Personal Data Protection Policy
The purpose of the Personal Data Protection Policy is to inform individuals, service users, colleagues, employees and other persons (hereinafter referred to as “the individual”) who interact with CTX (hereinafter referred to as “the company”) about the purposes and legal bases, security measures and the rights of individuals regarding the processing of personal data carried out by our company.
We value your privacy, so we always protect your data with the utmost care.
We process your personal data in accordance with European legislation (Regulation (EU) 2016/697 on the protection of individuals with regard to the processing of personal data and on the movement of such data (hereinafter referred to as the “General Regulation”)) and the applicable Personal Data Protection Act (ZVOP-2), as well as other legislation that provides us with a legal basis for the processing of personal data and the company’s internal acts governing the protection of personal data.
The Personal Data Protection Policy contains information for individuals on how our company, as the controller, processes the personal data it receives from an individual based on the legal grounds described below.
Controller
CTX (Invoice Exchange)
E-mail: admin@CTX.city
Tel: +27 69 118 3224
Contact person for personal data protection
For any questions concerning the processing of personal data and the exercise of their rights under the General Data Protection Regulation, data subjects may contact the data protection contact person:
Name: Gwen Swan
Address: CTX
Phone: 069 118 3224
E-mail: admin@CTX.city
Personal data
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Purposes of processing and grounds for processing
The company collects and processes your personal data on the following legal bases:
- The processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary for the performance of a contract to which the data subject is a party or for the performance of measures at the request of such data subject prior to the conclusion of the contract;
- processing is necessary for the legitimate interests pursued by the controller or by a third party;
- the data subject has consented to the processing of his or her personal data for one or more specified purposes;
- processing is necessary for the protection of the vital interests of the data subject or of another natural person.
Fulfilling a legal obligation
Based on the provisions in the law, the company primarily processes data about its employees, which is allowed under employment law. Thus, based on the legal obligation, the company processes in particular the following types of personal data for recruitment purposes: name and surname, gender, date of birth, tax number, place, municipality and country of birth, nationality, place of residence, etc.
Implementation of the contract
If you, as an individual, enter into a contract with a company, this constitutes the legal basis for the processing of your personal data. We may process your personal data for the purpose of concluding and performing the contract, such as the sale of goods and services, membership of benefits clubs, participation in events, training, promotions, etc. If you do not provide personal data, the company cannot conclude the contract, nor can the company perform the service or deliver the goods to you in accordance with the contract, as it does not have the necessary data to perform the contract. The company may, based on its lawful activity, inform individuals and users of its services, events, training, offers and other content by sending an email to their email address. The individual may at any time request to stop such communications and processing of personal data and to cancel the receipt of communications via the unsubscribe link in the communication received, or as a request by email to CTX or by regular mail to the company’s address.
Legitimate interest and direct marketing
A company may also process personal data based on a legitimate interest pursued by the company. The latter is not permissible where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data. Where legitimate interest applies, the company shall always carry out an assessment in accordance with the GDPR.
The General Regulation does not specifically regulate direct marketing and therefore different arrangements in sectoral legislation are taken into account. The scope of direct marketing to individuals by means of electronic communications, which includes unsolicited e-mails, telephone calls and SMS messages, is regulated in more detail in the Electronic Communications Act (ZEKom-2, Official Journal of the Republic of Slovenia 133/22; Article 226). The sending of such unsolicited messages by means of electronic communications is only permitted in the following cases:
- where the individual has given prior consent; or
- if the individual has purchased a product or service from the sender and has entrusted the sender with his/her e-mail address, or if the marketing of similar products or services to that e-mail address is permitted (the exact conditions are set out in Article 226(2) of the ZEKom-2).
The ZEKom-2 regime is stricter with regard to the sending of commercial communications to e-mail addresses belonging to natural persons (e.g., name@company.xx or name.surname@company.xx) and is generally only permitted on the basis of the subscriber’s or user’s prior consent (Article 226(1) ZEKom-2), except in two cases:
- where a legal person who obtains an e-mail address from a customer of its products or services uses that e-mail address for the direct marketing of its similar products or services, provided that it offers the customer a clear and explicit possibility to refuse, free of charge and in a simple manner, such use of his e-mail address at the time when the contact details are obtained and at the time of each communication, provided that the customer has not already refused such use at the outset (Article 226, second paragraph);
- where the e-mail address of a natural person is made public by a legal person as its contact e-mail address (Article 226(6)).
Under Article 21 of the GDPR, where personal data is processed for direct marketing purposes and on the basis of the legitimate interests of the controller, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing purposes, including profiling, insofar as it is related to such direct marketing. The controller must explicitly remind the data subject of the right to object at the latest at the time of the first communication with him or her and present this right to him or her clearly and separately from any other information.
