Personal data controller: GEN-I, trgovanje in prodaja električne energije, d.o.o. (hereinafter: GEN-I, d.o.o. or the Controller).
Address/registered office: Vrbina 17, 8270 Krško. Telephone: +386 7 48 81 840; fax: +386 7 48 81 841, email: info@gen-i.si.
The Company’s personal data protection officer is responsible for the processing of your personal data. That person continuously monitors the compliance of processing in accordance with valid regulations and international standards, assesses the effects of the processing of personal data and cooperates with the competent supervisory bodies. Our personal data protection officer can be reached at GEN-I, d.o.o.’s registered office, via email at dpo@gen-i.eu or at +386 7 48 81 840 for all questions or assistance regarding the exercising of your rights.
The Company processes your personal data based on one of six possible legal bases (consent, the conclusion and/or execution of a contract, legal obligations, the protection of the life interests of an individual, tasks carried out in the public interest, and the legitimate interests of the Controller or third parties), to the minimum extent necessary and for the period required to achieve that purpose. Provided below are explanations in connection with the legal bases that GEN-I, d.o.o. applies most frequently for personal data processing.
3.1 Processing of personal data based on the conclusion or performance of a contract
GEN-I, d.o.o. processes your personal data for the purpose of concluding a contract/agreement and for the fulfilment of contractual obligations in connection with the supply of energy, or other agreed services and products.
The following forms of processing take place for this purpose: the identification of individuals, the processing of enquiries, the drafting of offers and/or required contractual documentation, including informative calculations of the costs of energy consumption for potential customers, as required, the conclusion of new contracts or changes to existing contractual relationships, the provision and billing of services or goods under the relevant contracts, the issue or settlement of bills (billing of products), the monitoring and collection of payments, the resolution of complaints and technical problems, the notification of customers regarding changes to the terms and conditions of sales and legislation, and the implementation of other activities required for the performance of other actions required for the fulfilment of contractual obligations for this purpose.
- Method used to obtain data
We obtain data directly from you (for example, when you complete forms with your data), and possibly from other sources, such as real estate agencies, contractors who install self-sufficient supply devices or solar power plants, other natural persons who provide your personal data (i.e. in the sale or leasing of real estate, and in the reporting of data regarding metering points or contractual relationships), from the operator of the electricity distribution system, from the geographically responsible operator of the natural gas distribution system, from the provider of telecommunication services, from publicly accessible sources (the land register, etc.), from other competent or authorized state bodies or institutions, and from the internal measurements and the internal records of the Controller and its affiliated companies, as listed on the website www.gen-i.si/en/about-gen-i/about-us/organizational-structure/.
When making changes to a metering point (new metering point, change in owner, etc.), you can anonymize the data displayed on the submitted documents that is not required.
- Purposes of data processing
One important purpose of processing your personal data in the scope of executing a contract with GEN-I, d.o.o. is to continuously provide you high-quality and timely information that includes information regarding the possibility of reporting meter readings, information regarding identified deviations in the consumption of energy products, information regarding overdue, unpaid liabilities and other information required for the high-quality execution of a contract to the satisfaction of both parties. Because we want to conclude, execute, monitor and/or terminate your contract/agreement properly, we process the data required for that purpose, primarily: data regarding a contractual relationship obtained before a contract was concluded and during the execution thereof (your identification and contact information, and data regarding the conclusion of a contract or annex thereto), tax number, data regarding the authorized representative of the person holding consent for connection to the distribution and/or transmission network, bank account number, data regarding a metering or consumption point, data regarding a production device, meter and billing data, a benefit code if activities are carried out to promote the sale of energy, restrictive conditions, data regarding recorded telephone calls and other forms of business communication, data regarding the users of the My GEN-I and My GEN-I Solar web portals, etc. For the purpose of proving a submitted enquiry, we may also store your click, time stamp and daily server log (e.g. the IP number used to identify an individual’s device).
