Privacy Policy for Rekono Account Holders

NOTICE TO INDIVIDUALS PURSUANT TO ARTICLE 13 OF THE GENERAL DATA PROTECTION REGULATION (GDPR) REGARDING THE PROCESSING OF PERSONAL DATA

Rekono, sistemske integracije, d.o.o. is committed to protecting users’ privacy when providing products and services. This notice is prepared in accordance with Article 13 of the General Data Protection Regulation (GDPR) and discloses the type, legal basis, and purpose of personal data that Rekono collects on its websites or processes when providing Rekono services, including information on the exercise of individual rights.

I) Rekono's Responsibility

Rekono respects your privacy and acts diligently and in accordance with applicable personal data protection regulations when collecting, storing, and processing your personal data.

As Rekono’s online information system contains links to external websites not directly related to Rekono, we do not assume responsibility for data protection on those websites.

To prevent unauthorized access to or disclosure of collected data, maintain the accuracy of personal data, and ensure its proper use, we use appropriate technical and organizational measures to protect the data collected.

Rekono will make every effort to ensure that the information on the websites is accurate and up to date but cannot guarantee its accuracy or completeness and accepts no responsibility for it. All users access and use published content at their own risk.

Rekono reserves the right to change the content of these web pages at any time, in any way, for any reason, and without prior notice.

Neither Rekono nor any other legal or natural person involved in the creation or production of these web pages shall be liable to third parties for any damage arising from or in connection with the existence, access to, or use of these web pages and/or the information contained therein, or the inability to use the information on these web pages, or any errors or omissions in their content, regardless of whether they have been advised of the possibility of such damage.

These websites also provide links to third-party websites and/or contain information about third parties. As certain links on this site lead to sources located on servers maintained by third parties over which Rekono has no control, we cannot guarantee and do not accept or forward complaints regarding the accuracy of any website to which we provide a link or reference.

Key elements of the processing of personal data of Rekono account holders:

Types of Personal Data	Purposes of Processing	Legal Basis	Retention Periods
Personal data, as specified in point 5, Data Processing and Protection of User Rights of the General Terms and Conditions for the Use of the Rekono Service	Providing electronic identification and authentication services for individuals	Contract for the use of the Rekono service, in accordance with point (b) of Article 6(1) of the General Regulation	Legitimate interests of the controller, in accordance with point (f) of Article 6(1) of the General Regulation
Location, in accordance with the information provided in point 5, Data Processing and Protection of User Rights of the General Terms and Conditions for the Use of the Rekono Service	Preventing misuse of Rekono services and relying party services (point 6 of Article 3 of the eIDAS Regulation)	Legitimate interests of the controller, in accordance with point (f) of Article 6(1) of the General Regulation	5 years from the date of creation

II) Personal Data Controller

Rekono d.o.o., Ukmarjeva ulica 2, 1000 Ljubljana, info@rekono.si

The controller’s contact email address: info@rekono.si.

III) Contact Details of the Data Protection Officer (DPO):

Pursuant to Article 37 of the General Data Protection Regulation and the first paragraph of Article 45 of the Personal Data Protection Act, an external data protection officer has been appointed.

DPO contact email address: podpora@rekono.si

IV) Information on the Existence of Individual Rights

The controller guarantees the individual all rights relating to the processing of personal data under applicable regulations, namely:

the right to withdraw consent to the processing of personal data,
the right to be informed about the processing of your personal data and to access your personal data,
the right to rectification,
the right to erasure (the right to be forgotten),
the right to restriction of processing,
the right to data portability,
the right to object to the processing of personal data based on the legitimate interests of the controller.

To exercise these rights, individuals may contact the controller or the authorized person (DPO) at the contact email address.

V) Information on the Right to Lodge a Complaint with the Supervisory Authority:

An individual may lodge a complaint with the supervisory authority: Information Commissioner of the Republic of Slovenia (address: Dunajska 22, 1000 Ljubljana, e-mail: gp.ip@ip-rs.si, telephone: (01) 2309730, website: www.ip-rs.si).

VI) Types of Personal Data Subject to Processing

The controller processes personal data of Rekono account holders as a means of electronic identification, enabling the holder to identify and authenticate themselves and to provide an electronic signature using an electronic signature certificate issued as part of the trust services associated with the Rekono account.

