
Personal Data Protection Policy

The aim of the Personal Data Protection Policy is to inform the individuals, users of services, employees, partners and other persons (hereinafter: individuals) who collaborate with the Bled Culture Institute (hereinafter: organization) about the purposes and legal groundwork, security measures and rights of data subjects regarding the processing of personal data provided by our organization.

We value your privacy and strive to protect your personal data.

Your personal data is processed in accordance with the EU legislation (Regulation (EU) 2016/697 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: GDPR)) and the relevant data protection legislation (Personal Data Protection Act (ZVOP-1, Official Gazette of the Republic of Slovenia, No. 94/17)) and other rules and regulations which provide the legal basis for the processing of personal data.

The Personal Data Protection Policy contains information for data subjects about the manner in which our organization, as the controller, processes personal data which it receives from the individual on the basis of the legal groundwork described hereafter.


The controller of personal data is the organization:

Zavod za kulturo Bled (Bled Culture Institute)
Cesta svobode 11
4260 Bled
+386 (0)4 5729 770

External Data Protection Officer

In accordance with Article 37 of the GDPR, we have appointed the following company as our external Data Protection Officer:


Tržaška cesta 85, SI-2000 Maribor
+386 (0) 2 620 4 300

Personal data

Personal data means any information relating to an identified or identifiable individual (hereinafter: data subject) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Purposes and grounds for data processing

The organization collects and processes your personal data on the basis of the following legal grounds:

  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Processing is necessary for the purpose of the legitimate interests pursued by the controller or by a third party;
  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;

Compliance with a legal obligation or public interest

Under the provisions of the law, the organization mainly processes data about its employees, which it is permitted to do by the labour law. In compliance with its legal obligation, the organization mainly processes the following types of personal data: name and surname, sex, date of birth, citizen personal identification number (EMŠO), tax number, place, municipality and country of birth, nationality, place of residence for the purpose of the employment contract and in order to ensure compliance with the related legal obligation.

Other legal acts that form the basis for the processing of personal data of employees include: Public Sector Salary Systems Act, Public Employees Act, Protection against Natural and Other Disasters Act.

In the above cases, processing of personal data by the organization is also permissible on the grounds of public interest. 

Performance of a contract

When you enter into a contract with the organization, this contract constitutes the legal basis for the processing of personal data. It is therefore permissible to process your personal data for the conclusion and performance of such contract, e.g. ticket sales, club membership, training, service agreement. In the event that the individual does not provide his or her personal data, the organization is unable to enter into the contract and, consequently, cannot carry out the service or deliver the goods or other products under the contract, because it does not hold sufficient data to execute it. On the grounds of provision of legitimate activity, the organization may communicate information about its services, events, training, offers and other contents to the electronic mail of individuals and users of its services. An individual may at any time request the termination of such communication and processing of personal data. An individual may terminate such communication at any time via the link to unsubscribe in received messages, by a written request to the e-mail address gdpr@zkbled.si, or by a written request sent by regular mail to the address of the organization.

Legitimate interest

The enforcement of the legitimate interest as the legal basis is limited to the processing carried out by public authorities in the exercise of their responsibilities. Nevertheless, the organization may also process personal data on the grounds of the legitimate interest, which the organization strives to pursue to a limited extent. The latter is not permissible when the interests and fundamental rights of the data subject override the interest of the data controller. In the event of exercising legitimate interest, the organization shall always carry out a careful assessment under the GDPR.

With a view to the above, individuals receive periodical information about our services, events, trainings, offers and other contents by electronic mail, telephone or regular mail. An individual may request the termination of such communication and personal data processing at any time via the link to unsubscribe in received messages, by a written request to the e-mail address gdpr@zkbled.si, or by a written request sent by regular mail to the address of the organization.

