Right to privacy is one of the most important human rights. In LEP d.o.o. (hereinafter referred to as the Company), we are very well aware of this and we, therefore, respect the privacy of our customers and treat their personal data responsibly, carefully and according to the applicable legislation. The access to personal data is permitted only to authorised Company personnel and contracted processors, to the extent and with the purpose strictly necessary for the smooth implementation, assurance and fulfilment of rights and obligations arising from concluded contractual relations.

By taking proper measures, we ensure that unauthorised persons do not access personal data, protect its confidentiality and integrity, and prevent its loss or unintentional destruction throughout the entire time of being processed. We will not be held responsible for any “hacking” into a computer system!

Company and its processors fully respect the general principles regarding the processing of personal data, which are:

  • We process user personal data legally, fairly and transparently.
  • We collect personal data for purposes that are pre-determined, explicit and legal; we do not process personal data for any other purpose, except in the case of processing for scientific or historical research purposes and for statistical purposes, under certain conditions.
  • Personal data is processed to the minimum extent for the purposes for which it is processed.
  • We ensure that the personal data we process is accurate and regularly updated; incorrect data is corrected or deleted.
  • We store personal data only as long as it is necessary for the purposes for which they are processed.
  • We ensure appropriate security of personal data, which includes prevention of unauthorised or unlawful processing and accidental loss, destruction or damage by appropriate technical and organisational measures.


For questions related to the processing and use of personal data, information, corrections, blocking, deletion of personal data or cancellation of notification consent, cancellation of consent.


  • Basic personal data (e.g. name and surname);
  • communication data (e.g. address, mail, telephone no.);
  • information on communication between the Company and you;
  • payments data;
  • any other data obtained based on the consent.


We can treat personal data in accordance with valid legislation from the field of protection of personal data:

  • if this is necessary for the conclusion and/or fulfilment of a contract (application on an event, workshop, etc.)
  • if required by law;
  • if consent is given (which can be cancelled at any time);
  • if the processing is necessary for the legitimate interests pursued by the Company or a third party.


The company processes personal data of individuals to fulfil its obligations under a contractual relationship for the organisation of events, workshops or other services agreed between the contractual parties. In the context of the exercise of rights and the fulfilment of contractual obligations, Company processes personal data of individuals for the following purposes:

  • identification of an individual;
  • preparation of the offer and conclusion of the contract;
  • providing services, whereby Company can give the data to contract partners that will implement an individual service (e.g. a provider of overnight stays, etc.)
  • sending notifications to individuals regarding the implementation of the contractual relationship;
  • informing about changes in legislation in a particular field or changes in terms of sale;
  • invoicing services;
  • resolving objections or complaints;
  • implementation of any recovery procedures, a sale of receivables;
  • for other purposes, necessary for the conclusion or implementation of a contractual relationship.

To the extent strictly necessary for authentication and identification of transactions, Company processes data for the purpose of preparing reports and planning further activities.

For the purposes of organising events and related services or other services ordered by an individual, Company processes all information needed. This includes in particular, but not exclusively: name, first name, surname, birth date, address, place, country, telephone number, email, etc.

We do not need explicit consent for contractual processing of personal data.

At events or workshops that are strictly connected with photographing and publication of pictures (on Facebook, Twitter, YouTube in Instagram), it is numbered that photographing and publication of pictures are part of an event or workshop. In spite, that photographing and publishing of pictures is a contractual relationship, Company will still gain explicit consent of an individual. In a case where explicit consent for photographing and publication of pictures will not be given and Company will not be able to assure that an individual will not be on photograph, Company is justified to rejects application on such event or workshop.

If the individual does not provide all personal data that the Company needs to fulfil the contractual relationship, the Company cannot execute the individual’s order. Hereby, Company always acquires and further processes only the personal data that is needed to fulfil the contractual relationship.


The legal basis means that the Company processes personal data of an individual to fulfil the applicable legal obligations imposed by the legislation. In the Republic of Slovenia, legal obligations to process certain personal data are determined in particular by:

Value Added Tax Act ZDDV-1;

Tax Procedure Act;

Companies Act;

Accounting Act;

Rules on the implementation of the Value Added Tax Act;

Slovenian Accounting Standards.

If Company processes personal data of an individual who has made an online purchase or service order, it keeps the invoice for 10 years (as well as individual’s/buyer’s data on the account).


Company may process data on the basis of a legitimate interest which Company or a third party pursues, except when such interests are prevailed by the interests or fundamental rights and freedoms of an individual, to whom the data that requires the protection of personal data is related, in particular when the data relates to a child. In the case of further use of collected data on an individual, the Company implements the assessment according to the General Data Protection Regulation. Such further use of data in a pseudonymised or aggregated form, for example, represents the lawful use of data for marketing and other business or technical analyses of Company.

