Data Protection Statement
Avant.Si d.o.o.
Business Zone A 49
4208 Šenčur
386 Slovenia
VAT ID: SI50709329
Company ID: 5655048000
(hereinafter referred to as "provider" or "processor")
provides
DATA PROTECTION STATEMENT
Provider:
(Emanuel Vidmar, Director)
1. ANNEXES
1.1. Annex No. 1: List of Data (List of personal data subject to processing)
2. DEFINITIONS
Provider: The company Avant.Si d.o.o., Business Zone A 49, 4208 Šenčur, VAT ID SI50709329, Company ID 5655048000.
Provider’s websites: Websites www.neoserv.si, www.neoserv.com, subscription portal moj.neoserv.si, my.neoserv.com.
Contractual services [of the provider]: Services that the provider makes available to all interested entities (legal or natural persons) on the websites. Contractual services are also defined in Annex No. 1 (List of Data), along with a description of the scope of data processing.
Client: The client is any entity (legal or natural person) that has entered into a business relationship with the provider via the websites or by other appropriate means to use the contractual services.
User: The user is any entity (legal or natural person) that uses the contractual services. A user may use the contractual services as a client or as a user of services ordered and/or provided by another client of the provider.
Individual: Any entity (legal or natural person) that possesses personal data that may be subject to processing by the controller or processor.
Regulation (EU) 2016/679: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. Link to the online copy: https://eur-lex.europa.eu/legal-content/SL/TXT/?uri=CELEX%3A32016R0679
Controller: The client who uses the provider’s contractual services via the websites (or otherwise) shall have the status of controller (or "data controller") under Regulation (EU) 2016/679.
Processor: The provider who enables the client to use the contractual services shall have the status of processor (or "data processor") under Regulation (EU) 2016/679.
Any other terms used in this statement have the same meaning as defined in Regulation (EU) 2016/679.
3. INTRODUCTORY PROVISIONS
3.1. This data protection statement is prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and forms part of the contractual relationship between the provider and the client.
3.2. The processor ensures that data transmitted when ordering and later using the contractual services is transferred over a properly secured HTTPS (SSL) connection.
3.3. The processor stores data exclusively within the EU and in regions recognized by the EU as having an adequate level of protection. More info: https://ec.europa.eu/info/law/law-topic/data-protection_en.
3.4. The processor will maintain proper records of all personal data received and necessary for the provision of contractual services.
3.5. Data also includes information encountered during the provision of contractual services. The processor will also maintain records of processing activities, including processing purposes (point 9.2 or Annex No. 1).
3.6. The processor ensures that the following data protection measures are observed:
3.6.1. Access to personal data is controlled through appropriately protected software that prevents unauthorized access.
3.6.2. The software grants access only to persons properly authorized by the processor (e.g., employees in specific roles).
3.6.3. Persons authorized by the processor to perform tasks involving personal data are bound to confidentiality, either by law or contractual obligation.
3.6.4. The processor grants authorized persons access only to data necessary for performing their job duties.
3.6.5. All employees and other persons involved in providing contractual services on the processor’s side are obliged to follow instructions and standards set by Regulation (EU) 2016/679 (Articles 28, 29, 32).
3.6.6. All employees and other persons involved in providing contractual services on the processor’s side are obliged to protect business secrets. This obligation remains in effect even after termination of employment, contractual relationships, or cooperation between the controller and processor.
3.6.7. The processor ensures audit trails to allow verification of data entry times, usage, transmission, access, or other processing.
3.7. The processor ensures that its operations comply with the provisions, requirements, and standards defined in this statement, Regulation (EU) 2016/679, and best practices in information security.
3.8. The processor also complies with all provisions of Regulation (EU) 2016/679 and good practices in information security related to the creation and storage of audit trails.
4. COLLECTION, PROCESSING, TRANSFER, AND STORAGE OF PERSONAL DATA
4.1. The controller confirms that all personal and related data subject to processing or provision of contractual services is collected lawfully and in accordance with Articles 6(1), 7(1), 8, and 9(2) of the Regulation.
