Personal Data Controller: GEN-I, trgovanje in prodaja električne energije, d.o.o. (hereinafter referred to as “GEN-I” or the “Controller”).
Address/registered office: Vrbina 17, 8270 Krško. Telephone number: +386 7 48 81 840, e-mail: info@gen-i.si.

The processing of your personal data is supervised by our Data Protection Officer, who continuously monitors the compliance of the processing with the applicable regulations and international standards, assesses the impact of the processing of personal data and cooperates with the supervisory authorities. If you have any questions or need assistance in exercising your rights, the Data Protection Officer is available at the registered office of GEN-I, d.o.o., by e-mail at dpo@gen-i.eu or by phone on +386 7 48 81 840.

We process your personal data in accordance with one of the six possible legal bases (consent, entering into and/or performance of a contract, legal obligations, protection of the vital interests of data subjects, tasks carried out in the public interest, legitimate interests of the Controller or of third parties), to the minimum extent and for the duration necessary to achieve the purpose. Below we provide you with an explanation of the legal bases on which GEN-I processes your personal data.

Processing means any operation or set of operations which is performed upon personal data or upon sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The personal data of data subjects will only be stored and used for as long as necessary for the purpose for which it was collected or for as long as there is an adequate basis for doing so.

3.1 Processing of personal data based on the entering into or performance of a contract

GEN-I processes your personal data for the purpose of entering into a contract/agreement and for the performance of its obligations under a contractual relationship for the supply of energy products or other agreed services.

For this purpose, the following processing is carried out: identification of the individual, processing of the enquiry, preparation of the offer or the necessary contractual documentation, if necessary with an informative calculation of the energy consumption costs for potential customers, entering into a new contract or modification of the contractual relationship, supply and billing of the services or goods under the contract, invoicing and settlement, monitoring of payments and their recovery, resolution of complaints and technical problems, informing customers of changes in the conditions of sale and in the law, and carrying out any other action necessary for the fulfilment of the contractual obligations for this purpose.

• Method of obtaining data

We obtain data directly from you (for example, when you fill in a data form), but we may also obtain data from other sources, such as real estate agencies, contractors that build self-supply facilities or solar power plants, other natural persons who provide your personal data (e.g. in the sale or lease of immovable property, in the communication of metering point data or in a contractual relationship), from the system operator of the electricity distribution network, the geographically responsible operator of the natural gas distribution network, the telecommunications service provider, from publicly available sources (land register, etc.), from other competent or authorised governmental authorities or institutions, and from the Controller’s own meterings and records and those of its affiliated companies https://www.gen-i.si/en/about-gen-i/about-us/organizational-structure.

If you wish to request a change to a metering point (new metering point, change of ownership, etc.), you can make unnecessary data anonymous on the documents you provide us with.

• Purpose of data processing

An important purpose of the processing of your personal data in the context of the performance of the contractual relationship with GEN-I is to be able to provide you with quality and timely information at all times, including information on the possibility of communicating meter readings, information on perceived deviations in energy consumption, overdue receivables due to outstanding obligations and other information necessary for the quality performance of the contractual relationship to the satisfaction of both parties. In order to ensure the proper entering into, performance, monitoring and/or termination of your contract/agreement, we process the data necessary for this purpose, in particular: information on the contractual relationship obtained before and during the performance of the contract (your identification data and contact details; information about entering into the contract or an annex to the contract), your tax number, details of the authorised person of the holder of the consent for connection to the distribution or transmission network, transaction account number, metering point data, generation device data, metering and billing data, discount code in the case of energy sales promotion activities, restrictive conditions, data on recorded telephone calls and other business communications, data on users of the Moj GEN-I and Moj GEN-I Solar Portal, etc. In order to prove the submitted request, we may also store your clicks, time evidence and web server log files.

If you provide us with the details of a third party for the purpose of sending contractual documentation or other notices relating to the performance of the contractual relationship and request that the service be performed at that party’s address, we assure you that we will comply with your request. If you provide us with a telephone number or e-mail address of a third party for the purpose of communication in the performance of the contractual relationship, you shall be deemed to have given your consent that the person with such contact details may know your personal data processed for the purpose of the performance of the contractual relationship with you as well as to the use of such contact details for the purpose of communication via these communication channels. GEN-I shall not be liable for any disclosure of your personal data or misuse of your identity resulting from your failure to adequately protect your personal data or disclosure of your personal data to third parties. You are advised to protect your personal data and not to recklessly disclose it to others, as such disclosure of your personal data, which may include your identification data with the Controller, may allow the recipients of the data to further disclose it or otherwise misuse it, which in extreme cases may lead to your identity being stolen.

