advertising tailored to you.
• We do not include any visible or invisible image elements in our newsletters and other marketing e-mails that we can retrieve from our servers to determine whether and when you have opened the e-mail.
• We do not use any services from Google Analytics or comparable providers on our websites.
• We do not use any plug-ins from social networks such as Facebook, “X”, YouTube, Pinterest, Instagram, or others on our websites.

6. Data Transfer and Transfer of Data Abroad

In the context of our business activities and in line with the purposes of the data processing set out in section 2, we may transfer data to third parties, insofar as such a transfer is permitted and we deem it appropriate, in order for them to process data for us or, as the case may be, their own purposes. In particular, the following categories of recipients may be concerned:

• Our service providers (between Lonstroff AG and its production site in Slovenia (Lonstroff Medicinski Elastomeri, d.o.o) or externally, such as e.g. banks, insurances), including processors (such as e.g. IT providers);
• dealers, suppliers, subcontractors and other business partners;
• clients;
• domestic and foreign authorities or courts;
• the media;
• the public, including users of our websites and social media;
• competitors, industry organizations, associations, organizations and other bodies;
• acquirers or parties interested in the acquisition of business divisions, companies or other parts of Lonstroff AG;
• other parties in possible or pending legal proceedings;

together Recipients.

Certain Recipients may be within Switzerland, but they may be located in any country worldwide. In par-ticular, you must anticipate your data to be transmitted to any country in which Lonstroff AG is represented by affiliates, branches or other offices (European Union). Details can be found in the list below. Likewise, you must expect the transfer of your data to other countries in Europe and the USA, where our service providers are located (such as Microsoft).

If a recipient is located in a country without adequate statutory data protection, we require the recipient to undertake to comply with data protection (for this purpose, we use the revised European Commission’s standard contractual clauses, which can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?), unless the recipient is subject to a legally accepted set of rules to ensure data protection and unless we cannot rely on an exception. An exception may apply for example in case of legal proceedings abroad, but also in cases of overriding public interest or if the performance of a contract requires disclosure, if you have consented or if data has been made available generally by you and you have not objected against the processing.

7. Retention Periods for your Personal Data

We generally process and store your personal data for as long as required by our processing purposes (see section 2), retention obligations, contractual and legal obligations, legitimate interests or if storage is technically necessary (e.g. in the case of backups or document management). Personal data may be stored for the period in which legal or regulatory claims can be asserted against our company and insofar as we are otherwise legally obliged to do so or legitimate business interests require this (e.g. for evidence and documentation purposes). This period is regularly at least ten years, e.g. to fulfill archiving obligations under tax law and accounting regulations or to ensure the enforcement of claims. As soon as your personal data is no longer required for the above-mentioned purposes, it will be deleted or anonymized as far as possible. For operational data (e.g. system protocols, logs), shorter retention periods of twelve months or less generally apply.

8. Data Security

We have taken appropriate technical and organizational security measures to protect your personal data from unauthorized access and misuse such as internal policies, trainings, IT and network security solutions, access controls and restrictions, encryption of data carriers and transmissions. Connections to our website are encrypted over HTTPS using SSL.

9. Profiling and Automated Individual Decisions

We do not automatically evaluate personal aspects relating to you («profiling») based on your data for the purposes set out in Section 2.

10. Obligation to Provide Personal Data To Us

You are not obliged or required to disclose data to us except in certain cases, for example within the framework of binding health protection concepts (legal obligations). If you wish to enter into contracts with us or use our services, you must also provide us with certain data, in particular master data, con-tract data and registration data, as part of your contractual obligation under the relevant contract. When using our website, the processing of technical data cannot be avoided. If you wish to gain access to certain systems or buildings, you must also provide us with registration data.

We provide certain services to you only if you provide us with registration data, because we or our contractual partners wish to know who uses our services or has accepted an invitation to an event, because it is a technical requirement or because we wish to communicate with you. If you or the person you represent (for example your employer) wishes to enter into or perform a contract with us, we must collect master data, contract data and communication data from you, and we process technical data if you wish to use our website or other electronic offerings for this purpose. If you do not provide us with the data necessary for the conclusion and performance of the contract, you should expect that we may refuse to conclude the contract, that you may commit a breach of contract or that we will not perform the contract. Similarly, we can only submit a response to a request from you if we process communication data and – if you communicate with us online – possibly also technical data. Also, the use of our website is not possible without us receiving technical data.

