Legal basis
Legal basis
The University of Maribor strictly adheres to and follows all the key principles of the protection of personal data. We are processing the personal data of natural persons lawfully, fairly and in a transparent manner. For each processing of personal data, we have a particular legal basis, which is adequately recorded in the records of processing activities. Processed are only those personal data without which it is not possible to reasonably reach the purpose of the processing. Personal data are stored for no longer than strictly necessary according to the purpose and legal basis of the processing. We rigorously ensure accuracy of the processed data and process data in a way that ensures their adequate protection, including the protection against unauthorised or unlawful processing and loss, destruction or damage.
The purpose and legal basis for processing personal data depend on the specific case of processing. The University of Maribor processes personal data based on one of the following legal bases:
Consent to the processing of personal data
The University of Maribor is processing certain personal data, if the data subject has given his or her express consent for that processing. The consent of the data subject is any voluntary, explicit, informed and unambiguous statement of will by which the data subject expresses his or her consent to the processing of personal data with a statement or a clear affirmative action. Based on the consent, we process, for example, personal data of data subjects that voluntarily register for courses and trainings of the University of Maribor.
Contractual processing
The University of Maribor is processing certain personal data based on the contract, namely, when the processing is required for implementing a particular contractual relationship or for implementing measures at the request of the data subject before concluding the contract. Identification and contact information (name, telephone number, address of permanent residence, etc.) are processed for example for concluding and further implementation of the contract on education upon enrolment to full or part-time study.
Legal obligation of the data controller
Certain personal data are processed at the University of Maribor, when the processing of personal data is enabled or even imposed by law. These are the cases where the categories of personal data to be processed, categories of data subjects, the purpose of their processing and time limits for storage of personal data or for the periodic review of the need for further storage, however, also the recipients of the personal data, specific data processing acts and processing operations as well as other measures to ensure lawful, fair and transparent processing are defined by law. In this regard, records with personal data of UM employees are being kept based on the Labour and Social Security Registers Act (Official Gazette of the Republic of Slovenia, No. 40/06) and the Employment Relationship Act (Official Gazette of the Republic of Slovenia, No. 21/13, with amendments).
Vital interests
The processing of personal data is legitimate when it is necessary in order to protect the vital interests of the data subject or the vital interests of another natural person. This legal basis can be used only in exceptional cases, if the processing in this manner is necessary, for instance due to saving the natural person’s life.
Public interest
The University of Maribor is processing certain data if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. These are the cases of processing that is necessary for implementing a particular task in the public interest or exercising authority assigned to the University of Maribor and where the categories of personal data to be processed, categories of data subjects, the purpose of their processing and time limits for storage of personal data or for the periodic review of the need for further storage, however, also the recipients of the personal data, specific data processing acts and processing operations as well as other measures to ensure lawful, fair and transparent processing are defined by law. Exceptionally, those personal data may be processed on this basis that are essential for the exercise of lawful competences, duties or obligations by the public sector, provided that such processing does not encroach on the justified interests of the data subject.
For performing tasks carried out in the public interest, personal data of data subjects are for example processed when carrying out statutory elections to bodies of the University of Maribor and its members.
Legitimate interest
The processing of personal data is legitimate, when it is necessary due to legitimate interests pursued by the controller or a third party, except when such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. This legal basis can be used for instance due to the protection of property, the prevention of fraud, etc.