Personal data protection policy
1) About personal data protection policy
– contact information of the company and contact information of the responsible person for data protection
– purposes, bases and types of processing of various types of personal data of individuals, including profiling individuals’ personal data,
– transfer of data to third parties and third countries,
– the time of retention of individual types of personal data,
– the rights of individuals relating to the processing of personal data,
– the right to lodge a complaint concerning the processing of personal data.
Where applicable, the provisions concerning individuals shall also apply to the secrecy and confidentiality of the communication carried out by individuals as legal persons.
2) Personal data controller and the responsible person for data protection
Official company name: Mizarstvo Košnik, d.o.o.
Head office: Dvorje 34, 4207 Cerklje na Gorenjskem, Slovenia
Responsible person in the company (legal representative or a representative): Janez Košnik, chief manager
Representative: Luka Oblak
Contact address and phone of TEGLC responsible person for data protection
Luka Oblak, Phone: 00386 30 928 028, E: firstname.lastname@example.org
3) The purpose and bases for data processing
Processing under a contract:
The controller processes your personal data for the purpose of notification of any new website content (subscribing to the Teglc newsletter, information on new conditions, informing about events, news…), for direct marketing purposes and for segmentation.
In the framework of exercising the contractual rights and meeting the contractual obligations, the controller processes individuals’ personal data for the following purposes:
Email address and name (for communication purposes, sending newsletters, advertising on Facebook, Instagram and Linkedin)
Home address (for performing purchase contract obligations – making and sending invoices)
Company details (for performing purchase contract obligations – making and sending invoices)
Processing under the law:
The controller processes your personal data for the purpose of concluding, exercising, monitoring and cancelling a subscription.
Traffic data shall mean any data processed for the purpose of conveying a communication on an electronic communications network or for the billing thereof. It includes, for example:
– Customer’s name and surname
– Phone number
– Home address
– Company details (optional)
Other purposes of processing may arise from the current legislation, such as border crossing notifications in accordance with the rules governing national roaming.
Processing of personal data, based on the controller’s legitimate interest:
The controller may also process the data on the basis of the legitimate interest pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require the protection of personal data, in particular where the data refers to a child. In the case of further use of data collected on the individual, the controller shall make an assessment in accordance with the General Data Protection Regulation. Such further use of data in a pseudonymized or aggregated form represents, for example, the lawful use of data for marketing and other business or technical analysis of the controller. Deletion of certain data may also be used as an additional measure in some forms of further use of traffic data.
The individual may object to such processing in accordance with point 6 /iv of the Policy.
On the basis of a legitimate interest, the controller can contact the individual for the purpose of improving the services by determining their satisfaction with the services or user experience, even in cases where this is not strictly necessary for the performance of the contract. For the purpose of weighing this interest against the interests of individuals, the controller does not contact again individuals who have objected to this.
The controller shall store aggregated traffic data, including roaming information, for the purpose of determining the prevailing domestic consumption or the prevailing domestic presence of an individual in Slovenia for a period of six months.
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems. This could, for example, include preventing unauthorized access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems. This may involve the processing of network diagnostic data (technical data or readings from equipment) and data on the history of diagnostic tools that could make it possible to re-identify an individual.
The controller has a legitimate interest to anonymize or aggregate the data up to the expiry of the legal retention period and continue to use it for analysis and research purposes for marketing, network planning and the like.
Other legitimate interests may include preventing any fraud, the enforcement of claims or defence against claims in administrative and judicial proceedings. A legitimate interest also includes legal verification of individuals’ ability to pay.
The controller may, in the event of a suspicion of misuse, process, in an appropriate and proportionate manner, user data on the individuals for the purpose of identifying and preventing any fraud or misuse, and may, where appropriate, also forward this information to other operators, such as business partners, the police, the public prosecutor or other competent authorities. In order to prevent future abuse or fraud, data on the history of identified abuses or fraud in connection with the individuals, shall be kept for five years after the termination of business relationship.
The controller reserves the right to process data on the fulfilment of contractual obligations of individuals (data on payment of invoices) to improve the quality of its services.
Processing on the basis of consent to the processing of personal data:
Data processing can also be based on your consent which you have provided to the company. Consent may, for example, relate to the notification about offers and services, tailor-made offers according to your user customs, or to providing a value-added service. Communication is carried out via the channels that you have selected in your consent. Communicating via the email address includes sending the email to an external processor with the purpose of showing advertisements while browsing the internet.
The individuals who the personal data refer to can either withdraw or alter their consent at any time, in the same way as it was given, or otherwise, as defined by the controller, whereby the controller reserves the right to identify the customer. The withdrawal or amendment of consent refers only to data, processed on the basis of your consent. Your most recent consent received shall be valid. The possibility of revoking a consent does not constitute an entitlement to withdraw from the business relationship of the individual with the controller.
Consent may be given by one of the parents, a foster parent or a guardian of a minor child who cannot give it himself or herself, in accordance with the current legislation. Such consent shall be valid until one of the parents, a foster parent, a guardian, or the child himself or herself, once he or she obtains this right in accordance with current law, revokes or changes it.
4) Transfer of data to third parties and transfer of data to third countries (outside of the European Union or European Economic Area)
Personal data collections are stored by the controller in the area of the Republic of Slovenia, and are not transferred to other countries, except for personal data for delivery purposes (only in case of shipping to other countries). Delivery personal data are explicitly submitted to the courier service only. How the courier service handles delivery personal data is not within the competence of the controller.