By accepting the general terms and conditions and registering their legal identity by opening a Rekono account (hereinafter: Rekono account), the user acquires the right to use their Rekono account with the selected means of identification and authentication procedure in trust services for electronic transactions and other solutions or services related to the reliable and secure presentation or confirmation (authentication) of the user’s identity (hereinafter: trust services).

In the application for registration of a Rekono account, in the Rekono account itself, and in the account opened by the user in Rekono, various sets of personal data are processed about the user depending on the desired assurance level of the Rekono identification means:

level “0”: the user’s email address and smartphone number;
level “10”: level “0” data plus first and last name, date of birth, residential address, and tax number;
levels “20” and “30”: level “10” data plus qualified certificate, personal document number, personal document type, and document expiry date.

The controller also processes data on the location of Rekono OnePass service users who are Rekono account holders. The purpose of processing location data of Rekono OnePass service users is to prevent abuse.

VII) Use of Permissions on Your Device (Only for Users of the Rekono OnePass Mobile App)

The mobile app requires access to your device’s data and components as described below to function properly:

Approximate location (for fraud prevention, security, and compliance)
Personal information:
- Name, optional (for app functionality, fraud prevention, security and compliance, and account management);
- Email address, optional (for app functionality, fraud prevention, security and compliance, and account management);
- User IDs, optional (for app functionality, fraud prevention, security and compliance, and account management);
- Address, optional (for app functionality, fraud prevention, security and compliance, and account management);
- Phone number (for app functionality, fraud prevention, security and compliance, and account management);
- Other data, optional (for app functionality, fraud prevention, security and compliance, and account management);
App activity – interactions within the app (for analysis);
App data and app performance:
- Crash logs (for analysis);
- Diagnostics (for analysis);
Device ID or other IDs (for app functionality, fraud prevention, security and compliance, and account management).

Individuals can restrict access to personal data in the mobile application through the settings of their mobile device. Some features will not work if access is restricted, which may result in the mobile application not functioning properly.

More information about the operation of the Rekono OnePass mobile application is available in the User Manual at https://www.rekono.si/rekono-onepass/.

VIII) Purposes of Personal Data Processing

The purpose of processing data about individuals – Rekono account users – is to provide a reliable and secure electronic identification and authentication service for account holders, enabling them to use electronic signatures, other trust services, and to access services of providers that rely on Rekono.

IX) Legal Basis for Processing

Point (b) of Article 6(1) of the General Data Protection Regulation: “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”

By registering and opening a Rekono account, the user enters into a contractual relationship with the controller for the use of Rekono services in accordance with the General Terms and Conditions of Use of the Rekono service and the accompanying instructions.

The legal basis for processing personal data related to location is the legitimate interests of the controller, specifically the prevention of abuse in the use of Rekono services and the services of relying parties (point 6 of Article 3 of the eIDAS Regulation), within the framework set out in point (f) of Article 6(1) of the General Data Protection Regulation: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

X) Retention Periods

The personal data of Rekono account holders is stored for 10 years.

Data on the location of Rekono One Pass service users is stored for 5 years from the date of creation as an additional attribute in log entries.

XI) Information on Automated Decision-Making, Including Profiling

The controller’s processing of personal data does not involve automated decision-making or profiling.

XII) Information on Transfers of Personal Data to a Third Country or International Organization

Personal data is not transferred to third countries or international organizations.

XIII) Users or Categories of Users of Personal Data, if any:

At the account holder’s request, the controller shall forward the Rekono account holder’s personal data to a natural or legal person who relies on electronic identification using the Rekono identification means (the “relying party,” as defined in point 6 of Article 3 of the eIDAS Regulation).

XIV) Final Provisions

Rekono d.o.o. reserves the right to amend or supplement this Privacy Policy for holders of Rekono qualified certificates for use on personal devices whenever and to the extent necessary to ensure compliance with personal data protection regulations.

This Personal Data Protection Policy for holders of Rekono qualified certificates for use on personal devices applies and is effective from September 20, 2023.

Rekono, sistemske integracije, d.o.o.