PRIMA IP invalidsko podjetje d.o.o. (Prima IP Disability Enterprise), Brnčičeva ulica 31, 1231 Ljubljana – Črnuče, Slovenia, e-mail email@example.com (hereinafter: PRIMA IP or the provider or controller of personal data) protects your personal data in a manner that ensures its protection throughout the business process.
All our activities related to the processing of personal data are in accordance with the applicable European legislation (in particular Regulation (EU) 2016/697 on the protection of individuals with regard to the processing of personal data and the flow of such data), the Council of Europe conventions (ETS No. 108, ETS No. 181, ETS No. 185, ETS No. 189) and the national legislation of the Republic of Slovenia (Personal Data Protection Act (ZVOP-1, Official Gazette of the Republic of Slovenia, No. 94/07), the Electronic Commerce on the Market Act (ZEPT, Ur. L. RS, nos. 96/09 and 19/15), etc.).
The controller and the data protection officer
The controller of personal data is the company PRIMA IP invalidsko podjetje d.o.o. (Prima IP Disability Enterprise), Brnčičeva ulica 31, 1231 Ljubljana – Črnuče, Slovenia.
Personal data means any information on the basis of which an individual can be identified (this includes, for example, name, surname, e-mail address, telephone number, etc.).
Controller means a legal entity that determines the purposes and means of processing your personal data.
Processor means a legal or natural person who processes personal data on behalf of the controller.
Processing means the collection, storage, access and all other forms of use of personal data.
EEA means the European Economic Area, which designates all the Member States of the European Union, Iceland, Norway and Liechtenstein.
Personal information is information that identifies you as an identified or identifiable individual. An individual is identifiable when he or she can be identified directly or indirectly, in particular by providing an identifier such as a name, identification number, location data, web identifier, or by indicating one or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
The provider, in accordance with the purposes defined below in this policy, collects the following personal data:
- basic information about the user (name and surname, address of residence, date of birth, location);
- contact details and information about your communication with the operator (email address, telephone number, date, time and content of postal or email communication, date, time and duration of telephone calls, recordings of telephone calls);
- channel and campaign – the method of acquiring a member or the source through which the user came into contact with the manager (website and advertising campaign or campaign, call centre, physical store);
- data on the user’s purchases and issued invoices (date and place of purchase, purchased items, prices of purchased items, total purchase amount, method of payment, delivery address, number and date of invoice, code of the person who issued the invoice, etc.) and data on resolving product complaints;
- information on the user’s use of the operator’s website (dates and times of website visits, visited pages or URLs, time spent on each page, number of pages visited, total time of the website visit, settings on the website) and information on the use of received messages (e-mail, SMS) by the operator;
- personal data voluntarily provided by the user by filling in forms, e.g. in the context of sweepstakes or the use of configurators to identify optimal products for the user’s needs;
- other data that the user voluntarily provides to the provider upon request for certain services, insofar as this information is necessary for the provision of the service. The provider does not collect or process your personal data, except when you allow it or consent to it, e.g. through the use of the website, when ordering products or services, when you subscribe to receive an e-magazine, participate in a prize draw, etc. The provider also processes your data when there is a legal basis, a contractual basis for the collection of personal data or when the provider has a legitimate interest in the processing.
The provider only collects personal data that is relevant and necessary in order to fulfill the purposes for which this data is processed.
The time period for which the Provider keeps the collected data is defined in more detail in the chapter Storage of personal data in this Policy.
Legal basis for data processing
The provider collects and processes your personal data on the following legal bases:
- Processing by law
- Contract processing
- Processing based on individual consent
- Processing on the basis of a legitimate interest
We need your information when necessary for the conclusion, implementation and fulfillment of contractual obligations. The provision of personal data is voluntary in this case. If you do not provide the personal data, you cannot enter into a contract with the provider, nor can the provider provide you with services or products.
Processing based on consent
We process your data when you give us your explicit consent. When processing is based on consent, we will make sure that you have all the information you need to make your decision. You can revoke your consent at any time. If you revoke your consent, the service provider will not be able to provide you with some of the services.
Processing on the basis of a legitimate interest
The provider may also process data on the basis of a legitimate interest pursued by the provider, except when such interests are outweighed by the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data. In the case of a legitimate interest, the provider always performs an assessment in accordance with the General Data Protection Regulation.
In the case of processing on the basis of a legitimate interest, the user has the right to object. You can read more about your rights below in the policy.
Processing by law
We process your personal data when such processing is required of us by legislation that binds us (e.g. tax legislation requires the storage of issued invoices). We process this personal data in accordance with the requirements of the law.