Thus, the company may process personal data of individuals collected from publicly available sources or in the course of the legitimate exercise of its activities, including for the purposes of offering goods, services, employment, information about benefits, events, etc. For these purposes, the company may use ordinary mail, telephone calls, e-mail, and other means of telecommunication. For direct marketing purposes, the company may process the following personal data of individuals: name and surname of the individual, address of permanent or temporary residence, telephone number and e-mail address. The individual may at any time request to stop such communication and processing of personal data and to cancel the subscription to such communications via the unsubscribe link in the communication received, or as a request by e-mail to admin@CTX.city or by regular mail to the company’s address.
Processing on the basis of consent
If the company does not have a legal basis based on the law, a contractual obligation, or a legitimate interest, it may ask the individual for consent. In this way, it may also process certain personal data of the data subject for the following purposes, where the data subject has given his or her consent:
- residential address and e-mail address for the purposes of information and communication,;
- tax identification number for the purposes of possible enforcement in the event of default (e.g., non-payment of an invoice;
- photographs, videos and other content relating to the individual (e.g., publication of images of individuals on the company’s website) for the purposes of documenting activities and publicizing the company’s work and events;
- other purposes for which the individual has consented.
If the data subject has given his or her consent to the processing of personal data and at some point no longer wishes to do so, he or she may request that the processing of personal data be terminated by sending a request by e-mail to admin@CTX.city or by regular mail to the company’s address. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.
The processing is necessary for the protection of the vital interests of the individual
The company may process the personal data of the data subject to the extent necessary to protect his or her vital interests. For example, the company may search for a personal document of the data subject, check whether that person exists in its database, examine his or her medical history or contact his or her relatives without the need for his or her consent. The above applies where this is strictly necessary to protect the vital interests of the individual.
Retention and deletion of personal data
The company will keep personal data only for as long as necessary to fulfil the purpose for which the personal data was collected and processed. If the company processes the data based on the law, it will keep the data for the period prescribed by the law. In this case, some data will be kept for the duration of the cooperation with the company, while some data must be kept permanently.
Personal data processed by the company based on a contractual relationship with an individual shall be kept by the company for the period necessary for the performance of the contract and for 6 years after its termination, except in cases where there is a dispute between the individual and the company in relation to the contract. In such a case, the company shall keep the data for 10 years after the final decision of a court, arbitration, or court settlement or, in the absence of litigation, for 5 years from the date of amicable settlement of the dispute.
The personal data that is processed by the company based on the individual’s personal consent or legitimate interest will be kept by the company until the consent is withdrawn or until the data are erased. Upon receipt of a revocation or a request for erasure, the data shall be erased within a maximum of 15 days. The company may also delete the data prior to revocation, where the purpose of the processing of personal data has been achieved or where required by law.
Exceptionally, a company may refuse a request for erasure on the grounds set out in the General Regulation, such as the following: the exercise of the right to freedom of expression and information, compliance with a legal obligation to process, grounds of public interest in the field of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the exercise or defence of legal claims.
After the retention period, the company must effectively and permanently erase or anonymize the personal data so that it can no longer be linked to a specific individual.
Contractual processing of personal data and data export
The Company may entrust a contractual processor with the processing of personal data on the basis of a contractual processing agreement. Contract processors may process the entrusted data exclusively on behalf of the controller, within the limits of the controller’s authorization, which is enshrined in a written contract or other legal act and in accordance with the purposes set out in this Privacy Policy.
The contractual processors with which the company cooperates are mainly:
- accounting services and other providers of legal and business advice;
- infrastructure maintenance (video surveillance, security, cleaning services);
- information systems maintenance;
- email service providers and software providers, cloud services (e.g., Amazon, Microsoft, Google);
- providers of social networks and online advertising (Google, Facebook, Instagram, etc.)..
Under no circumstances will the company disclose the personal data of an individual to unauthorized third parties.
Contract processors may only process personal data within the scope of the company’s instructions and may not use personal data for any other purpose.
The company acts as controller, and its employees do not export personal data to third countries (outside the European Economic Area – EU Member States plus Iceland, Norway, and Liechtenstein) and international organizations, except to the USA, where the company has a legal basis under Article 6 of the General Data Protection Regulation to process personal data. Before transferring personal data to another entity, the company shall ensure the legal basis and an adequate level of data protection.
Cookies
The company’s website works with the help of so-called cookies. A cookie is a file that stores website settings. Websites store cookies on users’ devices used to access the internet in order to identify individual devices and the settings used by users to access the internet. Cookies allow websites to recognize if a user has visited that website before and, in the case of advanced applications, they can be used to adjust individual settings accordingly. Their storage is under the full control of the browser used by the individual, which can restrict or disable the storage of cookies if desired.
Cookies are essential for providing a personalized online service. They are used to store information about the state of a particular website, to help gather statistics about users and website traffic, etc. Cookies can therefore be used to evaluate the effectiveness of our website design.