If you provide us data regarding a third party for the purposes of sending contractual documentation or other notifications in connection with the execution of a contract and request that the above-described information be delivered to the address of that person, we guarantee that we will fulfil your request. If you state the telephone or email address of a third party for the purpose of communication in the execution of a contract, you are deemed to have given your consent that the person with that contact information may be informed about your personal data that is processed for the purpose of executing a contract with you, and that these contact data may be used for the purpose of notification via such communication channels. GEN-I, d.o.o. is not liable for the potential disclosure of your personal data or the abuse of your identity as the result of your inadequate protection and/or disclosure of personal data to third parties. We advise you to protect your personal data and not recklessly disseminate it to other persons, as such dissemination of your personal data, which might include your identification data held by the Controller, allows the recipients of that data to disclose it further or in some other way abuse it, which can lead to identity theft in extreme cases.
On this legal basis, GEN-I, d.o.o. also processes the personal data of individuals (identification and contact data, employment status, etc.) in the B2B segment (sales of goods and services between companies) who are either the signatories, custodians or operational executors of contracts concluded between the Controller and another contracting party.
If you participate in prize contests/quizzes that are carried out in accordance with the general terms and conditions of a specific activity, your identification and contact data may be processed, as well answers to questions and/or data required for participation in a specific activity, and your tax number in the event of the awarding of a prize, if this is required to fulfil obligations set out in tax regulations. By registering for a prize contest, quiz or other similar activity, you expressly consent to the publication of your name, surname and place of residence in the event you are selected in connection with such an activity.
If you are involved in different projects implemented in accordance with special agreements with those involved, your identification and contact data, as well as potentially other data required for achieving the purpose of the project or similar activities, which are specifically determined in such agreement, are processed.
- Duration of data processing
Personal data processed based on the conclusion or execution of a contract may be stored for the purpose of fulfilling contractual obligations until required for the conclusion and execution of the contract, and the exercise of rights and obligations from the concluded contract or until the expiry of the legal deadline for the enforcement of legal protection of contracting parties. Metering data is stored for an additional three years after the end of the year in which it is generated, while time aggregates over more than one month are stored for a further five years after the end of the year in which they are generated.
If you completed the online form to switch your supplier but have yet to fully complete the switching process, either due to technical issues in fulfilment or the lack of having all the data required to complete the form, or you simply had to reconsider switching suppliers, we will kindly remind you that your supplier switch (or product purchase) process is still ongoing and will offer you our assistance to complete the sales process. If a contract is not concluded, we will delete the data or anonymize them as required, unless you expressed your wish by way of consent to receive personalized offers adjusted to your needs from the GEN-I Group. We will keep the issued bills and other accounting documentation in accordance with the legally prescribed deadlines pursuant to tax laws.
3.2 Processing of personal data based on the law
We process your personal data based on valid laws governing energy and self-sufficient supply, consumer protection, personal data protection, electronic communications, obligations, enforcement, taxes, excise duties and other laws binding on the Controller. For example, we are obliged to process your personal data for the purpose of issuing bills in the manner prescribed by the Value Added Tax Act, and store the bills in an unchanged form for an additional 10 years after their issue. Pursuant to energy laws, we are required to process your personal data for the purpose of executing a supply contract and generating operational forecasts.
3.3 Processing of personal data based on legitimate interests
We may process your personal data based on our legitimate interests, the existence and justification of which are based on the prudent assessment that your interests and fundamental rights and freedoms in the processing of personal data do not outweigh the legitimate interests of the personal data Controller, and that you can reasonably expect their processing solely for the purpose in question while that personal data is being collected. Whenever your data is subject to further processing, the Controller performs due diligence in accordance with the regulations governing personal data protection. Generally, such further processing takes place in pseudonymous or aggregate form.
The following processing and/or activities are carried out on that basis:
- Direct marketing is a form of communication through which we send you various information and offers via different channels. We occasionally invite you to events, and to participate in prize contests/quizzes and similar activities. For that purpose, we process personal data that we have obtained in the lawful provision of our activity or from publicly accessible sources. For direct marketing needs, we can create your profile from legitimate interests on the basis of data obtained from the implementation of the contractual relationship and use of web portals, such as activated promotions, the type and consumption of energy products, an individual’s contacts, etc. You may refuse such data processing when these contact data are obtained, and later in the context of each message, of which you will be clearly informed. We will cease such processing when we receive your refusal.