4.2. The controller confirms that all individuals are informed clearly, understandably, and in writing of the principles of collecting, processing, transferring, and storing personal data as defined in Article 5 of the Regulation.
5. RIGHTS OF THE INDIVIDUAL
5.1. The controller ensures that all individuals can exercise their rights under Articles 12 to 22 of Regulation (EU) 2016/679.
5.2. The processor, in accordance with Articles 37, 38, and 39 of Regulation (EU) 2016/679, has appointed a data protection officer and defined their duties, responsibilities, and powers.
6. RIGHTS AND OBLIGATIONS OF THE CONTROLLER
6.1. The controller may at any time, at their own expense, verify the implementation of appropriate technical and organizational measures by the processor to ensure information security and personal data protection, and compliance with Regulation (EU) 2016/679.
6.2. The controller may restrict or prohibit the processor from cooperating with a particular sub-processor located inside or outside the EU.
6.3. The controller must provide all requests and instructions related to the provision of contractual services to the processor in writing.
6.4. The controller is obliged to ensure the lawful use of IT resources that are part of the contractual services and over which the processor has no control or influence.
7. RIGHTS AND OBLIGATIONS OF THE PROCESSOR
7.1. If the processor suspects that following the controller’s instructions would violate applicable law, it may temporarily suspend the provision of contractual services until the instruction is confirmed or amended. The processor must inform the controller of any suspected legal non-compliance and the intent to suspend services within a reasonable timeframe.
7.2. The processor may immediately stop any suspected illegal use or misuse of IT resources.
7.3. The processor may engage sub-processors inside or outside the EU for the provision of services within the scope and type of cooperation approved in advance and in writing by the controller. If the controller does not impose restrictions, the processor may conclude agreements at its discretion.
7.4. The processor must perform contractual services only within the scope and purposes defined in the order, general terms, and written requests or instructions of the controller.
7.5. The processor shall comply with all requirements of Regulation (EU) 2016/679 regarding the creation and storage of audit trails.
7.6. The processor shall implement and maintain all appropriate technical and organizational measures according to Regulation (EU) 2016/679 and information security best practices to ensure the protection, integrity, availability, and resilience of systems and services.
7.7. The processor shall conclude written agreements with approved sub-processors, ensuring they provide at least the same level of personal data protection as the processor.
7.8. Upon receiving a request from an individual to exercise their rights under Regulation (EU) 2016/679, the processor shall, if feasible, identify the individual and forward the request to the controller in a reasonable timeframe and in writing.
7.9. The processor shall cooperate with the Information Commissioner in cases specified by Regulation (EU) 2016/679 or upon written request by the controller.
7.10. Upon termination of cooperation, the processor shall permanently destroy all copies, remnants, or traces of personal data received or accessed during the provision of contractual services within 60 days, except where retention is required by law or due to technical constraints (e.g., system backups).
8. INCIDENT MANAGEMENT
8.1. The processor shall implement all technical and organizational measures in accordance with Regulation (EU) 2016/679 and information security best practices to manage and respond to suspected security incidents.
8.2. The processor and controller shall act immediately upon detection of a security incident in accordance with Articles 33 and 34 of Regulation (EU) 2016/679.
8.3. In addition to executing internal procedures, the processor and controller shall notify each other within 72 hours of a suspected security incident.
9. LIST OF DATA
9.1. Only data strictly necessary for the technical execution and provision of a specific service is stored.
9.2. The full list of processed data is defined in a separate document called the "List of Data" (List of personal data subject to processing). This is attached to this document (the "Data Protection" document) as Annex No. 1.
10. DOCUMENT VALIDITY
10.1. New versions of this statement fully replace previous versions.
10.2. In case of dispute regarding personal data protection, the provisions of this statement take precedence over the basic contractual relationship. The competent court is in Kranj, and Slovenian law applies.
10.3. Invalidity or unenforceability of any part of this statement does not affect the validity or enforceability of other provisions.
10.4. This statement is adopted and binding for both contractual partners from the moment of order submission (or written order confirmation) or payment. For existing clients, the statement applies from the date of publication.
10.5. The statement remains valid for the entire duration of the underlying contractual relationship.
Last updated: 6th August 2025