Processing on the basis of consent

If the organization has no legal grounds arising from a legal act, exercise of an official authority, contractual obligation or legitimate interest, it may request the individual to consent to processing. When the individual gives consent to processing, the organization may also process certain personal data of the individual for the following purposes: 

  • Residential address and e-mail address for the purposes of communication and notification;
  • The tax number or citizen’s personal identification number (EMŠO) for the purpose of forced execution in the event of failure to settle contractual obligations (e.g. non-payment of an invoice);
  • Photographs, videos, and other contents relating to the individual (e.g. recordings made at public events) for the purpose of compiling photo documentation and informing the public about the organization’s activities and work;
  • For any other purpose to which the individual gives consent.

When the individual wishes to withdraw the consent to the processing of personal data, they may request the termination of personal data processing by a written request to the e-mail address gdpr@zkbled.si, or by a written request sent by regular mail to the address of the organization.

Processing is necessary in order to protect the vital interests of the data subject

The organization may process the personal data of the data subject provided this is necessary to protect the vital interest of the data subject. This means that the organization may inspect the data subject’s passport, check whether the data subject is entered in the organization’s database, study the data subject’s medical history and get in contact with the data subject’s relatives, for which the organization requires no further consent. The above only applies when such processing is crucial to protect the vital interests of the data subject. 

Retention and erasure of personal data

The organization will retain your personal data only for as long as necessary for the realization of the purpose for which the personal data was collected and processed. The personal data which the provider processes on the basis of the law will be retained by the organization for the period provided by the law. In this respect, certain data will be retained for the duration of cooperation with the organization, while certain data must be retained permanently.

Personal data which the organization processes on the basis of a contractual relationship with the individual will be retained for the term of the contract and for 6 years after its termination, except in the event of a dispute arising between the organization and the individual in relation to the contract. In this event, the organization will retain the data for a period of 5 years from the date of finality of the court decision, or, in the absence of litigation proceedings, for 5 years from the date of amicable settlement of the dispute.

Those personal data which the organization processes on the basis of the individual’s personal consent or legitimate interest will be retained by the organization until the individual’s revocation of this consent or until his request for erasure. The organization will erase the data within 15 days from the date of receipt of the revocation of consent or the request for erasure. The organization may erase the data before receiving the revocation if the purpose of processing has been met or when so stipulated by the law. 

In exceptional cases, the organization may reject the request for erasure for the following reasons listed in the GDPR: for exercising the right of freedom of expression and information, for compliance with a legal obligation, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

After the expiry of the retention period, the controller will erase the personal data efficiently and permanently, and render them anonymous so they can no longer be linked to a certain individual. 

Video Surveillance

The Bled Culture Institute (Zavod za kulturo Bled, or ZKB) uses video surveillance. The purpose of video surveillance (cameras installed at entrances) is to monitor entrances and exits to and from the premises (based on Article 77 of the Personal Data Protection Act of the Republic of Slovenia (ZVOP-2)). Video surveillance is also carried out for the purpose of ensuring appropriate security of individuals (visitors, clients and employees) and the Institute's property (in accordance with the principle of lawfulness as defined in Article 6(1)(f) of the GDPR, in conjunction with Articles 76 et seq. of the ZVOP-2). Video surveillance is conducted within certain work areas because it is strictly necessary for the security of people or property. Video surveillance will help us to detect, process or resolve incidents, crimes, claims for damages and other claims. Recordings will be kept for a maximum of 3 months. We do not conduct video surveillance in a manner that would involve specific processing impact. Similarly, video surveillance does not allow for unusual further processing, such as transfer to third countries and the possibility of audio intervention during live broadcasting of events.  
Video surveillance allows authorised persons to monitor live events. For information on video surveillance, please contact us at the Institute's telephone number or email address. The rights of data subjects are described in this Privacy Policy. You can address any further questions to the Data Protection Officer.

Contractual personal data processing and output of data

The organization may entrust individual tasks relating to your data to other persons (contractual data processors). Contractual data processors may process confidential data only on behalf of the controller, within its authorizations (in a written agreement or other legal act) and pursuant to the purposes defined in this privacy policy.