11. Your Rights

In accordance with and as far as provided by applicable law, you have the right to access, rectification and erasure of your personal data, the right to restriction of processing or to object to our data processing, in particular for direct marketing purposes, for profiling carried out for direct marketing purposes and for other legitimate interests in processing in addition to right to receive certain personal data for transfer to another controller (data portability). Please note, however, that we reserve the right to en-force statutory restrictions on our part, for example if we are obliged to retain or process certain data, have an overriding interest (insofar as we may invoke such interests) or need the data for asserting claims. If exercising certain rights will incur costs on you, we will notify you thereof in advance. We have already informed you of the possibility to withdraw consent in Section 2 above. Please further note that the exercise of these rights may be in conflict with your contractual obligations, and this may result in consequences such as premature contract termination or involve costs. If this is the case, we will inform you in advance unless it has already been contractually agreed upon.

In general, exercising these rights requires that you are able to prove your identity (e.g., by a copy of identification documents where your identity is not evident otherwise or can be verified in another way). In order to assert these rights, please contact us at the addresses provided in section 0 above.

In addition, every data subject has the right to enforce his/her rights in court or to lodge a complaint with the competent data protection authority. The competent data protection authority of Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).

12. Amendments of this Privacy Notice

We may amend this Privacy Notice at any time without prior notice. The current version published on our website shall apply. If the Privacy Notice is part of an agreement with you, we will notify you by e-mail or other appropriate means in case of an amendment. Last change: September 2024

Privacy Notice of Lonstroff d.o.o.

1. Data Controller(s)

2. Purposes of processing personal data

3. Categories of personal data and retention periods

4. Is providing personal data contractual obligation?

5. Legal basis for processing personal data

6. Profiling and automated individual decisions

7. With whom do we share your data?

8. Is your personal data disclosed abroad?

9. What are your rights?

10. Do we use online tracking?

11. Can we update this Privacy Notice?

1. Data Controller(s)

Lonstroff d.o.o., Obrtna cona Logatec 31, 1370 Logatec (also «we», «us») collects and processes personal data that concern you as an individual. We use the word «data» here interchangeably with «personal data». In some cases, we may process personal data as joint controller together with our parent company, Lonstroff AG, Switzerland. In case of joint control, this document shall be considered as the Privacy Notice of each joint controller.

You may contact us for data protection concerns and to exercise your rights as follows:

Lonstroff Medicinski Elastomeri, d.o.o
Obrtna cona Logatec 31
SI-1370 Logatec
privacy@lonstroff.com
phone number: +386 1 780 09 04

Lonstroff AG
Industrie Nord 1
CH-5634 Merenschwand
privacy@lonstroff.com
phone number: +41 62 836 37 37

2. Purposes of processing personal data

In this Privacy Notice, we describe what we do with your data when you: i) use lonstroff.com or our social media profiles or our wi-fi, ii) obtain services/products from us or work for entity who does; iii) provide services/goods from us or work for entity who does; iv) interact with us in relation to a contract not yet concluded or any other matter, also marketing v) visit our factory, vi) communicate with us or otherwise deal with us as an external individual; vii) you or the entity you work for are in any kind of contractual relation with us.

We process your data for the purposes explained below:

• [1] Communication: Responding to inquiries and the exercise of your rights and to enable us to contact you in case of queries. We keep this data to document our communication with you, for training purposes, for quality assurance and for follow-up inquiries. [for categories of personal data affected see section 3: a, b, d]
• [2] Contract and contractual relationships: We process data for the conclusion, administration, execution, and performance of contractual relationships with you or the entity you represent or are employed with (e.g. customer, supplier, subcontractor, service provider), especially in the context of the production of elastomers for our customers. [for categories of personal data affected see section 3: a, b, c, d]
• [3] Marketing and relationship management: We process data for marketing purposes and relationship management, for example to send our customers and other contractual partners advertising for products and services from us. This may happen in the form of newsletters and other regular contacts (electronically, by e-mail or by telephone), through other channels for which we have contact information from you, but also as part of marketing campaigns (for example events, etc.). You can object to such contacts at any time (see at the end of this Section 9) or refuse or withdraw consent to be contacted for marketing purposes. [for categories of personal data affected see section 3: b, d]
• [4] Safety and security: We may also process your data for security and access control purposes to our premisses and information systems. [for categories of personal data affected see section 3: d, h]
• [5] Compliance and fulfilment of our legal obligations: We may process your data to comply with laws, directives and recommendations from domestic and international authorities and internal regulations. [for categories of personal data affected see section 3: a, b, c, d, g, h]
• [6] Risk and quality management: We also process data for the purposes of our risk and quality management and as part of our corporate governance, including business organisation and development. [for categories of personal data affected see section 3: c, g, h]
• [7] Provision of services: We may process your data to provide you with information services (e.g., on our website or social media) our technology services at our locations (e.g., guest internet access). [for categories of personal data affected see section 3: d, f]
• [8] Recruiting: We process your data during a recruitment process to occupy a vacancy within our company or group. [for categories of personal data affected see section 3: a, b, e]
• [9] Use of social media (Facebook, Instagram): As the operator of our social media accounts, we can only see your public profile (displayed information depend on your profile settings) and information you provide (your messages, inquiries, or other posts to us). We then process this data for the purpose of using social media ac-count and responding to (if applicable) your posts accordingly. For information on the processing done by the platform providers, please refer to the privacy information of the relevant platforms. [for categories of personal data affected see section 3: b, c, h]

You may be affected by our data processing in your capacity as an employee of such a client or business partner.

We may process your data for further purposes, in line with applicable law and where appropriate, for example as part of our internal processes and administration or for quality assurance purposes and trainings.

These further purposes include, for example, training and educational purposes, administrative purposes (such as managing master data, accounting and data archiving, and testing, managing and continuously improving IT infrastructure), protecting our rights (for example to enforce claims in or out of court, and before authorities in Slovenia and abroad, or to defend ourselves against claims, for example by preserving evidence, conducting legal assessments and participating in court or administrative proceedings) and evaluating and im-proving internal processes. These further purposes also include safeguarding other legitimate interests that cannot be named exhaustively.

3. Categories of personal data and retention periods

We primarily process personal data that we obtain from you, our clients and other business partners as well as other individuals in the context of our business relationships with them or that we collect from users when operating our websites and other applications.

We process the following personal data, depending on the purpose for which we process them (purposes are mentioned in the square brackets in section 2):

• [a] Master data: Basic data that we need, for the performance of our contractual and other business relationships or for marketing and promotional purposes, such as name and contact details, and information about, for example, your role and function, your date of birth, customer history, powers of attorney, signature authorizations and declarations of consent. We process your master data if you are a customer or other business contact or work for one (for example as a contact person of the business partner), or because we wish to address you for our own purposes or for the purposes of a contractual partner (for example as part of marketing and advertising, with invitations to events, with newsletters, etc.). We receive master data from you (for example when you make a purchase or as part of a registration), from parties you work for, or from third parties such as contractual partners, associations, and address brokers, and from public sources such as public registers or the internet (websites, social media, etc.). We may also collect master data from our shareholders and investors. [purposes according to section 2: 1, 2, 5, 8]
• [b] Communication data: When you are in contact with us via a contact form, by e-mail, telephone, or chat, or by letter or other means of communication, we collect the data exchanged between you and us, including your contact details and the metadata of the communication. If we must determine your identity, for example in relation to service qualification control for maintenance, a request for information, etc., we collect data to identify you. [purposes according to section 2: 1, 2, 3, 5, 8]
• [c] Contract data: This means data that is collected in relation to the conclusion or performance of a contract, for example information about the contracts and the services provided or to be provided, as well as data from the period leading up to the conclusion of a contract, information required or used for performing a contract, and information about feedback or audit findings (for example complaints, feedback about satisfaction, etc.). We generally collect this data from you, from contractual partners and from third parties involved in the performance of the contract, but also from third-party sources (for example credit information providers) and from public sources. [purposes according to section 2: 2, 5, 6]
• [d] Registration data: Certain services (such as login areas of our website or cloud space, newsletters, etc.) can only be used with a user account or registration, which can happen directly with us or through our third-party login service providers. In this regard you need provide us with certain data (such as name, email, phone number), and we collect data about the use of the offering or service. Registration data may be required in relation to access control to certain facilities. [purposes according to section 2: 1, 2, 3, 4, 5, 7]
• [e] Application data: When you apply for a job or send us your application dossier, we collect this information (e.g., CV, motivational letter, references) to process your application. We generally collect this data from you, from recruiting partners, and from third par-ties of your choosing when submitting your application. [8]
• [f] Technical data: When you use our website or other online offerings (for example Guest Wi-Fi), we collect the IP address of your terminal device and other technical data to ensure the functionality and security of these offerings. This data includes logs with records of the use of our systems. [purposes according to section 2: 7]
• [g] Files and documents with references to you: We also collect data from you in other situations. For example, data that may relate to you (such as files, evidence, etc.) is processed in relation to administrative or judicial proceedings. [purposes according to section 2: 5, 6]
• [h] Image and sound recordings and registration logs: Photos, videos, and sound recordings in which you may be identifiable (for example at events, with security cameras, etc.). We may also collect data about who enters certain buildings, and when or who has access rights (including in relation to access controls, based on registration data or lists of visitors, etc.), who participates in events and who uses our infrastructure and systems and when. [purposes according to section 2: 4, 5, 6]

