Privacy terms

MEANING OF TERMS

Privacy terms

The privacy conditions are an internal act of Amper Sol d.o.o. (hereinafter: processor) and apply to all
legal relations between him and service subscribers (hereinafter: the controller).
The act determines the rights and obligations of the processor and controller in the management and processing of personal data
data of individuals.

Personal information

Personal data means any information relating to a specific or identifiable individual who is
a physical person. A designated individual is one whose personal data is designated and processed in accordance with the agreement
with purposes determined by the controller. A definable individual is one who can be directly or
indirectly determine and process his personal data in accordance with the purposes determined by the controller.

Individual

An individual is any natural person whose personal data is processed on a legal or contractual basis
on the basis between the controller and this individual or on the basis of the express consent of the individual
given to the manager.

Manager

The controller determines the purposes and means of processing within the framework of its registered activity and/or legal
authorizations. The individual is informed in advance who is the controller of personal data and who he is
processor of his personal data.

Processor

The processor processes the personal data of individuals on behalf of the controller, according to his instructions, within
the framework of legal purposes and methods of processing.

Subprocessor

The sub-processor processes the personal data of individuals on behalf of and according to the instructions of the processor, within the framework
of the legal purposes and methods of processing.

Processing

Processing of personal data means any action or series of actions performed in relation to personal data
or sets of personal data with or without automated means such as collection, recording, editing,
structuring, storing, adapting or modifying, retrieving, viewing, using, disclosing by means of,
disseminating or otherwise making accessible, adapting or combining;
restriction, deletion or destruction.

Restriction of processing

Limitation of processing means marking stored personal data in order to limit their
processing in the future.

Designing profiles

Profiling means any form of automated personal data processing that involves
the use of personal data to evaluate certain personal aspects relating to an individual, in particular to
analyze or predict performance at work, economic situation, health, personal taste,
interests, reliability, behaviour, location or movements of that individual.

Pseudonymization

Pseudonymization means the processing of personal data in such a way that personal data can no longer be
attributed to a specific individual to whom the personal data relate, without additional information.
if such information is kept separately and is subject to technical and organizational measures to ensure,
that the personal data are not attributed to a specific or identifiable individual.

Privolitev posameznika

The consent of the individual to whom the personal data relates means any voluntary, explicit,
informed and unequivocal statement of the will of the individual to whom the personal data refer, by which
he expresses his consent to the processing of the personal data relating to him by a statement or a clear affirmative action
on him.

Breach of personal data protection

A breach of personal data protection means a breach of security that results in intentional or illegal destruction,
loss, alteration, unauthorized disclosure or access to personal data that is sent, stored
or otherwise processed.

PERSONAL DATA PROCESSING

Processor data

Company name: Amper Sol d.o.o.
Company address: Šmartinska cesta 106. 1000 Ljubljana
Tax number: SI19244617
Phone: +38670115885
Email address: info@ampersol.com

Subprocessors

The processor has concluded contracts on the further processing of personal data of specific individuals
of a specific controller in cases where it has external processors for the performance of its services, who are its
sub-processors in relation to the controller. The processor is responsible for the selection of subprocessors and ensures that
they are bound to the same or higher level of protection of personal data as stipulated by Slovenian regulations and
European Union regulations. The processor informs the controller about its existing processors and about
any replacement of processors or the hiring of new processors. It does this by announcing the publication of new
privacy conditions, in which it specifies the new processors and gives the controller thirty days
to comment on the changes, confirm or oppose them.

Legal basis for processing personal data

The processor has a legal basis for processing the personal data of certain individuals
of a specific controller in a previously concluded contract between the controller and the processor or on the basis of another
agreement on the order of the service.

The processor is responsible for ensuring that managers are aware of this act and other acts of the processor,
insofar as they regulate the processing of personal data of individuals and/or the terms of business for
the provision of ordered services.

The manager is responsible for ensuring the appropriate legal bases for the processing of personal data
(legal interest, contractual interest and/or express consent of the individual).

Types of personal data

The processor processes the personal data provided by the controller. The processor never
processes other personal data of the individuals of the specific controller.

Purposes of personal data processing

The processor processes the personal data of the individuals of a specific operator only for the purposes for which
the operator has given him an instruction. The processor never processes the personal data of individuals
of a specific controller for other purposes.

The role of the manager

The controller is obliged to give instructions to the processor for the processing of the personal data of
the individuals it manages. The controller must provide the processor with clear and unambiguous information about what types
of personal data and for what purposes it can process.

