The purpose of this Privacy Policy is to inform
individuals, customers, users of products or services, colleagues, employees
and other persons (hereinafter referred to as "the individual") who
interact with the company PIŠEK-VITLI KRPAN, d.o.o. (hereinafter referred to as
"the company") about the purposes, legal bases, security measures and
rights of individuals with regard to the processing of personal data carried
out by the company.
We value your privacy and always protect your data
carefully.
We process personal data in accordance with applicable
data protection legislation and other legislation that provides a legal basis
for our processing of personal data.
Any changes to this document will be published on our
website. By using the website, you acknowledge that you have read and
understood the entire content of this Privacy Policy.
Personal Data Controller:
PIŠEK-VITLI KRPAN proizvodnja kmetijskih in gozdarskih
strojev, d.o.o.
Jazbina 9A
3240 Šmarje pri Jelšah
e-mail: info@vitli-krpan.com
telephone: +386 / (0)3 819 00 90
Website:
https://www.vitli-krpan.com/
1) Personal data
Personal data
means any information relating to an identified or identifiable natural person;
an identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person.
2) Purposes of processing and the basis for processing
The company
collects and processes personal data on the following legal bases:
- the processing is necessary for compliance with a
legal obligation to which the controller is subject;
- processing is necessary for the performance of a
contract to which the data subject is party or in order to take steps at
the request of the data subject prior to entering into a contract;
- the processing is necessary for the legitimate
interests pursued by the controller or by a third party;
- the data subject has given consent to the
processing of his or her personal data for one or more specific purposes;
- processing is necessary
in order to protect the vital interests of the data subject or of
another natural person.
Buying goods and services in a physical shop
When an individual makes a purchase in a physical
shop, it can be carried out without processing personal data, unless the nature
of the purchase makes it necessary to process personal data in order to carry
it out.
The legal basis for data processing is the contract.
The retention period is until the purpose of the contract has been fulfilled or
up to 6 years after termination of the contract.
Buying goods and services in an online shop
The company processes personal data in the context of
an online transaction in an online shop, when an individual
submits an online form and registers an account (creates a user account).
When an individual registers an account or makes a
purchase as a registered user, he or she enters into a contract with the
company regarding provision of services to registered users. The types of
personal data processed when registering an account are: first name, last name,
delivery addresses, e-mail address, telephone number, data on ordered/purchased
products, data on favourite products, payment data, data on discounts obtained
or other data provided by the user in his/her profile. When a user account is
registered, personal data is stored in the user's profile. In addition to the
above purposes, the data are also processed for the purposes of automated order
fulfillment, displaying purchase history, evaluating the offer, improving the
services and offers of the online shop, increasing customer satisfaction, and
for the purposes of studying user habits as well as for the purpose of creating
special offers and benefits intended only for registered users.
The legal basis for data processing is the contract.
The retention period is until the purpose of the contract has been fulfilled or
up to 6 years after termination of the contract.
Implementation of the contract
In cases where an individual enters into a contract
with the company, this constitutes a legal basis for the processing of personal
data. Personal data may thus be processed by the company for the conclusion and
performance of a contract, such as the sale of goods and services, the
preparation of an offer, participation in various programmes, etc. If the data
subject does not provide personal data, the company cannot conclude the
contract, nor can the company perform the service or deliver the goods or other
products in accordance with the contract, as it does not have the necessary
data to perform the contract. On this basis, the company shall process only and
exclusively the personal data necessary for the conclusion and proper
performance of the contractual obligations.
The legal basis for data processing is the contract.
The retention period is until the purpose of the contract has been fulfilled or
up to 6 years after termination of the contract, except in cases where there is
a dispute between the individual and the company in relation to the contract.
In such a case, the company shall keep the data for 10 years after the final
decision of the court, arbitration or court settlement or, if there was no
court dispute, for 5 years from the date of amicable settlement of the dispute.
Legitimate interest
The company
may also process personal data on the basis of a legitimate interest pursued by
the company. This is not permitted when such interests are overridden by
the interests or fundamental rights and freedoms of the data subject which
require protection of personal data. In the case of using legitimate interest,
the company will carry out an assessment in accordance with the law. The
processing of personal data of individuals for direct marketing purposes is
regarded as carried out for a legitimate interest.
The company
may process personal data of individuals collected from publicly available
sources or in the course of the legitimate exercise of its activities,
including for the purposes of offering goods, services, employment, information
about benefits, events, etc. To achieve these purposes, the company may use
ordinary mail, telephone calls, e-mail and other means of telecommunication.