As far as it is not unlawful, we also collect data from public sources (for example debt collection registers, commercial registers, or the internet) or receive data from other companies within our group, from public authorities and from other third parties (such as credit agencies, associations, contractual partners, etc.).

Your data will be processed as long as necessary to achieve the purpose for which they were obtained. When the legal basis for processing is your consent, the processing will be carried out until the consent is revoked, if such withdrawal will be submitted to us before the purpose(s) from previous sentence will be achieved. In cases where the law stipulates retention period (e.g. the VAT Act), these data will be processed in accordance with the legal provisions determining retention period.

After achieving the relevant time point from the previous paragraph, we will further keep and store your data until the expiration of statute(s) of limitations (as a rule 3 or 5 years) and/or until a final decision on the already initiated matter (also considering deadline to file an extraordinary legal remedy). Video surveillance recordings are kept for a maximum of 1 year after the recording was made. In case any kind of inspection, administrative procedure, litigation, enforcement, or any other legal procedure will be initiated where your data may be relevant, we will further process your personal data during such procedures if necessary to defend and protect our legitimate interests.

4. Is providing personal data contractual obligation?

You are not obliged or required to disclose data to us except in certain cases, for example within the framework of binding health protection concepts (legal obligations). If you wish to enter into contracts with us or use our services, you must also provide us with certain data, in particular master data, contract data and registration data, as part of your contractual obligation under the relevant contract. When using our website, the processing of technical data cannot be avoided. If you wish to gain access to certain systems or buildings, you must also provide us with registration data.

We provide certain services to you only if you provide us with registration data, because we or our contractual partners wish to know who uses our services or has accepted an invitation to an event, because it is a technical requirement or because we wish to communicate with you. If you or the person you represent (for example your employer) wishes to enter into or perform a contract with us, we must collect master data, contract data and communication data from you, and we process technical data if you wish to use our web-site or other electronic offerings for this purpose. If you do not provide us with the data necessary for the conclusion and performance of the contract, you should expect that we may refuse to conclude the contract, that you may commit a breach of contract or that we will not perform the contract. Similarly, we can only submit a response to a request from you if we process communication data and – if you communicate with us online – possibly also technical data. Also, the use of our website is not possible without us receiving technical data.

5. Legal basis for processing personal data

Where we ask for your consent for certain processing activities (for example for the processing of sensitive personal data where necessary or for marketing mailings), we will in-form you separately about the relevant processing purposes. You may withdraw your con-sent at any time with effect for the future by providing us written notice (by mail) or, unless otherwise noted or agreed, by sending an e-mail to us: privacy@lonstroff.com. Where you have a user account, you may also withdraw consent by contacting us as applicable. Once we have received notification of withdrawal of consent, we will no longer process your in-formation for the purpose(s) you consented to, unless we have another legal basis to do so. Withdrawal of consent does not, however, affect the lawfulness of the processing based on the consent prior to withdrawal.

