Data Protection Policy

(as last amended Jan 21st, 2026)
Data Protection Policy

1. General

1.1.      The Legal Notice and Terms of Engagement apply in their entirety to this Data Protection Policy. The definitions set forth in the Legal Notice are hereby incorporated by reference and shall apply throughout this document.

1.2.      This policy outlines our approach to the collection, processing, and protection of personal data. We are committed to safeguarding the privacy and security of personal information in accordance with applicable data protection law, including the General Data ProtectionRegulation (GDPR) and Slovenian legislation governing personal data protection.

2. Data Subject

2.1.      A data subject is any natural person(individual) whose personal data are processed by KBP.

2.2.      This policy applies to all data subjects whose personal data we process, including:

·     visitors accessing our website(kbp.si);

·     natural persons seeking legal advice, including prospective clients;

·     clients who engage our legal assistance, including natural persons acting on behalf of legal entities(regardless of their role, capacity, authorisation, or statutes);

·     participants in recruitment processes;

·     any other natural person whose personal data are processed as a result of interaction with KBP.

 

3. Data Controller

The data controller is Law firm Kavčič, Bračun & Partners Attorneys-at-Law, Ltd, with registered office at Trg republike 3, 1000 Ljubljana, Slovenia ("KBP").

 

4. Personal Data Collection and Usage

4.1.      Personal data are any information relating to an identified or identifiable individual.

4.2.      Categories of personal data we may process include:

·     Contact information (e.g.,name, email address, phone number, postal address);

·     Professional details (e.g., job title, role, qualifications, work experience, employer/organisation);

·     Technical information (e.g., IP address, browser type, device identifiers, usage data, should they be so specific to constitute personal data);

·     Special categories of personal data (sensitive data) only where strictly necessary for a particular matter and where a valid legal basis applies (including, where required, explicit consent);

·     Other personal data you choose to share with us for the purpose of potential or actual provision of legal services, during recruitment, and/or during any other interaction with us.

4.3.      We may collect personal data:

·     directly from individuals during consultations, provision of legal services, recruitment, or other interactions (e.g., when you contact us for legal services, sign documents, pay invoices, etc.);

·     automatically through cookies and similar technologies on our website (as described in our Cookie Policy);

·     from third parties, such as your employer/organisation (where relevant), recruitment agencies, publicly available sources, competent authorities, courts, or other parties involved i na matter, as appropriate.

4.4.      Where we are required to collect and process personal data to comply with a legal obligation and/or to establish or perform a contractual relationship, and you do not provide the necessary personal data, we may not be able to provide the requested services or toc onclude/perform a contract. In such cases, we will notify you accordingly.

4.5.      Purposes of processing may include:

·     providing legal services and establishing and maintaining contractual relationships with clients and suppliers;

·     ensuring compliance with legal obligations (e.g., anti-money laundering and counter-terrorist financing checks, keeping records required by law, professional obligations of attorneys-at-law);

·     recruitment and HR management;

·     sending information on legal developments and firm updates (where permitted and/or based on consent);

·     establishing, exercising, or defending legal claims;

·     improving website functionality and user experience, including analytics and security.

4.6.      Use of our website: we may use analytics tools (such as Google Analytics) to understand how visitors interact with the website. The information collected is used to improve performance and user experience. Where you submit personal data through the website (e.g., contact forms or job applications), we use such information to respond to your inquiry and/or manage the relevant process.

 

5. Legal Basis for Processing

5.1.      We process personal data on one or more of the following legal bases, as applicable:

·     Consent: where you have given consent for specific processing activities for specific purposes (e.g.,receiving updates, certain website cookies, recruitment retention beyond standard periods);

·     Contractual necessity: where processing is necessary to take steps at your request prior to entering into a contract or to perform a contract with you or with the entity you represent;

·     Legal obligation: where processing is necessary to comply with obligations imposed by law (e.g.,employment-related obligations, AML/CFT requirements, statutory record keeping, professional obligations);

·     Legitimate interests: where processing is necessary for our legitimate interests (e.g., ensuring network and information security, improving services and website, client relationship management), except where such interests are overridden by your interests or fundamental rights and freedoms.

 

6. Retention of Personal Data

6.1.      We retain personal data only for as long as necessary to fulfil the purposes for which they were collected, in line with applicable legal, contractual, and operational obligations.

6.2.      Retention periods may vary depending on the nature of the data and the reasons for processing. Once the purpose for retaining data has been fulfilled or is no longer applicable, we securely delete or anonymise the information, unless a longer retention period is required by law or is necessary to establish, exercise, or defend legal claims.

·      

7. Data Sharing and Transfers

7.1.      We may share personal data with:

·     trusted service providers(e.g., IT providers, hosting, email, security, accountants) under contractual arrangements imposing appropriate confidentiality and data protection obligations;

·     courts, competent authorities, regulators, or law enforcement agencies where required by law or necessary for the establishment, exercise, or defence of legal claims;

·     independent co-counsel, external experts, translators, and other third parties engaged for a matter where there is a valid legal basis and appropriate safeguards;

·     independent foreign law firms/professionals in cross-border matters where necessary, subject to applicable safeguards.

7.2.      Where personal data are transferred to recipients outside the European Economic Area, such transfers will take place only in compliance with applicable data protection law and using appropriate safeguards (e.g., adequacy decisions, standard contractual clauses, or other recognised transfer mechanisms), as applicable.

 

8. Data Security

8.1.      We implement technical, organisational, and other appropriate measures to protect personal data, including access controls, encryption where appropriate, secure storage, backups, and procedures to maintain confidentiality and integrity.

8.2.      Our personnel are trained to handle data responsibly and are bound by confidentiality obligations applicable to the legal profession.

 

9. Your Rights

9.1.      Depending on the circumstances and subject to applicable law, you may have the right to:

·     Withdraw consent (where processing is based on consent), at any time;

·     Access your personal data and obtain a copy of the data we hold about you;

·     Rectification of inaccurate or incomplete personal data;

·     Erasure (right to be forgotten), subject to legal conditions and exceptions;

·     Restriction of processing, under certain conditions;

·     Data portability (for data you provided, where processing is based on consent or contract and carried out by automated means);

·     Object to processing based on legitimate interests, including certain profiling;

·     Lodge a complaint with the Slovenian supervisory authority for data protection (Information Commissioner of the Republic of Slovenia), if you believe your personal data have been processed in breach of applicable law.

9.2.      To exercise your rights, please contact us using the contact details set out in Section 10.

 

10. Contact Information

For inquiries or to exercise your rights, please contact KBP at info@kbp.si.