Documented operator instructions

According to this act, the controller is obliged to specify to the processor the content and duration of the processing of personal data,
the nature and purpose of the processing, the types of personal data and the categories of individuals to whom
the personal data relate.

The operator’s instructions must be documented, and may be given in writing by regular or
electronic mail, and in the case of verbal instructions, the processor also requires written confirmation by regular or by
electronic mail.

The processor is not responsible for the legality of the instructions received from the controller for the processing of personal data
of individuals of a particular controller.

Data confidentiality

The processor ensures that the persons authorized to process personal data are bound by
confidentiality or are bound by the relevant law to confidentiality. The processor has adopted internal regulations on the
protection of personal data and obtains a written commitment from all employees and external collaborators a
written commitment to data confidentiality, familiarization with the regulations and the appropriate security measures implemented by the processor
to ensure an adequate level of data security.

The rights of individuals

The processor technically ensures that, according to the controller’s instructions and within the legal scope, it provides support and
technical solutions as well as the final data that the controller needs when individuals exercise
one or more rights with the controller that are provided for them by legislation: the right to correction, the right to deletion,
the right to limit processing, the right to data portability and the right to object.

Deletion or transfer of data

Based on the prior documented instructions of the controller, the processor deletes or returns all
personal data to the controller after the completion of the service it performs for the controller and destroys existing copies,
except in cases where data storage is prescribed by law.

Access to information

The processor provides the controller with all the information necessary to prove compliance with the obligations
from this act and the legislation, and allows the controller or another auditor authorized by the controller
to carry out audits, including inspections, and participates in them.

SECURITY OF PERSONAL DATA PROCESSING

Security of processing

The processor and operator, taking into account the latest technological development and costs of implementation
and the nature, scope, circumstances and purposes of processing, as well as risks to the rights and freedoms of
individuals, which differ in probability and severity, the operator and processor ensure by implementing
appropriate technical and organizational measures the level of security in relation to the risk,
including, but not limited to, measures covering:

pseudonymization and encryption of personal data,

the ability to ensure the ongoing confidentiality and integrity, availability and resilience of processing systems
and services,

the ability to timely restore the availability and access to personal data in the event of a physical or
of a technical incident,

procedures for regular testing, assessment and evaluation of the effectiveness of technical and organizational
measures to ensure processing security.

When determining the appropriate level of security, the risks posed by the processing, in particular due to
accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access
to personal data that is transmitted, stored or otherwise processed.

Authorized person for data protection

The processor is not obliged to appoint a person authorized to protect personal data, because
it does not carry out the processing as a public authority or body, nor does it carry out processing in its core activity which, due to
their nature, scope and/or purposes, would require individuals to whom refers to personal
data, regularly and systematically comprehensively monitored and does not cover the basic activity of the processor
extensive processing of special types of personal data.

Security measures

The processor ensures adequate security measures in the processing of personal data to ensure
the protection of personal data. Security measures are regularly monitored and updated in line with the development
of technology and the requirements of legislation.

The processor informs the operator about security measures and appropriate technical solutions in a separate
document, which is an integral part of these privacy conditions, which govern the legal relationship between the manager and
the processor, and the Rules on the Protection of Personal Data, which govern the legal relationship between the processor
and the employees who process the personal data of individuals of a particular manager.

FINAL PROVISIONS

Binding nature of legal terms

1. The terms and conditions apply to all operators with whom the processor has a regulated legal-business relationship
by contract or in writing via e-mail and confirmed by the operators via e-mail
and it is considered that an annex to the existing legal relationship or a written annex to
the existing one has been accepted written contract, if the controller so requests.
2. Privacy conditions are binding for all legal transactions concluded on their basis.
3. The privacy terms are an integral part of the service order by the operator.
4. The administrator confirms familiarization with and agreement with these privacy conditions before ordering the service (in
the contract or in writing via electronic communication).

Changes to the privacy terms

1. The processor regularly updates the privacy terms with legislative changes.
2. The processor informs the operator about changes in a timely manner in writing
by e-mail.
4. The processor provides an archive of changes to the privacy conditions, which can be accessed by any controller
with a prior written request to the processor’s contact email address.

Conflict solving

The processor and operator undertake to resolve any disagreements and disputes peacefully and
consensual. If an amicable solution is not possible, the court in
in the Republic of Slovenia according to the registered office of the processor.