Purposes of personal data processing
The provider collects and processes your personal data for the following purposes:
Purpose of processing
- Communication with you regarding the provision of our services and responding to your inquiries
- Conclusion and the fulfillment of obligations arising from the concluded contract
- Direct notification of customers about special offers, discounts and other content via email
- General statistical processing of data on customers and their orders and potential customers (contacts) for the purposes of the internal analysis of sales, repurchases, aggregate customer behaviour, advertising optimization and business optimization;
- Automatic e-mail communication with the user based on his or her start of the online buying process;
Storage of personal data
The provider will only keep your personal data as long as necessary to achieve the purpose for which the personal data was collected.
The personal data that the Provider processes on the basis of the law, the Provider keeps for the period prescribed by law.
The personal data that the Provider processes due to the performance of the contractual relationship with the individual, shall be kept by the Provider for the period necessary for the execution of the contract and for 5 years after its termination, except in cases where there is a dispute between you and the Provider; in such a case, the Provider shall keep the data for 5 years after the court or arbitration decision or settlement has become final or, if there has been no litigation, for 5 years from the day of the amicable settlement of the dispute.
The personal data that the Provider processes on the basis of the personal consent of the individual is kept permanently by the Provider until the revocation of this consent by the individual. The Provider only deletes such data before the cancellation when the purpose of the personal data processing has already been achieved. At the end of the storage period, the Controller shall delete or anonymise the personal data efficiently and permanently, so that it can no longer be linked to a specific individual.
Contractual processing of personal data
The contractual processors with which the Provider cooperates are:
- accounting service; law firms and other legal advice providers;
- data processing and analytics providers;
- IT system maintainers;
- e-mail providers (e.g. Mailchimp and others);
- payment system providers (such as Adyen, PayPal, PayU, Klarna, Sofort, Multibanco, dotPay and others);
- customer relationship management system providers (e.g. Microsoft);
- online advertising solution providers (e.g. Google, Facebook).
The Provider will not pass your personal data on to unauthorized third parties. Contractual processors may only process personal data in accordance with the Controller’s instructions and may not use the personal data to pursue any of their own interests. The Controller and users do not export personal data to third countries (outside the European Economic Area – EU member states and Iceland, Norway and Liechtenstein) and to international organizations except the US – all contractual processors in the US are included in the Privacy Shield program.
Freedom of choice
The information you provide about yourself is controlled by you. If you choose not to provide your information to the Provider, then we will not be able to provide you with certain services.
Individuals who wish to unsubscribe from the PRIMA IP e-newsletter should notify us at the e-mail address firstname.lastname@example.org. If your personal data changes (postcode, e-mail address, physical address or telephone number), please inform us of the changes at the e-mail address email@example.com.
Automatic recording of information (non-personal data)
Whenever you access the website, general, non-personal information (number of visits, average time of visits to the website, pages visited) is automatically recorded (not as part of the application). We use this information to measure the attractiveness of our website and to improve the content and usability. Your data is not subject to further processing and is not passed on to a third party.
The Provider makes great effort to ensure the security of personal data. Your data is protected at all times from loss, destruction, falsification, manipulation and unauthorized access or unauthorized discovery.
For the protection of personal data, we implement organizational and technical measures, such as:
- employee education;
- supervision of employees and regular inspections of the operation of individual employees;
- careful selection and control of contractual processors;
- backup of electronically stored data;
- regular maintenance and updating of computer equipment;
- adoption of appropriate internal rules and instructions on personal data protection.
Individual rights regarding data processing
Based on your request, we will provide you with the required information or (in accordance with the law) take care of the realization of your rights.
You have the following rights regarding processing:
Right to revoke consent: if, as an individual, you have consented to the processing of your personal data (for one or more specific purposes), you have the right to revoke that consent at any time, without prejudice to the lawfulness of the processing of data carried out on the basis of your consent until its revocation.
Consent may be revoked by a written statement sent to the operator at one of the contacts listed on the website https://www.zascitne-maske.net
Withdrawal of consent to the processing of personal data does not have any negative consequences or sanctions for the individual. However, after revoking the consent to the processing of personal data, the controller may no longer be able to provide one or more of its services to an individual in the case of services that cannot be provided without personal data (e.g. benefits club or personalized information).