On the same legal basis, GEN-I also processes personal data (identification and contact data, employer status, etc.) of data subjects in the B2B segment (business-to-business sales of goods and services), who are either signatories, administrators or operational contractors of contracts entered into between the Controller and the contracting party.

• Duration of data processing

Personal data processed on the basis of entering into or performance of a contract may be retained for the purpose of fulfilling the contractual obligations for as long as is necessary for the entering into or performance of the contract and the exercise of the rights and obligations under the contract or until the expiry of the statutory time limit for the exercise of remedies by the parties. Metering data will be kept for three years from the end of the year in which it is generated and time aggregates up to and including one month will be kept for five years from the end of the year in which they are generated.

If you have completed the online switching form but you have not completed the switching process, either because there were technical difficulties in completing the form, you did not have all the information you needed to complete the form or you are simply thinking about switching suppliers, we will send you a friendly reminder to remind you that your switch has not yet been completed and we will offer assistance to you for completing the switching process. If no contract is entered into, we will erase or anonymise the data as appropriate, unless you have consented to receive personalised offers from GEN-I tailored to your needs. Bills and other accounting records will be retained in accordance with the statutory periods required by tax legislation.

3.2 Processing of personal data based on law

We process your personal data on the basis of the applicable laws relating to energy and self-sufficiency, consumer protection, personal data protection, regulation of electronic communications, obligations, enforcement, taxes, excise duties and other laws binding on the Controller. For example, we are obliged to process your personal data for invoicing purposes in the manner prescribed by the Value Added Tax Act and to keep bills unchanged for 10 years after they have been issued. In the field of energy law, we are obliged, among other things, to process your personal data for the purpose of fulfilling the supply contract and for the purpose of making operational forecasts.

3.3 Processing of personal data based on legitimate interest

We may process your personal data on the basis of our legitimate interest, the existence and legitimacy of which are based on a careful assessment that your interests and fundamental rights and freedoms do not override the legitimate interest of the Controller in processing your personal data and that you can reasonably expect, at the time of collection of the personal data, that the data will be processed solely for the purpose in question. Where further use of your data is concerned, the Controller will exercise due diligence in accordance with data protection law. As a general rule, such further use of data will be in pseudonymised or aggregated form.

On this basis, we carry out the following processing or activities:

• Direct marketing is a form of communication through which we send you a variety of information and offers via various channels, occasionally invite you to events, to participate in contests/quizzes and so on. For this purpose, we process personal data obtained in the course of the lawful exercise of our activities or from publicly available sources. For direct marketing purposes, we may create a profile of you for reasons of legitimate interest, based on data obtained from the performance of the contractual relationship and the use of online portals, such as activated campaigns, type and consumption of the energy product, contacts of the data subject, etc. You have the right to object to such processing at the time of collection of your personal contact details and subsequently at the time of any communication, which will be made clear to you, and in the event of your objection, we will stop the processing.
• We conduct surveys or interviews to learn about your user experience and your user preferences/needs through voluntarily completed surveys, questionnaires or interviews, and by doing so we determine user satisfaction with our services and your needs for the development of new features and services. Based on your responses, we strive to continually improve our services and your customer experience, and we plan to develop the services you rightly expect and demand from us as well as what is demanded by the energy legislation and our social responsibility to maintain a clean and healthy environment. To do this, we will process your contact details (first name, surname, telephone number, e-mail) and your answers. Participation in the survey/interview is voluntary and does not affect your contractual rights. Answers to the questions asked are generally not anonymous, but they are processed using pseudonyms to ensure the security of your data.
• We conduct analysis and research (data analysis, including segmentation and profiling of data subjects) for the purposes of marketing activities, business planning, adapting and improving business processes and services, introducing new business models, market research, measuring market response, measuring sales performance, analysis that leads to improving your customer experience, managing business and credit risks, optimising our business, etc.
• In order to optimise websites, portals or applications for system efficiency, usability and to provide useful information about our services, we automatically collect and store information on the user’s computer, including: browser type and language setting, operating system, date/time of visit, and may also store other information depending on the state of the art. The information we collect may be used for analysis and research based on legitimate interest, and for communications (for example, to optimise and improve the user experience, to provide more attractive offers and services, and to improve the quality of the user experience). Websites, e-mails, online services, advertisements and interactive applications may use cookies to optimise their services. For more information about the use of cookies, please see our Cookie Policy.
• The processing of your personal data by companies affiliated with the Controller (listed at: https://www.gen-i.si/en/about-gen-i/about-us/organizational-structure) may only be carried out for the purpose of carrying out joint tasks and joint management of the GEN-I Group.
• For example, we may use the SISBON application to check your solvency.
• Ensuring network and information continuity and security to prevent accidental events or illegal and malicious activities. This may include preventing unauthorised access to electronic communications networks, the spread of malicious code, denial of service attacks and damage to computer and electronic communications systems to ensure the availability, integrity and confidentiality of your personal data.
• Preventing or limiting potential abuse and fraud.
• We record telephone calls to provide evidence of business communications (entering into and performance of contracts, complaints, data updates and other enquiries) on specific numbers, which you will be informed of each time you make a call.
• Video surveillance is used to ensure the security of persons and property, to protect data and trade secrets, to ensure the security of business premises and to control access to business premises in areas where it is necessary to protect the above interests. Video surveillance involves the processing of your personal data to the extent strictly necessary and is only carried out in locations that have been assessed as potentially vulnerable. Notices of the existence of the CCTV system are posted before you enter each area under surveillance. Detailed information about CCTV can be found at: https://www.gen-i.si/obvestilo-o-videonadzoru.

We process your personal data obtained in the course of the performance of the contractual relationship on the basis of legitimate interest and on the other bases described in these Terms and Conditions, and we retain such data only for as long as is necessary to fulfil the purpose for which the individual data was collected and further used. Video surveillance data is retained for a maximum of 6 months. Recordings of phone calls are retained for 6 months. A longer retention period is permitted if the data is the subject of litigation, enforcement, criminal or administrative proceedings. For security reasons, data may be processed in pseudonymised and/or aggregated form until the expiry of the legal retention period, and in anonymised form after the expiry of the retention period.

3.4 Processing of personal data based on consent

We may process your data for certain purposes on the basis of your consent. Such consent may relate to:

• subscribing to our eNewsletter so that you can be informed from time to time about new developments in our offer, our achievements in domestic and foreign markets as well as information that we think would be of interest to you and that you would like to receive. In this case, we will process your e-mail address or telephone number;
• the sending of personalised offers by GEN-I. In this case, we will process the personal data that you have provided to us and/or that has been generated in the course of our legitimate business activities;
• the acceptance of cookies, the purpose of which is to provide the user with personalised advertising;
• the transfer of your data to service providers that we have a cooperation agreement with (e.g. we will transfer your data to a heat pump provider on the basis of your consent);
• your participation in contests/quizzes conducted in accordance with the general terms and conditions of each activity, in which your identification and contact details will be processed as well as the answers to the questions asked or the data required to participate in each activity and, in the case of a prize, your tax number if this is required for compliance with tax regulations. By participating in a contest, quiz or other similar activity, you expressly consent to the publication of your first name, surname and place of residence in connection with that activity if you win the prize;
• your participation in various projects carried out in accordance with specific agreements with the participants, in which your identification and contact data will be processed as well as other data necessary to carry out the purpose of the project or similar activity, as specifically stated in such agreement;
• your inclusion in a database of job applicants;
• and other similar consents.

You may withdraw or amend your consent at any time. You may send your request for withdrawal to dpo@gen-i.eu to the Controller’s registered office, specifying the person to who and the consent to which the withdrawal relates. You may also use the form to withdraw or modify your consent to receive personalised offers. However, if you have provided any of the consents on the website, you may also withdraw your consent on the website. Withdrawal or modification of consent only applies to the personal data processed on the basis of the consent, and the Controller will take into account your last consent. The ability to withdraw consent does not constitute a right of withdrawal in a valid contractual relationship with us. The data for which consent has been given will be processed until the consent is withdrawn. Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent until it is withdrawn.