The controller can, subject to the purpose for which personal data are processed in compliance with the EU law and Slovenian regulations, transfer individuals’ personal data to:
(i) persons who perform some processing tasks for the controller, such as preparing and sending invoices or data analytics, maintenance and development of services, where these tasks involve – within the necessary extent – the processing of personal data.
(ii) persons who perform sales and marketing services for the controller, including sales and marketing in the field, or cooperate with the controller in the area of marketing and sales of their own services or services of third parties, to the extent necessary for such tasks as part of the purposes and the bases, defined in this Policy.
If the controller merges with or is acquired by another company, the personal data are – in compliance with the law – transferred to the acquirer. By using our services, you consent to further processing of your personal data by the acquirer.
5) Period of personal data storage
For the purpose of fulfilling contractual obligations, the accounting data and the associated contact details of individuals may be kept until the full payment for the service or at the latest until the expiration of the limitation period in respect of an individual claim, which may legally last from one to five years. Invoices are kept for 10 years after the expiration of the year that the invoice relates to in accordance with the law governing value-added tax.
If traffic data are processed on the basis of an individual’s consent for the purpose of marketing services, the sale of goods or the provision of value-added services, these data can be processed within the necessary extent as long as it is necessary for this marketing or service.
6) The rights of individuals relating to the processing of personal data
The controller guarantees the exercise of your rights without undue delay. We will decide on your request within one month of receiving it. In the case of complexity and a greater number of requests, the deadline may be extended by up to two additional months. If the controller extends the deadline, you will be notified of any such extension within one month of receiving the request along with the reasons for the delay.
We accept requests regarding the exercise of your rights at email@example.com or by post to Luka Oblak, Predoslje 125, 4000 Kranj, Slovenia.
When submitting an application by electronic means, you will be, whenever possible, provided with information electronically, unless you request otherwise.
Where there is reasonable doubt as to the identity of the individual who submits a claim relating to one of their rights, the controller may request the provision of additional information necessary to confirm the identity of the individual.
Where requests from an individual are manifestly unfounded or excessive, in particular because of their repetitive character, the company may:
– charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested; or
– refuse to act on the request.
You as a subject have the following rights concerning personal data protection:
(i) right of access to data,
(ii) right to rectification,
(iii) right to erasure (‘right to be forgotten’),
(iv) right to restriction of processing,
(v) right to data portability,
(vi) right to object.
(i) right of access to data
Individuals shall have the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and where that is the case, access to the personal data and the following information:
– the purposes of the processing;
– the categories of personal data concerned;
– the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
– where possible, the envisaged period for which the personal data will be stored; or if not possible, the criteria used to determine that period;
– the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning individuals or to object to such processing;
– the right to lodge a complaint with a supervisory authority;
– where the personal data are not collected from individuals, any available information as to their source;
– the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for individuals.
Upon your request, the controller will provide a copy of your personal data undergoing processing. For any further copies requested by data subjects, the controller may charge a reasonable fee based on administrative costs.
(ii) right to rectification
Individuals shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, individuals shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
(iii) right to erasure (‘right to be forgotten’)
Individuals shall have the right to obtain from the controller the erasure of personal data concerning them without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds apply:
– the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
– individuals withdraw consent on which the processing is based and where there is no other legal ground for the processing;
– individuals object to the processing based on a legitimate interest of the controller and there are no overriding legitimate grounds;
– individuals object to the processing for direct marketing purposes;
– the personal data have to be erased in compliance with legal obligation under EU or Slovenian law;
– the personal data have been collected in relation to the offer of information society services directly to a child, who pursuant to existing legislation is not allowed to provide such data.
Where the controller has made the personal data public, it shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that individuals have requested the erasure by such controllers of any links to, or copy or replication of those personal data.
(iv) right to restriction of processing
Individuals shall have the right to obtain from the controller restriction of processing where the following applies:
– the accuracy of the personal data is contested by individuals for a period enabling the controller to verify the accuracy of the personal data;
– the processing is unlawful and individuals oppose the erasure of the personal data and request the restriction of their use instead;
– the controller no longer needs the personal data for the purposes of the processing, but they are required by individuals for the establishment, exercise or defence of legal claims;
– individuals have objected to processing pending the verification whether the legitimate grounds of the controller override those of individuals.
(v) right to data portability
Individuals shall have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
– the processing is based on consent or on a contract; and
– the processing is carried out by automated means.
(vi) right to object
Individuals shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is based on legitimate interests pursued by the controller or a third party. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of individuals or for the establishment, exercise or defence of legal claims. Where personal data are processed for the purposes of direct marketing, individuals should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing. If direct marketing is based on consent, the right to object can be exercised by withdrawing the given consent.
(vii) right to lodge a complaint concerning the processing of personal data
You may send any complaints related to the processing of your personal data to the email address firstname.lastname@example.org or by post to Luka Oblak, Predoslje 125, 4000 Kranj, Slovenia.
If you believe that the processing of your personal data violates Slovenian or EU regulations in the field of personal data protection, you also have the right to lodge a complaint directly with the Information Commissioner.
If you have exercised the right of access to the information and if, after receiving the decision, you believe that the personal data you received is not the personal information you requested or that you did not receive all the required personal information, you can lodge a reasoned complaint with the company within 15 days, before submitting a complaint to the Information Commissioner. The controller needs to decide on your complaint as a new request within five business days.
This Policy is published on the shop.teglc.com website and is valid from 25/5/2018.
We will do everything in our power to assist you in exercising your rights.