Privacy Policy

This Privacy Policy explains how AWA Systems processes personal data in connection with its website and services, in accordance with the General Data Protection Regulation (GDPR) and applicable EU and national laws.

Data Controller

AWA Systems acts as the data controller within the meaning of Art. 4(7) GDPR for personal data processed in connection with this website and its business activities.

For data protection inquiries or to exercise your rights:

• via Contact Form
• via email: info@awa.si

Data Protection Officer

A Data Protection Officer has not been appointed, as the legal requirements under Art. 37 GDPR are not met.

All data protection matters can be addressed via:
info@awa.si

Scope of Processing

This Privacy Policy applies to personal data processed in connection with:

• use of the website
• communication (e.g. email, contact forms)
• service delivery and project-related activities
• system integration and operational processes

Where necessary for service delivery, systems and related data may be accessed or processed to ensure execution, monitoring, and operational control.

Processing is carried out strictly within defined contractual scope and applicable legal requirements.

Types of Personal Data

Depending on the context, the following categories of personal data may be processed:

• identification and contact data (e.g. name, email address, phone number)
• professional or organizational data (e.g. company, role, project context)
• technical data (e.g. IP address, browser type, device information)
• communication data (e.g. emails, messages, notes)

Special categories of personal data within the meaning of Art. 9 GDPR are not processed unless explicitly required and subject to appropriate safeguards.

Purposes of Processing

Personal data is processed only to the extent necessary for:

• communication and handling inquiries
• preparation and performance of contracts
• service delivery and operational execution
• system design, integration, and coordination
• ensuring system security, monitoring, and reliability
• compliance with legal obligations

Legal Basis

Processing is carried out on the following legal bases:

• Art. 6(1)(b) GDPR – performance of a contract or pre-contractual measures
• Art. 6(1)(f) GDPR – legitimate interests, including communication, system operation, service delivery, and IT security
• Art. 6(1)(a) GDPR – consent, where explicitly obtained

Where processing is based on legitimate interests, these consist in ensuring efficient communication, reliable system operation, and secure service delivery.

Hosting & Infrastructure

This website and related systems are hosted by service providers within the European Union or European Economic Area.

These providers act as processors pursuant to Art. 28 GDPR and are bound by contractual agreements ensuring:

• processing only on documented instructions
• confidentiality obligations
• implementation of appropriate technical and organizational measures

Processors & External Parties

Personal data may be processed by the following categories of recipients:

Processors

(e.g. hosting, email, infrastructure providers)

• engaged under data processing agreements (Art. 28 GDPR)
• processing is limited to defined purposes and scope
• subject to appropriate security and confidentiality obligations

External Parties

In certain cases, external professionals (e.g. legal advisors, accountants, or operational support) may be involved.

In such cases:

• access is limited to what is necessary
• applicable confidentiality and data protection obligations apply
• they act either as independent controllers or processors, depending on the context
• unless explicitly agreed otherwise, they are not considered agents

International Data Transfers

Personal data is processed within the EU/EEA wherever possible.

If transfers to third countries occur, they are carried out only where appropriate safeguards are in place, including:

• adequacy decisions by the European Commission
• Standard Contractual Clauses (SCCs)
• additional safeguards where required

Data Retention

Personal data is retained only for as long as necessary for the respective purposes or as required by law:

• communication data: generally up to 12 months after completion
• contractual data: in accordance with statutory retention obligations (typically 6–10 years)
• technical and log data: generally 30–90 days

After expiry, data is deleted or anonymized unless further retention is required by law.

Disclosure of Data

Personal data is not sold or used for unrelated marketing purposes.

Disclosure takes place only:

• where required by law
• where necessary for contract performance
• where processors or external parties are involved under appropriate legal arrangements

Cookies & Similar Technologies

Only technically necessary cookies are used by default.

Any use of analytics, tracking, or similar technologies is subject to prior user consent where required by law.

Consent mechanisms are implemented in accordance with GDPR and ePrivacy requirements.

Automated Decision-Making

No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.

Children’s Data

This website and services are not directed at children.

Personal data of minors is not knowingly collected.

Data Subject Rights

Data subjects have the following rights under the GDPR:

• right of access (Art. 15 GDPR)
• right to rectification (Art. 16 GDPR)
• right to erasure (Art. 17 GDPR)
• right to restriction of processing (Art. 18 GDPR)
• right to data portability (Art. 20 GDPR)
• right to object (Art. 21 GDPR)
• right to withdraw consent at any time (Art. 7(3) GDPR)

Requests can be submitted via the Contact Form or email: info@awa.si.

Right to Lodge a Complaint

Data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement.

Provision of Personal Data

Provision of personal data may be required for:

• entering into a contract
• fulfilling contractual obligations

If required data is not provided, it may not be possible to establish or perform a contractual relationship.

Data Sources

Where personal data is not collected directly from the data subject, it may originate from:

• business partners
• project participants or stakeholders
• publicly accessible sources

Processing is limited to professional and business-related contexts.

Security Measures

Appropriate technical and organizational measures are implemented in accordance with Art. 32 GDPR, including:

• encryption (e.g. TLS/SSL)
• access control and authentication mechanisms
• system monitoring and logging
• data minimization and segregation

Measures are reviewed and updated as necessary.

Data Protection Principles

Processing is carried out in accordance with the principles set out in Art. 5 GDPR:

• lawfulness, fairness, and transparency
• purpose limitation
• data minimization
• accuracy
• storage limitation
• integrity and confidentiality

Updates

This Privacy Policy may be updated to reflect legal, regulatory, or operational changes.

The current version published on this page applies.

Last updated: 2026-04-20