The contractual data processors with whom the provider collaborates are:

  • accounting service and other providers of legal and business advice;
  • IT system maintainers;

The organization shall not forward your personal data to unauthorized third parties.

The contractual processors may only process personal data in accordance with the instructions of the organization, and they shall not use personal data to fulfil any of their own interests.

The organization as the data controller and its employees will not transfer personal data to third countries (outside the countries of the EEA area, EU member states, and Iceland, Norway and Liechtenstein) or international organizations, with the exception of the USA, wherein the relations with contractual processors from the US are governed by standard contract clauses (model contracts adopted by the European Commission) and/or binding corporate rules (adopted by the organization and approved by supervisory authorities in the EU).

Data protection and data accuracy

The organization shall ensure the information security and the safety of infrastructure (spaces and application system software). Our information systems are protected, inter alia, with antivirus software and firewall systems. Several technical and organizational security measures were put in place that are aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of processing. As regards the transfer of special categories of personal data, these data are communicated in coded and password-protected format. 

It is your responsibility to ensure that the data is communicated to us safely and that the data is accurate and authentic. We will do our best to ensure that your personal data being processed is accurate and updated, if necessary, and will turn to you on occasion to confirm the accuracy of your personal data.

Rights of a data subject with regard to data processing

Under the GDPR, the data subject shall have the following rights: 

  • You may request information whether we hold certain personal data on you and if we do, what data we have, what is the legal basis for having such data, and what the data are used for. 
  • You may request access to your personal data which enables you to receive a copy of the personal data we hold relating to you and check whether data processing is legitimate.
  • You may request that we correct inaccurate personal data relating to you or refine them in consideration with purposes of the processing.
  • You may request us to erase your personal data when there is no longer any need for processing for a specific purpose, or if you object to further processing.
  • You may object to further processing of the personal data, which relies on legitimate business interest (even in the event of a third person's legitimate interest), when there are reasons related to your special position; notwithstanding the provisions of the previous sentence, you have the right to object if your personal data are processed for the purpose of direct marketing.
  • You may request us to limit the processing of your personal data, which means the termination of processing personal data relating to you, for example, if you wish us to determine the accuracy of data or verify the reasons for their further processing. 
  • You may request that we provide you with your personal data in a structured electronic form, or to transmit it to another controller, if possible and technically feasible. 
  • You may withdraw the consent previously given for personal data collection, processing and transfer for a specific purpose; after receiving the notification that your consent has been revoked we will terminate the processing of your personal data for the purposes that were originally approved, unless other legitimate legal basis exists for us to do that legally. 

In order to exercise any of the rights stated above, send us a request to the e-mail address gdpr@zkbled.si or by post to the organization’s address. 

Access to your personal data or exercising your rights is free of charge for you. However, if your request was manifestly unfounded, repetitive or excessive you will be charged with reasonable costs. In such case, your request can also be denied.

In the event of exercising your corresponding rights, we may have to request certain information from you which will help us confirm your identity, which is just a precautionary measure that ensures that personal data are not disclosed to unauthorized persons. 

In exercising their rights under this Directive, or if they believe that their rights have been violated, individuals may seek protection or assistance from the supervisory authority, the Information Commissioner, at the following website: https://www.ip-rs.si/.

If you believe that your rights have been violated, you can contact the supervisory body or Information Commissioner for support or assistance. Link to:  https://www.ip-rs.si/zakonodaja/reforma-evropskega-zakonodajnega-okvira-za-varstvo-osebnih-podatkov/kljucna-podrocja-uredbe/prijava-krsitev/

Should you have any further queries regarding the processing of your personal data, do not hesitate to contact us. 

Publication of amendments

Any amendment to the Personal Data Protection Policy will be published on our website. By using the website, the individual confirms that they accept and agree to the full content of this Personal Data Protection Policy.

The Personal Data Protection Policy was adopted by the management of the organization, March 2024.
