Rights of the Individual

  • Authorised person

    Krka has appointed an authorised person for personal data protection (DPO - Data Protection Officer). In addition to other tasks that are set out in the General Data Protection Regulation, one of the key tasks of the DPO is to establish and implement certain procedures and supervise all procedures that must be performed by Krka to exercise the rights of individuals.


    Terme Krka, d. o. o., Novo mesto

    Novi trg 1

    8000 Novo mesto

    Saša Kos

    E-mail: dataprotection.officer.TK@terme-krka.si


    Rights of the individual

    You can send requests (for access, amendments, deletion and withdrawal of personal consent, limitation of processing and objection to processing) to us personally or in the form of a certified document, which ensures that the right person is exercising their right. The key objectives of the General Data Protection Regulation also include protecting personal data against unauthorised access and ensuring the accuracy of personal data; individuals must therefore accept our identification requirements. Otherwise, any person could request, for example, an extract or correction of the personal data, which could lead to an unauthorised disclosure or use of incorrect personal data.

    When an individual completes the online consent, they will also be able to withdraw their consent, whereby their identity is verified through an e-mail confirmation.

    Each request by an individual will be dealt with and the appropriate procedures will be performed or we will notify them that this is not possible and state the reasons for this.

    Requests should be sent to the above address.



    Records of personal data processing

    Terme Krka have identified all databases that contain individuals’ personal data.

    In the description of each personal data database (i.e. records of processing) we state:

    • The legal basis for the processing of personal data;
    • Categories of individuals to whom the personal data refer;
    • Types of personal data in the personal data database;
    • Purpose of processing;
    • Storage period of the personal data;
    • Users or categories of users of the personal data in the personal data database;
    • Whether the personal data is being transferred to a third country or an international organisation, where and to whom, as well as the legal basis of the transfer;
    • General description of how the personal data is protected:
      • Physical databases and the premises in which the personal data from the database is located;
      • Transferring personal data between databases (interfaces);
      • Who is the owner of the database and who has user rights for the job positions with access to the data;
      • Contractual processors of the personal data;
      • Records of transfers;
      • Description of technical and organisational measures.


    Personal data protection

    Terme Krka, d. o. o., Novo mesto (hereinafter referred to as Terme Krka), as a company controlled by Krka, d.d., commits to respecting all the rules that apply within the Krka Group.


    Terme Krka’s commitment

    Terme Krka commits to the secure and confidential processing of personal data of its employees, guests, contracting parties, website users and other interested persons, and furthermore ensures that the personal data is processed in a legal, fair and transparent manner – by respecting individuals’ rights.


    Personal data protection policy

    To put this commitment into action, Terme Krka adopted new Rules on the Protection of Personal Data, which are harmonised with the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council) and other applicable legislation. The Rules, in conjunction with other internal regulations and measures, represent Krka Group’s policy with which we ensure that we will collect and process personal data for specific purposes and to the smallest extent necessary and store them only for the length of time necessary to fulfil the purpose for which they were collected.


    Areas of use

    Our policy applies to anyone who submits any personal data: Terme Krka guests, employees, job candidates, buyers, suppliers, etc.


    Who is affected by this policy

    Generally speaking, this policy applies to anyone we work with or who acts on our behalf and may occasionally need access to personal data. It must be followed by Terme Krka employees and employees of its subsidiary, as well as contractors, consultants and other external personal data processors.


    Parts of the policy

    We must also obtain and process personal data to be able to perform our processes. This information includes any data that enables the identification of a person, such as: names, addresses, usernames and passwords, digital footprint, photographs, ID document numbers, special types of personal data, financial data, etc.

    Our company collects this information in a transparent way and only with the full cooperation and awareness of the interested party. Once we have obtained this information, the following rules apply:


    Our data will be:

    • Obtained honestly and only for legal purposes,
    • Accurate and up-to-date,
    • Processed within legal and moral boundaries,
    • Protected against any unauthorised or illegal access by internal or external parties.

    Our data will not be:

    • Informally forwarded,
    • Stored for more than the determined time,
    • Transferred to organisations or countries that do not have suitable rules on data protection,
    • Communicated to any party that the owner of the data has not given consent to (except for the legal requirements of law enforcement authorities).


    In addition to the appropriate handling of data, Terme Krka also have direct obligations to the people who own the data. In accordance with the General Data Protection Regulation (GDPR) and other applicable legislation relating to personal data protection, Terme Krka will, among other things:

    • Enable any interested party to find out which pieces of their personal data we collect and for what purpose, how long we store them and whether we transfer them to anyone else, etc.;
    • Enable any interested party to correct any of their incorrect personal data;
    • Delete all personal data where the conditions for deletion are met, e.g. if you withdraw your personal consent;
    • Initiate proceedings in cases of lost or damaged data or data at risk.



    We are committed to performing activities such as the following for the protection of personal data:

    • Restrict and supervise access to special types of personal data;
    • Develop and perform transparent data collection procedures;
    • Train employees to be able to perform personal and technical security precautions;
    • Set up a safe network to protect personal data against cyber attacks;
    • Establish clear procedures for reporting privacy violations or misuse of data;
    • Include contract clauses or clear instructions on how we process personal data;
    • Establish good data protection practices (clear desk and clear screen policy, document shredding, secure locking, data encryption, regular safety backups, access authorisations, etc.).