- Surveys and interviews are carried out in such a way that we gain knowledge about your user experience/needs through voluntarily completed surveys, questionnaires or interviews and thus determine users’ satisfaction with our services and your needs for the development of new functionalities and new products. On the basis of your responses, we strive for continuous improvements to our services and your user experience, and plan the development of products that are expected and demanded from us by customers and energy laws, and to which we are driven by our social responsibility for maintaining a clean and healthy environment. To that end, we process your contact data (name and surname, telephone number, email) and your response. Participation in a survey or interview is always voluntary and does not affect your rights from the contractual relationship. Answers to posed questions are generally not anonymous. However, their processing will be carried out by using pseudonymization to secure your data.
- Analyses and research (data analysis, including the segmentation and profiling of individuals) are carried out for the needs of marketing activities, business planning, adapting and improving business processes and products, the introduction of new business models, market research, the measurement of responses from the market, the measurement of sales performance, analyses that lead to the improvement of your user experience, business and credit risk management, the optimization of our operations, etc.
- With the aim of optimizing websites, portals or applications in terms of system efficiency, usefulness and ensuring useful information regarding our services, we automatically collect and store information in the daily log files on a user’s computer. That information includes your internet protocol (IP) address, browser type and language settings, operating system, internet service provider (ISP), and date/time of visit, as well as other data given the current state of technology. We may use collected data for analyses and research that we carry out based on legitimate interests, and for communication (e.g. the optimization and improvement of the user experience, which ensures a more attractive range of products and services, and a higher-quality experience for the user). Websites, emails, web services, advertising and interactive applications may use cookies to optimize services. You can read more about cookies by following this link: www.gen-i.si/en/legal-notice/#cookie-section.
- The processing of your personal data by companies affiliated with the Controller (listed on the website www.gen-i.si/en/about-gen-i/about-us/organizational-structure/), can only be performed due to the implementation of joint tasks and the joint management of the GEN-I Group.
- We may verify your solvency using the SISBON application.
- Ensuring business continuity and network and information security can help us prevent random events, or unlawful and malicious acts. This could include the prevention of unauthorized access to electronic communication networks, the spreading of malicious codes, denial-of-service attacks, and damage to computer and electronic communication systems, the aim of which is to ensure the accessibility, integrity and confidentiality of your personal data.
- Preventing or limiting potential abuse and fraud.
- We record phone calls in order to maintain evidence of business communication (the conclusion and performance of contracts, complaints, the updating of data, and other requests) on certain numbers, of which the caller is always informed.
- We use video surveillance to ensure the safety of people and assets, to protect data and trade secrets, to ensure the security of business premises, and to control entry to and exit from business premises, at those premises where the aforementioned interests must be protected. When using video surveillance, your personal data is processed to the extent that is absolutely necessary, while video surveillance is only carried out in areas assessed as potentially at risk. Notices are placed to bring your attention to the existence of video surveillance systems prior to entering each individual area under video surveillance. The notice also indicates where to obtain additional information on the use of video surveillance at a specific location (i.e. regarding the possibilities of access to recordings, how long recordings are stored, etc.). For general information on the video surveillance system, you can write to us at: dpo@gen-i.eu.
Based on legitimate interests, we process your personal data obtained during the performance of a contract, and based on the other bases described in these terms and conditions, and store them for the amount of time required to fulfil the purpose for which they were collected and further processed. Data regarding video surveillance is stored for at least 14 days and for no more than six months. Recordings of phone calls are stored for six months. The storage of data is permitted for a longer period if those data are the subject of legal, enforcement, criminal or administrative proceedings. For security reasons, data may be processed in pseudonymous and/or aggregate form until the legal retention period has expired, and in anonymous after the retention period has expired.
3.4 Processing of personal data based on consent
We may also process your data based on consent given by you for precisely defined purposes. Such consent may relate to:
- registration for the electronic newsletter for timely notification regarding new features in our portfolio, regarding our achievements on the domestic and foreign markets, and regarding information that we believe would excite you and that you would like to receive. In such cases, we will process you email address or telephone number;
- information provided by the GEN-I Group regarding personalized products and services tailored to your needs. In such cases, we will process the personal data that you forwarded to us or that were generated during the lawful performance of our activities;
- the acceptance of cookies, whose purpose is to display advertisements that are tailored to you and your preferences, or to prevent the display of advertisements that are not of interest to you; and
- other similar forms of consent.