Where we do not ask for consent for processing, the processing of your personal data is carried out in conformity with Art. 6 GDPR and relies on the following legal bases:

• Requirement of the processing for initiating or performing a contract with you. [for purposes for which data is processed on this legal basis, see section two, points: 1, 2, 5, 7, 8]
• Necessary for compliance with law or other legal obligations. [for purposes for which data is processed on this legal basis, see section two, points: 4, 5, 6]
• Our or a third-party legitimate interest in the particular processing, in particular in pursuing the purposes and objectives set out in Section 2 and in implementing related measures:
  • Promotion of products, brands, or the company [for purposes for which data is processed on this legal basis, see section two, points: 1, 3, 7, 9]
  • Ensuring the high-quality requirements of our products and good manufacturing principles [for purposes for which data is processed on this legal basis, see section two, points: 1, 6]
  • Fraud prevention, mitigation of risks [for purposes for which data is processed on this legal basis, see section two, points: 4, 6]
  • Protection of premises and company infrastructure [for purposes for which data is processed on this legal basis, see section two, points: 4]
  • Network and information security [for purposes for which data is processed on this legal basis, see section two, points: 4]
  • Visitor administration and ensuring their safety [for purposes for which data is processed on this legal basis, see section two, points: 4]
  • Strengthening our workforce and selecting suitable candidates [for purposes for which data is processed on this legal basis, see section two, points: 1, 8]
  • Communication with employees of external parties (clients, providers, suppliers etc.) [for purposes for which data is processed on this legal basis, see section two, points: 2, 7]

6. Profiling and automated individual decisions

We do not automatically evaluate personal aspects relating to you («profiling») based on your data for the purposes set out in Section 2.

7. With whom do we share your data?

In relation to our contracts, the website, our services and products, our legal obligations or otherwise with protecting our legitimate interests and the other purposes set out in Section 2, we may disclose your personal data to third parties, in particular to the following categories of recipients:

• Group companies: We may share data with our parent company (Lonstroff AG, based in Switzerland). This group company may use the data according to this Privacy Notice for the same purposes as we use it (see Section 2).
• Service providers: We work with service providers in Slovenia as well as possibly in other EEA countries and Switzerland who process your data on our behalf or as joint controllers with us or who receive data about you from us as separate controllers (for example IT providers, shipping companies, cleaning companies, security companies, banks, insurance companies, debt collection companies, credit information agencies, or address verification providers). Key service providers in the IT area are Microsoft, for taxation A tax, and for shipping DHL and similar companies.
  To be able to deliver our products and services efficiently and focus on our core competencies, we procure services from third parties in various areas. These include, for ex-ample, small batch shipping and delivery, facility management, security and cleaning, debt collection, credit agencies, address verification provider (for example to update ad-dress lists in case of relocations), fraud prevention measures and services from consulting companies, lawyers, banks, insurers, and telecommunication companies. In each case, we disclose to these providers the data they require for their services, which may also concern you. These providers may also use such data for their own purposes, for example information about overdue claims and your payment history in case of credit in-formation agencies or anonymised data to improve their services. In addition, we enter into contracts with these providers that include provisions to protect data, where such protection does not follow from the law. In some cases, our service providers may also process data on how their services are used and other data that is generated in the course of using their services as independent data controllers for their own legitimate in-terests (e.g., for statistical analysis or billing purposes). Service providers inform about their independent data processing activities in their own privacy statements. More in-formation on how Microsoft processes data can be found here; for the use of Microsoft Teams in particular here.
• Contractual partners including customers: This refers to customers (for example recipients or our products) and our other contractual partners as this data disclosure re-sults from these contracts. If you work for one of these contractual partners, we may al-so disclose data about you to that partner in this regard. These recipients also include contractual partners with whom we cooperate.
• Authorities: We may disclose personal data to agencies, courts and other authorities in Slovenia, the European Union and Switzerland if we are legally obliged or entitled to make such disclosures or if it appears necessary to protect our interests. These authorities act as separate controllers.
• Other persons: This means other cases where interactions with third parties follows from the purposes set out in Section 2, for example service recipients, training personal, and associations in which we participate or if you are included in one of our publications.

All these categories of recipients may involve third parties, so that your data may also be disclosed to them. We can restrict the processing by certain third parties (for example IT providers), but not by others (for example authorities, banks, etc.).

In addition, we may enable certain third parties to collect personal data from you at events organised by us (for example photographers, providers of tools on our website, etc.). Where we have no control over these data collections, these third parties are sole control-lers. If you have concerns or wish to exercise your data protection rights, please contact these third parties directly. See Section 10 for the website.

8. Is your personal data disclosed abroad?

When we disclose data to other parties, these may not all be located in Slovenia or the European Union. Your data may also be processed both in Switzerland, in exceptional cases, in any country in the world.

