Privacy in the SKUPONI online system
This document represents the personal data protection policy under the General Data Protection Regulation (GDPR) for Qualitas d.o.o., which acts as a “controller” (hereinafter the Controller).
The operator manages a family of online services (hereinafter Services), intended for advertising, promotion, marketing and sales (skuponi.si). The Manager processes and stores the personal data of service users (hereinafter referred to as the Individual) for its basic operation.
The individual uses the Services offered by the Manager for his own benefit, at his own risk and voluntarily. In the same way, the Individual also shares his personal data with the Manager, as the Manager needs as much information as possible from the Individual to ensure the best possible quality of the Service, or the Individual personalizes the experience in using the Services by providing personal data to the Manager.
The controller is committed to the lawful and correct handling of personal, sensitive and commercially sensitive data, which is essential for the successful operation and quality assurance of the Services.
We are committed to respecting the principles regarding the processing of personal data of Individuals, which are:
- Legality, fairness and transparency
- Purpose limitation
- Minimum amount of data
- Storage restriction
- Integrity and confidentiality
In order to provide quality services and to fulfill legal obligations, the controller must collect the Individual's personal data and store and handle them appropriately and in accordance with the principles for the processing of personal data.
In order to comply with the law, the controller must provide at least one legitimate reason for the processing (collection, use, management or disclosure) of personal data. In some circumstances, the consent of the Individual is not required.
The data protection policy is designed to interpret and ensure compliance with the law. Where there is a possibility of ambiguity, the document tries to explain in detail and understandably, in order to reduce the risk and thus protect the Individual.
The General Data Protection Regulation (GDPR) requires a clear, comprehensible and transparent interpretation of the methods of processing the Individual's personal data, which is explained in this document, thus also proving compliance with the law.
Collection of personal data
The controller ensures the collection of data in accordance with the data protection policy. This applies to personal data collected in person, by telephone or electronically via forms.
In each collection of personal data, the controller ensures, if possible, the presence of clear and understandable explanations to the Individual, what personal data we collect, for what purposes they will be used, what are the consequences of disagreement with the processing of personal data and explanations. personal data shared.
The points listed above ensure that the Individual has sufficient information to submit consent.
There are situations in which the collection of personal data is implicit; such as communication with support by telephone or e-mail, where personal data is strictly necessary to process the request itself.
Storage of personal data
Personal data and records related to Individuals are stored securely, only authorized individuals (employees) have access to this data.
Personal data will only be stored for as long as it takes to process it. Data that is no longer necessary for further processing will be removed in accordance with the law.
Access to Individual data
Each individual has the right to obtain information about the personal data of the Individual, which the Manager keeps about him. The controller will take measures to ensure that this information is up-to-date with questions to the Individual about changes.
All employees of the Manager are obliged to ensure that the personal data of the Individual are real and objective.
The operator will ensure that:
- It has a designated personal data protection officer to ensure compliance with this personal data protection policy
- Anyone who processes personal data understands that by processing this data, they are responsible for following good data protection practices.
- Anyone who processes personal data receives appropriate training in the processing of personal data
- Everyone who processes personal data is adequately controlled
- Anyone who processes personal data shall report suspected or actual misuse of data following the data protection breach reporting procedure.
- Anyone who would like to obtain information about the processing of personal data clearly understands what they need to do to do so
- It clearly presents how it processes personal data
- It will regularly review and correct the procedures and methods of processing personal data so that they comply with the law
- It regularly reviews and evaluates methods and performance related to the processing of personal data
- All employees and contractual employees of the Manager are aware that any abuse or non-compliance with the rules and procedures defined in this document may initiate disciplinary proceedings against them.
Under the General Data Protection Regulation (GDPR), a legal requirement for the processing of personal data is required before personal data can be processed. If there is no other lawful purpose, the Individual must consent to the processing of personal data.
The processing of personal data is considered lawful if:
- The processing of personal data is necessary for the performance of a contract with an Individual, or for entering into a contractual relationship with an Individual. Such an example could be the purchase of a coupon or product and the like
- The processing of personal data is necessary to fulfill legal obligations
- The processing of personal data is necessary to protect the interests of the Individual or another person
- The processing of personal data is necessary for the performance of tasks in the public interest, or for the exercise of official powers vested in the Controller
- The processing of personal data is necessary for the purposes of the legitimate interests of the Controller and does not outweigh any damage to the rights and interests of the individual.
- Processing has the consent of the Individual
A valid consent is considered if:
- Consent is given voluntarily: The individual has the opportunity to choose and control how his personal data can be processed
- Consent is specific and informed: The individual understands all the purposes of the processing of personal data. If there are several different purposes of processing, consent must be given for each of them
- Consent is unequivocal: The individual knows what he agrees with and that he has given consent
- Consent is given as an intentional action of the Individual, for example signature, oral, electronic choice of options
Consent can be implied, for example, by completing a questionnaire. Personal data collected on the questionnaire may only be processed for the purposes described on the questionnaire. Personal data may not be used for other methods of data processing, unless the Individual has given special consent for other methods of data processing.