Right of access to personal data: as an individual, you have the right to obtain confirmation from the Provider (personal data controller) whether personal data is being processed in relation to you and, where applicable, access to the personal data and certain information (on the purposes of processing, types of personal data, on users, on storage periods or criteria for determining periods, on the existence of the right to rectify or delete data, the right to limit and object to processing and the right to appeal to the supervisory authority, the source of the data, on the existence of automated decision-making, including profiling, the reasons for it and the importance and consequences of such processing for you, and other information in accordance with Article 15 of the GDPR);
Right to correct personal data: as an individual, you have the right to have the provider correct inaccurate personal data about you without undue delay. As an individual, you have the right to supplement incomplete data, including the submission of a supplementary statement, taking into account the purposes of the processing;
Right to delete personal data (“the right to be forgotten”): as an individual, you have the right to have the Provider delete personal data concerning you without undue delay, and the Provider must delete the data without undue delay when one of the following reasons applies:
(a) the data is no longer needed for the purposes for which it was collected or otherwise treated,
(b) if you withdraw your consent and there is no other legal basis for the processing,
(c) if you object to the processing and there are no overriding legitimate reasons for the processing,
(d) the data has been processed unlawfully,
(e) the data must be deleted in order to fulfill legal obligations under EU law or the law of the Member State applicable to the Provider,
(f) data has been collected in relation to offers of information society services.
However, as an individual, in certain cases described in Article 17 (3) of the GDPR, you do not have the right to have the data deleted;
Right to limit processing: as an individual, you have the right to have the Provider restrict processing when there is one of the following cases:
(a) if you dispute the accuracy of the data, for a period that allows the provider to verify the accuracy of the data,
(b) the processing is unlawful and you oppose the erasure of the data and instead request a restriction on their use,
(c) the Provider no longer needs the data for processing purposes, but you need it to enforce and defend legal claims,
(d) you have lodged an objection to the processing until it has been verified that the legitimate reasons of the Provider outweigh your reasons;
Right to data portability: as an individual, you have the right to receive personal data concerning you that you have provided to the Provider in a structured, commonly used and machine-readable form, and you have the right to pass this data on to another provider without being hindered by the Provider to whom the personal data has been provided, when:
(a) processing is based on consent or a contract; and
(b) the processing is carried out by automated means.
As an individual, in exercising this right of portability, you have the right to transfer personal data directly from one controller (provider) to another, where technically feasible;
Right to object to processing: as an individual, you have the right, on grounds relating to your specific situation, to object at any time to the processing of personal data that is necessary for the performance of tasks in the public interest or in the exercise of public authority conferred on the Provider (point (e) of Article 6 (1) of the GDPR) or that is necessary for legitimate interests pursued by the Provider or a third party (point (f) of Article 6 (1) of the GDPR), including profiling based on those provisions; the Provider ceases to process personal data unless it proves compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or for asserting, enforcing or defending legal claims.
Where personal data is processed for marketing purposes, the individual has the right to object at any time to the processing of data relating to him/her for the purposes of such marketing, including the creation of profiles in so far as it relates to such direct marketing; if an individual objects to the processing for direct marketing purposes, the data shall no longer be processed for those purposes.
Where data is processed for scientific, historical or statistical purposes, the individual has the right to object to the processing of data relating to him or her for reasons related to his or her particular situation, unless the processing is necessary for the performance of the task carried out, for reasons of public interest;
The right to lodge a complaint with the supervisory authority: without prejudice to any other (administrative or other) remedy, you as an individual have the right to lodge a complaint with the supervisory authority, especially in the country of your habitual residence, place of work or where the breach allegedly occurred (in Slovenia, it is the Information Commissioner), if you believe that the processing of personal data in relation to you violates the regulations on personal data protection.
Without prejudice to any other (administrative or extrajudicial) remedy, you as an individual have the right to an effective remedy against a legally binding decision of the supervisory authority in relation to it, as well as if the supervisory authority does not consider your complaint or does not inform you about the situation or the decision on the appeal within three months. Proceedings against the supervisory authority shall be subject to the jurisdiction of the courts of the Member State in which the supervisory authority is established.
An individual may address all requests concerning the exercise of personal data rights to the controller, in writing, to one of the contacts listed on the website https://www.zascitne-maske.net
For the purposes of reliable identification in the case of exercising rights in relation to personal data, the Controller may request additional data from the individual, and may only refuse to act if it proves that it cannot reliably identify the individual.
The Controller must respond to a request from an individual exercising his or her rights in relation to personal data without undue delay and within one month of receiving the request at the latest.
Notification to the supervisory authority of a personal data breach
In the event of a breach of personal data protection, the Provider is obliged to inform the competent supervisory authority, except when it is probable that the breach did not endanger the rights and freedoms of individuals. When there is a suspicion that a criminal offense has been committed during the violation, the Provider is obliged to inform the police and/or the competent prosecutor’s office about the violation.
In the event of a violation that may cause a great risk to the rights and freedoms of individuals, the Provider is obliged to immediately inform the data subject or, if this is not possible, without undue delay. The notice to the individual must be in understandable and clear language.
Access to social networks
Through our website, you can access the web plugins defined below, which the provider uses in its operation:
Privacy policies are available at the links below:
- Instagram: https://help.instagram.com/519522125107875
- Facebook: https://www.facebook.com/about/privacy/
- YouTube: https://policies.google.com/privacy?hl=sl