According to the General Data Protection Regulation, direct marketing also belongs to legitimate interests. For the purposes of direct marketing, Company may create individual profiles without any consent on the basis of basic information on selected services, such as e.g. the type or specific characteristics of the selected service, time of selection or past marketing contacts with the individual, in particular with respect to the expressed interest or lack of interest in certain services. Such basic profiling shall never include sensitive data. An individual may object to the processing according to the right to the restriction (item 7.4).

Based on legitimate interest, the Company may contact the individual to improve the service or determine his satisfaction with the services, even when this is not strictly necessary for the implementation of the contract. Due to the individuals’ interest, the Company does not contact those individuals who have objected to this.

The company has a legitimate interest to keep and further use data for analyses and research for marketing, business planning and similar until the expiration of the legally prescribed retention period.


Explicit consent is the basis for personal data processing for which Company does not have a legal or contractual legal basis. For example, consent may relate to:

  • informing about other Company offers and services, which is implemented exclusively through the communication channel selected by the individual;
  • photographing and recording an event or workshop for the purpose of presenting Company activities and publishing photos, videos and sound recordings on the Company website and on Facebook, Twiter, YouTube and Instagram profiles.

The individual gives the consent for himself, in the case of a child, consent is given by one of the parents or a legal representative.

In these cases, the processing of personal data is implemented to the extent and for purposes allowed by the individual’s statement and through agreed communication channels, until cancellation.

If the individual does not consent to the personal data collection and processing for one or more purposes specified in an individual consent, this does not have any consequences for the data the processing of which is implemented based on other legal bases.

Personal data collected on the basis of consent will be processed only within the framework and for the purpose of the given consent and will not be transmitted to third parties unless this is explicitly stated in the consent and the individual agrees that personal data may be transmitted to the processor specified in the consent.

The individual can cancel the consent to process personal data at any time by contacting our data protection point (point 8). The consent can be cancelled by an email sent to the email address under point 1.


Personal data shall be stored in accordance with the applicable regulations governing the protection of personal data. It shall be stored only as long as necessary for the purposes for which it is processed or according to the law. We store personal data, which we process based on the personal consent of the individual, permanently, until cancellation. Personal data, which we process based on the law or contractual relationship, is kept for as long as the law determines.

If the data is processed based on an individual’s consent due to the marketing of Company, the data may be processed to the necessary extent for as long as necessary for such marketing or services.

After the expiry of the retention period, the personal data is effectively and permanently deleted or anonymised so that it can no longer be linked to an individual.


We use technical and organisational security measures to protect personal data against unlawful or unauthorised access or use and also against unintentional loss or impairment of their integrity. We have designed these measures with regard to our IT infrastructure, possible impact on an individual’s privacy and costs and according to current industry standards and practices. Our contractual processors shall process your personal data only if they comply with these technical and organisational security measures.

Maintaining data security means protecting the confidentiality, integrity and availability of personal data:

  • confidentiality and integrity: individuals’ personal data shall be protected against unauthorised or illegal processing and against unintentional loss, destruction or injury;
  • availability: we shall ensure that authorised processors can access personal data only when necessary.

Our security procedures include access security, backup copies, monitoring, revision and maintenance, security incident management, etc.


Depending on the purposes for which we process individuals’ personal data, we can disclose this data to the following categories of processors:

  • 1. a) Within Company an employee.
  • 2. b) Our business partners of which we demand to comply with the applicable laws and personal data protection policy and to pay great attention to the confidentiality of the personal data:
  • advertising, marketing and promotional agencies and providers, e.g. MailChimp, Google (Google – only cookie identifier for remarketing, e-mail address for displaying ads in Google AdWords, cookie identifier for analysis in Google Analytics; Facebook – only cookie identifier for remarketing, e-mail address for displaying ads in Facebook Custom Audiences), that help us implement and analyse the effectiveness of our campaigns and promotions.
  • companies that perform services for Company, i.e. accounting service provider
  • natural and legal entities who are our contractual partners and provide consulting or individual services for Company with the purpose of executing a contractual relationship between Company and an individual (e.g. partner agencies, hotels, airlines, carriers, etc.);
  • c) Other third persons when required by law or legally required for the protection of:
  • Company (compliance with laws, authority requirements, court orders, legal procedures, reporting obligations and obligations to inform the authorities, etc.), verification or enforcement of compliance with Company policy and agreements;
  • rights, property or security of Company and/or its clients in relation to corporate transactions: in the context of transfer or disposal of all or part of its business or otherwise in connection with mergers, consolidations, changes of control, reorganisation of Company.
  • Our business partners listed above under item b), may only process individuals’ personal data in the framework of our instructions and may not use personal data to pursue any of their own interests. Each individual must bear in mind that the processors listed in items b) and c) above, in particular, service providers that offer services within the framework of applications and/or through their own channels may separately collect your personal data. In this case, they are solely responsible for its control and their cooperation with individuals must take place according to their terms.