Policy on Customer Data Usage for Machine Learning

1. Purpose

This policy regulates the collection, processing, and use of customer data by CALMS d.o.o. for the purpose of developing and improving machine learning (ML) models, in compliance with the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) and Slovenian ZVOP-2 (Zakon o varstvu osebnih podatkov).


CALMS may use customer data for ML purposes only based on one or more of the following lawful grounds:

  • Consent (Art. 6(1)(a) GDPR): Explicit, informed consent from the customer.
  • Contractual necessity (Art. 6(1)(b)): Data required to provide services described in the agreement.
  • Legitimate interest (Art. 6(1)(f)): Improving energy management tools, provided there is no overriding risk to individual rights.

⚠️ If personal data is used (e.g., names, emails, identifiable operational patterns), consent or anonymization is required.


3. Data Minimization & Anonymization

  • Only necessary data will be used.
  • Personal identifiers must be anonymized or pseudonymized before use in ML.
  • CALMS commits to using aggregated data whenever possible.

4. Customer Transparency & Rights

Customers must be informed via the privacy policy or service agreement about:

  • What data is collected
  • Why it is used (ML model training, product improvement)
  • Data retention period
  • Their rights (access, correction, deletion, objection)

Opt-out or withdrawal of consent must be easy and accessible.


5. Data Sharing & Sub-processors

  • No customer data may be shared with third parties unless under a DPA (Data Processing Agreement).
  • If ML services are run via cloud (e.g., Azure, AWS), only GDPR-compliant providers will be used.

6. Data Retention

Data used for ML training will be stored:

  • For a defined period based on the project lifecycle
  • For a longer period in the case of anonymized training data, provided it cannot be linked to individual customers

7. Security Measures

  • End-to-end encryption of data in transit and at rest
  • Access restricted to authorized personnel
  • Periodic audits and model bias testing

8. Regulatory Compliance

CALMS appoints a Data Protection Officer (DPO) as required by ZVOP-2. Any data breach or misuse must be reported within 72 hours to the Slovenian Information Commissioner (IP-RS) and affected users.


9. Policy Review

This policy is reviewed annually or upon major changes in law or technology.


GDPR Compliance and Clarification

10. Scope of Data Collected

CALMS d.o.o. does not collect or process personal data as defined under Article 4(1) of the GDPR. All data used for machine learning and analytics are:

  • Non-personal
  • Related to companies, equipment, or systems
  • Publicly available or collected through explicit customer agreement

Examples include:

  • Compressor type, energy consumption, pressure profiles
  • Site-level performance data
  • Company name, location (if already public or anonymized)

11. Position under GDPR

Since no personally identifiable information (PII) is collected, CALMS is not acting as a controller or processor of personal data and is therefore not subject to the full set of GDPR obligations, such as:

  • Data subject rights (access, erasure, etc.)
  • Data Protection Impact Assessments (DPIA)
  • Appointment of a DPO (unless future processing includes personal data)

However, CALMS still adheres to GDPR principles of:

  • Lawfulness and transparency
  • Purpose limitation and data minimization
  • Security and accountability

12. Future Considerations

If CALMS ever introduces features that collect personal data (e.g., user accounts, contact details, logins), a separate GDPR-compliant policy and consent mechanism will be introduced.


📄 Adopted by: Gorazd Bregar, CEO
📅 Date: 23 April 2025
📍 CALMS d.o.o., Ljubljana, Slovenia; CALMS Air Inc., USA
