Privacy policy

Privacy Policy

This Privacy Policy ("Policy"), together with the terms of use of this website and any other referenced documents, outlines the types of personal data that are processed, the manner and scope of processing, and information on data sharing, as well as your rights in relation to such processing. This Policy is in accordance with the provisions of the General Data Protection Regulation ("GDPR") and applicable national data protection laws. The terms used in this Policy have the same meaning as defined under the GDPR..

Who is the data controller?

The data controller is Law Firm Ilić & Partners LLP, located at Gosposvetska cesta 11, 1000 Ljubljana, registration number 3468526000, with the general contact telephone number +386 590 866 00 and email address slovenia@odilaw.com (hereinafter referred to as “ODI” or “we”).

Purposes of processing, types, and sources of data

As a law firm, we process personal data of clients and other individuals involved in legal matters for various purposes essential to the provision of our services. The collection and processing of personal data are carried out in strict confidentiality and are necessary for fulfilling our contractual and legal obligations, as well as, in certain cases, for pursuing our legitimate interests. Below are the key purposes for which we process your personal data:

• The primary purpose of processing your personal data is to enter into and perform a contract with you (Article 6(1)(b) GDPR). This includes processing identification and contact details, such as your full name, residential address, personal identification number (EMŠO), tax number, passport or ID details, telephone number, email address, etc.
• In certain cases, processing may also involve business-related information that ODI obtains directly or indirectly, strictly for the purpose of fulfilling contractual obligations and in compliance with legal regulations governing legal practice.
• In some instances, we process your personal data to comply with our legal obligations (Article 6(1)(c) GDPR), such as client due diligence for the prevention of money laundering and terrorist financing. This may include detailed personal data as well as transaction-related information.

If you provide us with sensitive business information, trade secrets, or personal data concerning individuals such as your employees, counterparties, advisors, or suppliers for the purpose of legal services, we will process such data exclusively to provide our services in accordance with the applicable regulations governing legal practice, while ensuring strict confidentiality. Any information obtained from you is considered a trade secret and is protected in accordance with the Trade Secrets Act and other relevant legislation.

In most cases, we collect your personal data directly from you. However, in certain instances, we may obtain your data indirectly from the following sources:

• Public authorities, local government bodies, and entities with public authority for the purpose of performing legal services in a specific case, in accordance with the regulations governing legal practice. The types of data collected from these sources are defined by the applicable laws regulating the operation of public legal entities.
• Documentation disclosed by our client or an associated party. Such information typically includes identification details (e.g. full name, tax number, personal identification number (EMŠO), residential address), contact details (e.g. email address, phone number), and details regarding the matter in which we have been engaged, which may also involve various personal data.
• Website backend through the use of essential cookies. In this case, processing is carried out to ensure an efficient user experience. For more details on our use of cookies or similar technologies, please refer to our Cookie Policy.
• Website backend during interactions with the website content or use of the contact form. This processing is expected and based on our legitimate interest (Article 6(1)(f) GDPR) and may include the following data:
  • time of interaction
  • browser type and version,
  • email address (if provided),
  • phone number (if provided)
  • full name
  • content of the message.

Obligation to provide personal data

The provision of your personal data is generally both a contractual and statutory requirement. As explained in this Policy, we require certain personal data to enter into a contract with you and to fulfil our contractual obligations. Additionally, we are legally required to process certain data in compliance with applicable laws.

If we are legally obliged to collect personal data or if we process such data based on your instructions or a contract concluded with you, and you fail to provide the requested data, we may be unable to carry out your instructions or fulfil our contractual obligations. In such cases, we may be required to cancel our agreement or terminate the contract we have concluded or are attempting to conclude with you. However, you will always be duly informed of such a decision.

Existence of Automated Data Processing

Your personal data will not be used for automated decision-making or profiling.

Recipients of your personal data

Your personal data may be disclosed to the following recipients:

• Third parties, in particular our contracted processors engaged in connection with the legal services we provide, such as advisors, mediators, experts, and other legal professionals, including law firms for specialist or foreign legal advice, translators, valuation service providers, educators, couriers, and other necessary entities.
• Companies providing services for the prevention of money laundering and terrorist financing, credit risk reduction, and other fraud and crime prevention purposes, as well as financial institutions, credit rating agencies, and regulatory authorities that may require access to this personal data.
• Courts, law enforcement authorities, regulators, government officials, legal representatives, or other parties, where reasonably necessary for the assertion, exercise, or defence of legal or equitable claims, or in the context of confidential alternative dispute resolution proceedings.
• Service providers, engaged within or outside ODI, such as shared service centres, who process personal data on our behalf and strictly in accordance with our instructions for any of the purposes listed above, including website maintenance providers.
• Potential buyers or sellers in the event of a business sale or acquisition, where your personal data may be disclosed to a prospective buyer or seller as part of the transaction involving the transfer or renewal of any of our rights and obligations.

Transfer of data to third countries

As a general rule, we do not transfer your personal data to third countries or countries outside the European Economic Area (EEA). In exceptional cases where such transfers occur, we ensure that an adequate level of protection is maintained in accordance with the GDPR and national data protection regulations.

When transferring your data to other countries, we process, share, and protect it in line with this Privacy Policy. Data is transferred to third countries only when necessary for the legal services we provide to you, or for the assertion, exercise, or defence of legal claims, and only if appropriate safeguards are in place to protect your personal data. Such safeguards include the Standard Contractual Clauses (SCCs) approved by the European Commission. SCCs are legally binding agreements that ensure any data transferred outside the EEA maintains the level of protection required under the GDPR. The content of the SCCs is available here.

Data retention period

We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including compliance with legal, accounting, or reporting obligations. Where required, ODI will also retain data to assert or defend against legal claims until the end of the relevant retention period or until the claims in question are settled.

Matters where the purpose of processing has been fulfilled will be stored in our archives for an additional five years, in accordance with the Attorney Act, after which they will be securely destroyed.

Your rights

If we process your personal data, you have the right to request access to your personal data, as well as to rectify, erase, or restrict its processing. You also have the right to object to the processing of your data and to request data portability.

To exercise your rights, please send your request to slovenia@odilaw.com or contact us at +386 59 866 00. We will make every effort to process your request as promptly as possible, but no later than the timeframes prescribed by the GDPR, i.e. within one month, with the possibility of an exceptional extension if necessary.

Please note that the exercise of certain GDPR rights may be limited if you are not our client, as we are bound by legal professional privilege and confidentiality obligations under the regulations governing legal practice. Furthermore, we are required to enforce GDPR rights in a manner that does not negatively impact the rights and freedoms of others. On this basis, we may decline your request for access to personal data.

If you have given your consent for the collection, processing, and transfer of your personal data, you have the right to withdraw your consent, in whole or in part, at any time. Upon receiving a withdrawal notice, we will cease processing your data for the purpose(s) for which you originally consented, unless there is another legal basis for processing. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Right to lodge a complaint with the supervisory authority

If you believe that there has been non-compliance in the processing of your personal data, you may file a complaint with the supervisory authority for data protection: Information Commissioner, Dunajska cesta 22, 1000 Ljubljana, Slovenia, email: gp.ip@ip-rs.si, telephone: +386 1 230 97 30.