You may revoke or amend consent at any time. You may revoke or amend previously given consent in writing using the form available on our website www.gen-i.si. Send the signed form to the email address dpo@gen-i.eu or to the Controller’s registered office. If you gave consent via a website, you may also revoke consent in the same manner. Revoking or amending consent only relates to the personal data that is processed on the basis of consent, where the Controller will take into account your most recent valid consent. The revocation of consent does not release you from your valid contractual relationship with us. The data for which you give consent are processed until that consent is revoked. The revocation of consent does not affect lawful processing that was carried out based on consent until the revocation thereof.
We process the data of various categories of individuals in accordance with various legal bases:
- the initiators (signatories) of contracts;
- the recipients of bills if the latter differ from the contract signatory;
- the owners or co-owners of metering points;
- the users of services at individual metering points, such as lessees, spouses/partners, other household members, etc.;
- individuals who contact the call center;
- individuals who wish to conclude a contract, but no contract is signed;
- individuals who have given consent to process personal data for a specific purpose;
- individuals who have participated in a prize contest/quiz/survey or other marketing activity; and
- individuals, users of websites, web portals (My GEN-I, My GEN-I Solar) and web applications.
More information regarding the terms and conditions of use of GEN-I, d.o.o.’s websites and regarding the processing of data that is generated in the use thereof can be found in information available in the legal notice published on our website www.gen-i.si/en/legal-notice/.
Users of your personal data include:
- banks (for payment transaction purposes);
- The Financial Administration of the Republic of Slovenia and other supervisory authorities (in the process of supervision), audit firms, bodies responsible for the out-of-court settlement of consumer disputes;
- competent courts in the resolution of disputes;
- government and other authorized bodies, such as the system operator of the distribution network and the geographically responsible operator of the natural gas distribution system, and Energy Agency; and
- on the basis of an explicit request, other users who can obtain personal data on the basis of the law, an individual’s personal consent, the execution of a contract or due to the Controller’s other legitimate interests.
Your personal data may also be processed by our contracted data processors who provide services agreed in bilateral contracts, such as: information support, the printing and sending of documents in connection with communication with customers and sellers, civil debt recovery, sales and marketing, potential authorized agents in the field who search for and establish contact between ordering parties, and new potential customers and sellers of energy products, etc. Contracted processors are bound to the strict protection of all of your data and operate under the instructions of GEN-I, d.o.o.
Personal data are processed by an employee of the Controller responsible for processing in a specific work area and in accordance with conferred authorizations. Personal data are used by the parent company GEN-I, d.o.o. and all of its subsidiaries (GEN-I Sonce, d.o.o., Elektro energija, d.o.o., GEN-I Zagreb, d.o.o. and the other subsidiaries listed on the website www.gen-i.si/en/about-gen-i/about-us/organizational-structure/), if this complies with the purpose of processing.
Whenever you participate in a prize contest/quiz or other activity (including a pilot project) that is organized or co-organized by the Controller together with a contractual partner, both the Controller and its business partner (jointly referred to as ‘Controllers’’) will process the personal data collection in accordance with the applicable personal data protection legislation. To that end, the Controllers will ensure that they store and protect collected data in an appropriate manner to prevent the potential unlawful disclosure of data to unauthorized persons, and will not disseminate, lend or sell that data to third parties without obtaining prior written consent, except to contracted partners who provide support to an individual controller in the processing of personal data for the specific purposes for which there is a (legitimate) legal basis. The Controllers will process collected data for the purposes of organizing prize contests/quizzes/other similar activities in which you willingly decide to participate. You will be able to exercise your rights under Article 9 at all joint controllers.
We store personal data collections in the territory of the European Union and do not generally transfer them to third countries. If we transfer your personal data to third countries, we will do so after carefully reviewing the legal bases and safeguards applied by that third country (binding rules, codes of conduct, standard contractual clauses and other similar mechanisms). We use the MailChimp web platform, which is operated by a US-based company, for email notification. Thus, a limited amount of personal data is transferred there exclusively for the purpose of email notification. The terms and conditions of use and MailChimp’s privacy policy are available on the website https://www.intuit.com/privacy/statement/. The MailChimp web platform ensures compliance with the requirements and your rights under the GDPR.