We process the personal data of the following categories of data subjects on the basis of different legal bases:

• the signatory of the contract;
• the recipient of the bills, if different from the signatory of the contract;
• the owner or co-owner of the metering point;
• the service user at each metering point, such as: tenant, spouse/partner, other household member;
• an individual calling the call centre;
• an individual who wants to enter into a contract but does not do so;
• an individual who has given consent to the processing of personal data for a specific purpose;
• an individual who has entered a contest/quiz or other marketing activity;
• an individual user of websites, online portals (Moj GEN-I, Moj GEN-I Solar) and online applications.

The recipients of your personal data are:

• banks - as far as payment transactions are concerned;
• The Financial Administration of the Republic of Slovenia and other supervisory bodies, audit firms, providers of out-of-court consumer dispute resolution;
• the courts competent for the settlement of disputes;
• national and other competent authorities, such as the distribution system operator, the geographically competent natural gas distribution system operator, the Energy Agency;
• upon explicit request, other recipients who have a basis for obtaining personal data by law, personal consent of the data subject, the performance of a contractual relationship or for other legitimate interests of the Controller.

Your personal data may also be processed by our contractual processors that provide contractually agreed services, such as IT support services, printing and mailing services for documents related to communication with customers and sellers, civil debt collection services, sales services, marketing services, any authorised intermediaries working in the field to find and contact new potential customers and energy sellers as well as others. Contractual processors are committed to the strict protection of all your data and act on the instructions of the Controller.

Personal data is processed by the persons employed by the Controller who are competent for the processing in the specific field of their work and in accordance with the powers delegated to them. The persons who process your personal data are professionally qualified in the field of personal data protection and receive continuous and additional training in this field. The GEN-I Group conducts an ongoing awareness campaign among its employees on the importance of personal data protection. We use personal data within the parent company GEN-I, and its subsidiaries listed at https://www.gen-i.si/en/about-gen-i/about-us/organizational-structure insofar as this is compatible with the purpose of the processing.

GEN-I and its subsidiaries may also act as joint controllers of personal data. If you entrust your personal data to one of the companies of the GEN-I Group (e.g. GEN-I Sonce), in certain cases both the subsidiary and the parent company GEN-I may process your data on the basis of a joint management agreement, all in accordance with the purposes of the processing, which you will be notified about in advance, and in order to fulfil the purpose. Recipients may exercise their rights under point 9 with both joint controllers. The main content of the joint management agreement is available from the Controller (Data Protection Officer).

If you are a participant in a contest/quiz or other activity (which may include a pilot project) organised or co-organised by the Controller together with a business partner, both the Controller and the Controller’s business partner (hereinafter referred to jointly as the “Controllers”) will process the personal data collected in accordance with the applicable personal data protection legislation. In doing so, the Controllers will ensure that the collected data is stored and protected in an appropriate manner to prevent any unjustified disclosure to unauthorised persons and that the data is not transferred, rented or sold to third parties without prior written consent, except to contractual partners that assist in the processing of personal data for specific purposes for which there is a (lawful) legal basis on behalf of a particular Controller. The Controllers will process the personal data collected for the purpose of conducting the contest/quiz/other similar activity for which you have voluntarily opted in. You will be able to exercise your rights under point 9 with all the joint controllers.

In some cases, we may also transfer your personal data to countries that are not members of the European Economic Area or to international organisations (“third countries”) and where an adequate level of protection of personal data is not necessarily ensured. Such transfers will always be limited in scope, for a specific purpose and in strict compliance with the safeguards provided by the laws in force in the territory of the Controller (binding corporate rules, codes of conduct, standard contractual clauses, data transfers based on specific exemptions and similar other mechanisms).

Third country partners that may process some of your personal data include:

• US-based bulk email service provider (your e-mail address only);
• Website analytics provider (if you have consented to the recording of analytics cookies);
• For the purposes of advanced advertising, we use cookies from the advertising companies Meta, Google and YouTube;
• A contractor based in Northern Macedonia that develops and maintains some IT systems.