Our website uses the following cookies:
| Name of the cookies | Duration | Purpose |
| ads.linkedin | ||
| lang | Duration of the session | |
| google.com | ||
| 1P_JAR | Duration of the session | To personalize your Google advertising |
| AEC | 6 months | |
| APISID | 2 years | |
| CONSENT | 1 year | |
| HSID | 2 years | |
| NID | up to 6 weeks | To personalize your Google advertising |
| SAPISID | 2 years | |
| SID | 2 years | |
| SIDCC | 2 years | |
| SSID | 2 years | |
| SEARCH_SAMESITE | 6 months | |
| CTX | ||
| _ga | 2 leti | Google cookie to distinguish between users |
| _gid | 24 ur | Google cookie to distinguish between users |
| _gat | 1 minuta | To control access to pages |
| google.com | ||
| 1P_JAR | Duration of the session | To personalize your Google advertising |
| APISID | 2 years | |
| HSID | 2 years | |
| NID | 6 months | To personalize your Google advertising |
| ENID | 6 months | |
| OGPC | ||
| SAPISID | 2 years | |
| SID | 2 years | |
| SIDCC | 2 years | |
| SSID | 2 years | |
| OTZ | ||
| gstatic.com | ||
| 1P_JAR | duration of the session | |
| CONSENT | 19 years | |
| linkedin.com | ||
| AMCV_14215E3D5995C57C0A495C55 | 2 years | |
| UserMatchHistory | 1 month | |
| _ga | 2 years | Google cookie to distinguish between users |
| _lipt | ||
| bcookie | 2 years | |
| lang | ||
| liap | 1 year | |
| lidc | ||
| utag_main | 1 year | |
| http://www.CTX.city | ||
| ci_session | Duration of the session | |
| csrf_cookie_name | Duration of the session | |
| cookie-consent-settings | Trajanje seje | |
| _ga | 2 years | Used to distinguish between users |
| _gid | 24 hours | Used to distinguish between users |
The storage and management of cookies is under the full control of the browser used by the individual. The browser can restrict or disable the storage of cookies if it wishes. You can also delete cookies that have been stored by your browser; instructions can be found on the web pages of each browser. You can cancel non-essential cookies (analytics and marketing cookies) at any time in the website settings.
Data protection and data accuracy
The company takes care of information security and infrastructure security (premises and application system software). Our information system is protected by antivirus and firewall, among other things. We have put in place appropriate organizational and technical security measures designed to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access and against other unlawful and unauthorized forms of processing. In the case of the provision of special types of personal data, we provide them in encrypted and password-protected form.
It is the individual’s responsibility to ensure that his or her personal data is provided securely and that the data provided is accurate and reliable. The company will endeavour to ensure that the personal data it processes is accurate and, where necessary, kept up to date, and we may contact you from time to time to confirm the accuracy of your personal data.
Rights of the data subject regarding data processing
Under the GDPR, the data subject has the following data protection rights:
- He or she may request information about whether we hold his or her personal data and, if so, what data we hold, on what basis we hold it and why we use it;
- He can request access to his personal data, which allows him to receive a copy of the personal data held by the company and to check whether the company is processing it lawfully.
- He or she can request rectification of personal data, such as correction of incomplete or inaccurate personal data;
- He or she may object to further processing of personal data where the company relies on legitimate business interest (including in the case of legitimate interest of a third party), where there are grounds relating to the situation of the data subject; the data subject has the right to object at any time if the company processes personal data for direct marketing purposes.
- He or she may request the restriction of the processing of his or her personal data, which means the interruption of the processing of personal data, for example, if the data subject wishes the company to establish its accuracy or to verify the grounds for further processing of personal data.
- He or she may request the transfer of his or her personal data in a structured electronic format to another controller, insofar as this is possible and feasible;
- • He or she may withdraw the consent or assent he or she has given to the collection, processing and transfer of his or her personal data for a specific purpose; upon receipt of notification that he or she has withdrawn his or her consent, the company will cease to process the personal data for the purposes for which he or she originally gave it, unless the company has another lawful legal basis to do so lawfully.
If an individual wishes to exercise any of the above rights, he or she may send a request by email to admin@CTX.city or by regular mail to the company’s address.
Access to the personal data and the exercised rights is free of charge for the individual. However, the company may charge a reasonable fee if the data subject’s request is manifestly unfounded or excessive, in particular if it is repetitive. In such a case, the company may also refuse the request.
If you exercise your rights under this title, the company may need to request certain information from you to help it confirm the identity of the data subject, which is only a precautionary measure to ensure that personal data is not disclosed to unauthorized persons.
If an individual has any questions regarding the processing of his or her personal data, he or she may always contact our company by email at admin@CTX.city or by regular mail to our company address..
Publication of changes
Any changes to the Personal Data Protection Policy will be published on the company’s website: https://www.CTX.city
The updated personal data protection policy was adopted by the company on 30th September 2025.
CTX 