In accordance with the principle of responsibility, every transfer of personal data to third countries will be carried out by the Controller after careful consideration and with the requisite level of prudence.
The Company operates for the most part digitally. However, all decisions in connection with contractual relationships, and other decisions with legal or similar effects are made by employees with the appropriate information support.
The Constitution of the Republic of Slovenia, and valid European and Slovenian regulations provide you numerous rights regarding privacy and the protection of personal data, in particular the following:
- the right to information regarding the processing of your personal data (the text you are reading is part of the exercising of that right);
- the right to access to personal data, which means that you have the right to obtain from GEN-I, d.o.o., as Controller, confirmation as to whether personal data that relates to you is being processed. Whenever that is the case, you have the right to access your personal data and additional information (the purposes of processing, types of data, data users, the existence of rights and information regarding potential claims, data sources, potential automated decision-making and special profiling);
- the right to receive a copy of personal data that is subject to processing, if a legitimate interest for that exists;
- the right to rectification, which means that you have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of processing, you also have the right to have incomplete personal data completed, including by means of the provision of a supplementary statement;
- the right to erasure (known as the ‘right to be forgotten’), which means that you have the right to demand that the Controller erase personal data concerning you without undue delay, if the prescribed conditions are met (when processing is no longer necessary, in the event of the revocation of consent and when there is no other legal basis for processing, in the event of justified objection and unlawful processing, erasure is required in accordance with valid regulations, etc.);
- the right to the restriction of processing, which means the right to demand that the Controller restrict the processing of personal data, if you contest the accuracy of data, if you have filed an objection, if processing is unlawful, and when the Controller no longer needs the data for processing, but they are required for the establishment, exercise or defense of legal claims;
- the right to notification regarding the rectification or erasure of your personal data, or restrictions on the processing thereof, if those data were provided to another user, unless this proves impossible or involves disproportionate effort;
- the right to portability, which means the right to receive personal data concerning you that you provided to the Controller, in a structured, commonly used and machine-readable form, and the right to transmit data to another Controller without any hindrance whatsoever (applies to data processed automatically based on consent or a contractual relationship);
- the right to object, which means that you have the right to object at any time to certain types of processing of your personal data (public interests, the legitimate interests of the Controller, marketing purposes, etc.). The Controller must prove the existence of legitimate interests for the processing or the cessation of processing (you may always object in the case of direct marketing, including profiling if it is connected with direct marketing, about which you will be clearly and unambiguously informed), except in rare cases of justified exceptions, if we can prove that we have urgent legitimate reasons for data processing that outweigh your interests, rights and freedoms, or we require such data to establish, exercise or defend legal claims;
- the right regarding automated processing and profiling, which means that you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similar effects concerning you, if this is not urgently necessary or prescribed, or you do not give your consent;
- you may temporarily or permanently revoke previously given consent whenever we process your personal data based on your consent. In such cases, your revocation applies prospectively and does not affect processing that was carried out until that revocation.
The Controller will provide information regarding measures in connection with the processing of your personal data that were adopted at your request in accordance with Articles 15 to 22 of the GDPR without undue delay and in any event within one month of receiving such a request. That period may be extended exceptionally for a maximum of two additional months taking into account the complexity and number of requests. The Controller will inform you in such cases within one month from the receipt of a request, and state the reasons for a delay. If you submit your request by electronic means, the data manager will provide information by electronic means, unless you request otherwise. Upon the submission of a request, we will verify your identity and, in the event of doubt regarding whether you are the correct person and actual beneficiary of the request, we will request additional information that is required to confirm your identity.
Whenever a breach of the protection of personal data occurs and whenever it is likely that a breach will result in a high risk to your rights and freedoms, the Controller will inform you without undue delay that such a breach has occurred. The state body responsible for handling breaches of personal data protection regulations is the Information Commissioner of the Republic of Slovenia, Dunajska cesta 22, 1000 Ljubljana.