For direct marketing purposes, the company may process the following personal
data of individuals: name and surname of the individual, address of permanent
or temporary residence, telephone number and e-mail address. For direct
marketing purposes, the company may also process the personal data referred to
above without the explicit consent of the data subject. The individual may at
any time request the cessation of such communication and processing of personal
data and may cancel the receipt of communications by using the unsubscribe link
in the communication received or by sending a request by e-mail or ordinary
mail to the company's address.
The legal
basis for data processing is legitimate interest. The data will be processed
until the individual withdraws consent for receipt of communication or until the
purpose of the processing is fulfilled. The withdrawal of consent does not
affect the lawfulness of processing based on consent before its withdrawal.
Processing on the basis of approval or consent
If the company does not have a legal basis based on
the law, a contractual obligation, a legitimate interest or the protection of
the life of the individual, it may ask for the individual's approval or
consent. It may also process certain personal data of the data subject for the
following purposes if the data subject gives his or her consent:
- the home address and email address (for information
and communication purposes);
- photographs, videos and other content relating to the
individual (e.g. posted images of individuals on the website for the purposes
of documenting activities and giving information to the public on the work and
events of the company);
- other purposes for which the individual gives his or
her consent.
If the data subject has given his or her consent to
the processing of personal data and at some point no longer wishes to do so, he
or she may revoke his or her consent to the processing of personal data by
sending a request by e-mail or by ordinary mail to the company's address. The
withdrawal of consent shall not affect the lawfulness of processing based on
consent before its withdrawal. Upon receipt of the withdrawal of consent or a
request for deletion, the data shall be deleted within 15 days. The company may
also delete this data before cancellation where the purpose of the processing
of personal data has been achieved or where required by law.
Exceptionally, the company may refuse a request for
erasure on the grounds set out in the GDPR in cases of exercising the right to
freedom of expression and information, compliance with a legal obligation to
process, reasons of public interest in the field of public health, archiving
purposes in the public interest, scientific or historical research purposes,
statistical purposes, the exercise or defence of legal claims.
The legal basis for the processing of data is consent.
The data will be processed until the consent is withdrawn or until the purpose
of the processing is fulfilled. The withdrawal of consent shall not affect the
lawfulness of processing based on consent before its withdrawal.
Protecting the vital interests of the individual
The
company may process the personal data of the data subject insofar as this is
necessary to protect his or her vital interests. In urgent cases, the company
may search for an individual's identity document, check whether that person
exists in its database, examine the individual's medical history or contact the
individual's relatives, without the need for the individual's consent. This
applies where it is strictly necessary for the protection of the vital
interests of the individual.
3) Video surveillance
Video surveillance is provided by the
organisation. Video surveillance (cameras are installed around the entrances to
the organisation and in the organisation itself) is used to monitor entrances
and exits to and from the premises (based on Article 77 of ZVOP-2). We also
carry out video surveillance for the purpose of protecting individuals (users,
employees and visitors) and the property of the organisation (based on
legitimate interest as defined in Article 6(1)(f) of the GDPR). Recordings are
kept for a maximum of 30 days. We do not carry out video surveillance in a way
that would have a particular impact on the individual. Video surveillance
enables any action to be recorded in real time. For information on video
surveillance, please contact the company
by phone or email. The rights of individuals are described in this Privacy
Policy.
Video surveillance is carried out by a contractual
processor: HSI inovativne in tehnične rešitve d.o.o., Novo mesto.
4) Retention and deletion of personal data
The company
will only keep personal data for as long as necessary to fulfil the purpose for
which the personal data was collected and processed. If the company processes
the data on the basis of the law, it will keep the data for the period
prescribed by the law. In this case, some data is retained for the duration of
cooperation with the company, while other data must be retained permanently.
Personal data processed by the company on the basis of a contractual
relationship with an individual shall be kept by the company for the period
necessary for the performance of the contract and for a period of 6 years after
its termination, except in cases where there is a dispute between the
individual and the company in relation to the contract. In such a case, the
company shall keep the data for 10 years after the final decision of the court,
arbitration or court settlement or, if there was no court dispute, for 5 years
from the date of amicable settlement of the dispute. The personal data that is
processed by the company on the basis of the individual's personal consent or
legitimate interest will be kept by the company until the consent is withdrawn
or until a request for deletion of the data is made. Upon receipt of a
withdrawal of consent or a request for deletion, the data shall be deleted
without undue delay. The company may also delete this data before cancellation
where the purpose of the processing of personal data has been achieved or where
required by law. When an individual is exercising his or her rights, the company
shall keep the personal data of that individual until the final decision has
been made, and after the final decision, in accordance with the final decision
in the case.