Where we transfer your personal data to third countries, we will only do so after carefully considering the legal basis and safeguards in place in that third country. Any transfer of personal data to third countries will be carried out by the Controller with due care and diligence, in accordance with the principle of accountability. Information on the specific security mechanism used for each transfer of personal data to third countries and, where applicable, a copy of it, is available from the Controller (Data Protection Officer).

GEN-I has a system of preventive measures in place to prevent personal data breaches. We keep our measures up to date with the latest information security guidelines. We also report all personal data incidents as required by law and notify the relevant supervisory authorities and affected individuals as appropriate.

Our business is predominantly digital, but all contractual and other decisions with legal or related implications are made by our people, with appropriate IT support.

The data protection legislation in force in the territory of the Controller provides you with a number of privacy and data protection rights, including the following:

• The right to be informed about the processing of your personal data (the text you are reading is considered as part of the exercise of this right);
• The right of access to personal data means that you have the right to ask GEN-I, as the Controller, whether personal data concerning you are being processed and, if so, to obtain access to your personal data and other information (purposes of processing, types of data, recipients of data, existence of rights and information on the possibility of lodging a complaint, data sources, possible automated decision making or specific profiling);
• The right to obtain a copy of the personal data being processed, where there is a legitimate interest in doing so;
• The right of rectification, which allows us, upon your request, to rectify without undue delay inaccurate personal data concerning you; you also have the right to have incomplete personal data completed, including by submitting a supplementary declaration, taking into account the purposes of the processing;
• The right to erasure, also known as the “right to be forgotten”, entitles us to erase personal data concerning you without undue delay if the prescribed conditions are fulfilled (processing is no longer necessary, withdrawal of consent and no other legal basis, reasoned objection, unlawful processing, erasure required by applicable law, etc.);
  The right to restriction of processing, which means the right to request that we restrict the processing of your data if you dispute the accuracy of the data, or if you have objected to it, or if the processing is unlawful, or if the processing is no longer necessary for the Controller but is necessary for the establishment, exercise or defence of legal claims;
• The right to be informed of the rectification, erasure or restriction of the processing of your personal data, insofar as it has been communicated to another user, unless this proves impossible or involves a disproportionate effort;
• The right to data portability means the right to receive personal data relating to you that you have provided to us in a structured, commonly used and machine-readable format, including the right to transmit such data to another controller without any hindrance (applies to data processed by automated means on the basis of consent or a contractual relationship);
• The right to object means that you can object at any time to certain types of processing of your personal data (public interest, legitimate interests of the Controller, marketing purposes) and the Controller must demonstrate legitimate interests for the processing or cease the processing (always in the case of direct marketing, including profiling, if it is related to such direct marketing, you may object, which will be made clear and unambiguous to you), except in rare cases of legitimate exceptions, where we demonstrate that we have compelling legitimate grounds for the processing which override your interests, rights and freedoms, or that we need them for the establishment, exercise or defence of legal claims;
• The right against automated processing and profiling means that you will not be subject to a decision based solely on automated processing, including profiling, which has legal or similar effects concerning you unless it is strictly necessary, mandatory or you consent to it;
• The right to lodge a complaint with a supervisory authority, i.e. the Information Commissioner of the Republic of Slovenia.

If we process your personal data on the basis of your consent, you may withdraw your consent temporarily or permanently at any time. In this case, your withdrawal will be prospective and will not affect the processing carried out until the withdrawal. Upon your request, the Controller will, without undue delay and in any event within one month of receipt of the request, provide you with information on the steps taken to process your personal data in accordance with the data protection legislation applicable in the territory of the Controller. In exceptional cases, this period may be extended by up to a further two months, taking into account the complexity and number of requests. In this case, the Controller will inform you within one month of receipt of the request, giving the reasons for the delay. If you make a request by electronic means, the Controller will, where possible, provide the information by electronic means, unless you request otherwise. When you make a request, we will verify your identity and, if there is any doubt as to whether you are the right person and the intended recipient of the request, we will ask for any additional information necessary to confirm your identity.

If a personal data breach occurs and the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay that a personal data breach has occurred. The national authority responsible for handling personal data breaches is the Information Commissioner of the Republic of Slovenia, Dunajska cesta 22, 1000 Ljubljana.