    Terme Krka will adhere to the good data protection practices that apply to the Krka Group.

    Our provisions concerning data protection are set out in the following documents:

    • Special policy for personal data protection on the website;
    • Rules on personal data protection, which define the personal data protection system in more detail;
    • Appendix to the rules on the General procedures on the protection and safeguarding of personal data, which includes a brief description of the technical and organisational measures for protecting personal data;
    • Records of personal data processing – Descriptions of personal data databases.


    Disciplinary consequences

    All principles described in this policy must be strictly followed by all Terme Krka employees. Violations of the rules on data protection may result in disciplinary and other measures.


    Privacy protection

    Conformity with applicable legislation 
    In accordance with the General Data Protection Regulation (EU) 2016/679 and other applicable legislation, Terme Krka is focusing closely on the protection of privacy of information it obtains from the users of this website, and the personal data submitted to Terme Krka by users. We want to make it clear how we collect, store, use and disclose personal data.

    What personal data do we collect on our website? 
    You can visit our website without providing your personal data. You only have to provide personal data if you order any services.

    We only collect personal data when you provide it yourself, for example, when you subscribe to our newsletter, access certain content or take part in a prize draw, when you fill out a form about side effects or make hotel reservations, when you order services by e-mail or make an enquiry about services and similar cases where you have decided to provide us with your personal data.

    In addition to the personal data you provide us with, we also collect data using cookies. This data can contain information about: the website you used to access our website, the websites you visit from our website, and the duration of your visit to our websites. We immediately anonymise the last three numbers of your IP address, which means we cannot identify you by your IP address. With this information, we may be able to determine your identity; however, we do not do this.

    For what purposes do we process the data that you provide us with through the website? 
    The data you provide us or we collect via cookies is processed for the following purposes: for internal statistical purposes and for the purposes of visitor interests, but only in such a way that does not disclose your identity; for identifying server problems and for creating the website; for other purposes that you have requested and have agreed to, unless prescribed otherwise by law.

    Do we send your personal data to other companies? 
    Terme Krka has access to your personal data. It has concluded agreements with all the external providers with whom it cooperates, and these agreements bind them to personal data protection in accordance with applicable legislation.

    Where do we store the personal data you entrust us with through the website? 
    Your personal data is stored on Krka’s servers in the European Union, which we manage ourselves. If the personal data is being stored by contractual partners, they guarantee at least the same level of security as is provided by Terme Krka. We will not forward your personal data in any form to be used by third parties, except for the company that creates the Terme Krka website, or if required to do so by judicial authorities.


    The Terme Krka website is principally intended for adults. If Terme Krka creates online content for minors or products and services for minors, it shall be performed in compliance with applicable legislation and consent shall be obtained from the minor’s parents or guardians.



    A cookie is a small file that is stored on your device when you visit a website and is recognised by the website that issued it. The cookies are used to enable all the functionalities of the website, to customise certain content to your preferences and to improve the website by analysing visits.

    The data collected via cookies is processed solely for statistical purposes and for the purposes of visitor interests, but only in such a way that does not disclose your identity, for identifying server problems and for creating the website.

    Some cookies that we use are temporary, while some cookies remain stored on your device for a specific period even after you leave our website. We use temporary cookies to measure the number of website visitors and we use the stored cookies to store contact details for future visits to our website so that you do not have to register again the next time you visit the website. We also use stored cookies that originate from other websites: these are cookies from YouTube that enable you to watch certain video content on our website, advertising cookies and Google Analytics cookies that we use to see how you use our website, what content you are interested in and how long you stay on our website. On this basis we can create content for the website and customise it to the needs of visitors.

    The majority of browsers automatically accept the use of cookies. You can decline the use of cookies at any time. If you want to decline cookies on your device, you can change the browser settings on your device. To find out more about declining cookies, go to www.aboutcookies.org, and to find out more about Google Analytics go to https://tools.google.com/dlpage/gaoptout.


    Your rights

    Using a request and the instructions on how to exercise your rights published on the page “Rights of the individual”, you can request at any time to access your personal data that we process, to correct them or delete them, object to their processing or limit processing.

    Furthermore, you can unsubscribe from receiving promotional e-mails by clicking “Unsubscribe” in the footer of the received e-mail.

    Changes to the Terme Krka website privacy policy

    Terme Krka reserves the right to change their website privacy policy, therefore we advise that you regularly check it. If any significant changes are made, we will publish a notice in advance on our website.



    Terme Krka uses technical and organisational security measures that protect your data against tampering, loss, destruction or unauthorised access. Since we are aware of its importance, security measures are also integrated into all systems and procedures dealing with personal data databases. When working with databases, we use the most up-to-date technological solutions and approaches that, in combination, ensure a high degree of security regarding the storage and processing of personal data (data encryption, data access policy, recording data accesses, etc.). The infrastructure with continuous supervision safeguards the data from any threats, including viruses and other types of malicious code. We use systems and procedures to detect threats, which help protect the services and ultimately provide a high level of security.