Exceptionally, the company
may refuse a request for erasure on grounds such as: the exercise of the right
to freedom of expression and information, compliance with a legal obligation to
process, grounds of public interest in the field of public health, archiving
purposes in the public interest, scientific or historical research purposes or
statistical purposes, the exercise or defence of legal claims. After the
retention period, the company must effectively and permanently erase or
anonymise the personal data so that it can no longer be linked to a specific
individual.
5) Contractual processing of personal data and data export
The company
may entrust individual types of processing of personal data to a contractual
processor on the basis of a contractual processing agreement. Contract
processors may process the entrusted data solely on behalf of the controller,
within the limits of the controller's authorisation, as set out in a written
contract or other legal act, and in accordance with the purposes set out in
this Privacy Policy.
The company mainly cooperates with the following
contractual processors:
- accounting services and other providers of legal and
business advice;
- infrastructure maintenance (video surveillance,
security services);
- maintenance personnel of IT systems;
- providers of email services, software and cloud
services (e.g. Microsoft, Google);
- providers of social networking and online advertising
(Google, Facebook, Instagram, etc.);
- providers of personalised products
(printing/embroidery), etc.
In order to improve the overview and control of the
contractual processors and the arrangement of the contractual relationship
between them, the company also maintains a list of contractual processors,
which lists all the specific contractual processors with which the company
cooperates.
Under no circumstances will the company disclose the
personal data of an individual to unauthorised third parties. Contract
processors may only process personal data within the scope of the company's
instructions and may not use personal data for any other purpose.
The company as controller and its employees do not
export personal data to third countries (outside the Member States of the
European Economic Area – EU Member States plus Iceland, Norway and
Liechtenstein) and to international organisations, except to the USA, where the
relationship with US contract processors is governed by standard contractual
clauses (standard contracts adopted by the European Commission) and/or binding
corporate rules (adopted by the company and approved by the supervisory
authorities in the EU).
6) Cookies
The company's website operates with the help of
so-called cookies, which are important for the provision of online services and
are used to store information about the status of a particular website, to help
collect statistics about users and website traffic, etc. When you enter a
website, only those cookies that are strictly necessary for the website to
function (e.g. for the shopping basket) are placed on your device. Other
cookies will only be placed with the consent of the individual. You can
change your settings and delete cookies at any time (instructions can be found
on the web pages of each browser).
Cookies
are regulated in more detail on the website https://www.vitli-krpan.com/en/cookie-policy.
7) Data protection and accuracy of the data
The company
manages information security as well as infrastructure security (of the
premises and application system software). Our IT systems are protected by,
among other things, an antivirus program and a firewall. We have put in place
appropriate organisational and technical security measures to protect personal
data against accidental or unlawful destruction, loss, alteration, unauthorised
disclosure or access, and against other unlawful and unauthorised forms of
processing. In the case of specific types of personal data, we provide them in
encrypted and password-protected form. It is the individual's responsibility to
ensure that his or her personal data is provided securely and that the data
provided is accurate and reliable.
8) Rights of the data subject with regard to data processing
The data subject shall have the right to request
access to personal data as well as rectification or erasure of personal data
which concern them, or the restriction of processing relating to them, as well
as the right to object to processing and the right to data portability. The
request of the data subject shall be treated in accordance with the provisions
of the General Regulation and the applicable data protection legislation.
You can exercise all of these rights and raise any
questions by sending a request to the company. The company will respond to the
individual's request without undue delay, no later than one month after
receiving the request. This time limit may be extended by up to two additional
months, taking into account the complexity and number of requests, and the
individual will be informed of this, together with the reasons for the delay.
Exercising rights is free of charge for the individual, but the company may
charge a reasonable fee if the request is manifestly unfounded or excessive, in
particular if it is repetitive. In such a case, the company may also refuse the
request. If there is any doubt about the identity of an individual, additional
information may be requested that the company needs to establish the identity.
In the
decision on the request, the company will also inform the individual of the
reasons for the decision and of his or her right to lodge an appeal with the
supervisory authority within 15 days of being informed of the decision. The
right to lodge a complaint with the supervisory authority may be exercised by
lodging a complaint with: the Information Commissioner of the Republic of
Slovenia at: Dunajska 22, 1000 Ljubljana (e-mail: gp.ip@ip-rs.si, website:
www.ip-rs.si).
The Privacy Policy is valid from 01/10/2023.
PIŠEK – VITLI KRPAN, d.o.o.
Director Franc Pišek