If a recipient is located in a country without adequate statutory data protection, we require the recipient to undertake to comply with data protection (for this purpose, we use the re-vised European Commission’s standard contractual clauses, which can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?), unless the recipient is subject to a legally accepted set of rules to ensure data protection and unless we cannot rely on an exception. An exception may apply for example in case of legal proceedings abroad, but also in cases of overriding public interest or if the performance of a contract requires disclosure, if you have consented or if data has been made available generally by you and you have not objected against the processing.

Many countries outside of Switzerland or the EEA currently do not have laws that ensure an adequate level of data protection under the DPA or the GDPR. The contractual arrangements mentioned compensate for this weaker or missing legal protection to some extent. However, contractual precautions cannot eliminate all risks (namely of government access abroad). You should be aware of these remaining risks, even though they may be low in an individual case, and we take further measures (for example pseudonymization or anonymization) to minimize them.

Please note that data exchanged via the internet is often routed through third countries. Your data may therefore be sent abroad even if the sender and recipient are in the same country.

9. What are your rights?

On grounds relating to your special situation, you have the right to object at any time to processing of personal data concerning you when processing is based on the performance of a task carried out in the public interest or legitimate interest, including profiling based on those provisions. We shall no longer process the personal data unless we will be able to demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise, or defence of legal claims.

Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

To help you control the processing of your personal data, you also have the right to:

• request access and information whether and what data we process from you;
• request correction of data if it is inaccurate;
• request erasure of data;
• request that we provide certain personal data in a commonly used electronic format or transfer it to another controller;
• withdraw consent, where our processing is based on your consent;
• request restriction of processing
• receive, upon request, further information that is helpful for the exercise of these rights;

If you wish to exercise the above-mentioned rights in relation to us, please contact us in writing, at our premises or, unless otherwise specified or agreed, by e-mail privacy@lonstroff.com. For us to be able to prevent misuse, we need to identify you.

You also have these rights in relation to other parties that cooperate with us as separate controllers – please contact them directly if you wish to exercise your rights in relation to their processing.

You also have the right to lodge a complaint with the competent data protection supervisory authority: Informacijski pooblaščenec RS, Dunajska 22, 1000 Ljubljana, e-mail: gp.ip@ip-rs.si, phone no. 01 230 97 30, website: www.ip-rs.si. You can find a list of authorities in the EEA here: https://edpb.europa.eu/about-edpb/board/members_en. You can reach the UK supervisory authority here: https://ico.org.uk/global/contact-us/. You can reach the Swiss supervisory authority here: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html. You can reach Slovenian supervisory authority here: https://www.ip-rs.si/.

10. Do we use online tracking?

We typically use “cookies” and similar technologies on our websites to identify your browser or device. A cookie is a small file that is sent to your device or automatically stored on your device by the web browser you use when you visit our website. This enables us to recognize you when you return to this website, even if we do not know who you are. In addition to cookies that are only used during a session and are deleted after your visit to the website (“session cookies”), cookies can also be used to store user settings and other information for a certain period of time (e.g. two years) (“permanent cookies”). However, you can set your browser so that it rejects cookies, only stores them for one session or otherwise deletes them prematurely. Most browsers are preset to accept cookies. We use permanent cookies so that you can save user settings (e.g. field entries, language settings). If you block cookies, certain functions may no longer work. We use cookies to improve the user experience on our website (“performance cookies”) as well as strictly necessary cookies for the technical operation of the website (“functional cookies”).

We attach great importance to protecting your privacy when you visit our website. We therefore refrain from using the following technologies for the purposes described:

• We do not use “cookies” and similar technologies on our websites for advertising purposes, cross-site tracking or to track your behaviour on our website. Accordingly, we do not use any technologies to better understand how you use our offers and content or so that we can display offers and advertising tailored to you.
• We do not include any visible or invisible image elements in our newsletters and other marketing e-mails that we can retrieve from our servers to determine whether and when you have opened the e-mail.
• We do not use any services from Google Analytics or comparable providers on our websites.
• We do not use any plug-ins from social networks such as Facebook, “X”, YouTube, Pinterest, Instagram, or others on our websites.

11. Can we update this Privacy Notice?

This Privacy Notice is not part of a contract with you. We can change this Privacy Notice at any time. The version published on this website is the current version. Last updated: September 2024