Consent may be considered as consent to subsequent communication between the Manager and the Individual. For example, in the case of collecting personal data for one type of service, if the Manager offers another, similar service, it is reasonable for the Manager to contact the Individual in connection with another service, if at the same time offer the possibility to revoke consent to communicate in relation to another service.
OBTAINING, STORING AND MANAGING CONSENT
Consent must be clear and recognizable from other matters, written in an understandable form and in clear and understandable language.
It must be clear who agrees, when consent was given, how it was given, what it was given for, and when the Individual terminated the consent.
If the Individual is still interacting with the Manager in a way for which the Individual has already given consent for the processing of personal data, the consent is considered still valid. If the Individual is no longer interacting with the Manager, it may be necessary to request re-consent after the re-interaction, depending on the time elapsed since the last interaction.
Where consent has been obtained in accordance with Directive 95/46 / EC, the Individual is not required to give consent again for the processing of data if the consent has been given in a manner consistent with the conditions laid down in the current GDPR.
The Manager provides the Individual with information about his / her rights in a concise, transparent, understandable and easily accessible form, as well as in clear and simple language, in writing or in e-form. The administrator shall implement the request for rights without undue delay within one month of receiving the request, or a maximum of two additional months later, taking into account the complexity and number of requests.
If the Individual submits the request in electronic form, the response shall, where possible, be provided by the Manager in electronic form.
An individual has the option of filing a complaint with the supervisory body and the option of exercising legal remedies.
If the requirements of the Individual are obviously unfounded or excessive, especially if they are repeated, the Manager may:
- It shall charge a reasonable fee, taking into account the administrative costs of providing the information, communication or implementation of the required action.
- Refuse to act on the request, with the burden of proof being manifestly unfounded or excessive
The Individual has the right to access the following information when Personal Data is obtained from the Individual:
- Identity and contact details of the operator and his representative, if any
- Contact details of the data protection officer, if any
- Purposes of personal data processing, legal basis for their processing
- Legitimate interests pursued by the Manager or a third party
- Users or categories of users of personal data, if any
- Information on possible transfers of personal data to a third country
The Individual has the right to the following information, to ensure fair and transparent processing, when Personal Data is obtained from the Individual:
- The period of retention of personal data, or the criteria used to determine this period
- Existence of the right of the Individual to request withdrawal from the processing of personal data, or correction or deletion of personal data, or restriction of processing, the existence of the right to object to the processing and the right to transfer data
- Where processing is based on consent, the existence of a right to withdraw consent without prejudice to the lawfulness of the processing carried out on the basis of consent until its withdrawal
- Existence of the right to lodge a complaint with the supervisory authority
- Existence of a right to information if the provision of personal data is a statutory or contractual obligation or an obligation necessary for the conclusion of a contract and the possible consequences if such data are not provided
- Existence of automated decision-making, including profiling, reasons, significance and intended consequences
The individual has the right to request confirmation from the Controller if his personal data are processed and how. In the event that his personal data is processed, the Individual has the right to obtain the following information about the processing:
- Purpose of processing
- Types of personal data
- Users or categories of users to whom personal data are disclosed, in particular in the case of users in third countries
- Where possible, the envisaged retention period of personal data, or the criteria according to which the retention period is determined
- Existence of the right to request from the Controller the correction or deletion of personal data, or restriction of the processing of personal data and the existence of the right to object to such processing
- The right to lodge a complaint with the supervisory authority When personal data are not collected from the Individual, information on their sources
- Existence of automated decision making, information on the reasons, meaning and intended consequences
The Individual has the right to be deleted, or the right to be forgotten, whereby the Manager must delete the Individual from storage without undue delay if:
- Personal data are no longer required for the purposes of the processing for which they were collected or otherwise processed
- The individual revokes the consent on the basis of which the processing takes place and there is no other legal basis for further processing
- The individual objects to the processing, and there are no overriding legitimate reasons for the processing
- Personal data has been processed illegally
- Personal data must be deleted in order to fulfill a legal obligation under EU law or the law of a Member State applicable to the Controller
The individual has the right to restrict processing to the Manager in the following cases:
- An individual disputes the accuracy of data for a period that allows the Controller to verify the accuracy of personal data
- The processing is illegal and the individual opposes the deletion of personal data, and instead requests a restriction on use
- The controller no longer needs personal data for the purposes for which they were collected, but the individual needs them to enforce, implement or defend legal claims.
- The individual files an objection and the verification of the legal reasons of the Manager over the reasons of the individual has not yet been completed
Where the processing of personal data is restricted, such personal data, except for the storage, enforcement, execution or defense of legal claims or for the protection of the rights of another natural or legal person, or for the public interest of the EU or a Member State, shall be processed only with the individual's permission.
The controller communicates changes, corrections, deletions or restrictions on the use of personal data to other personal data processors, except in cases when this requires a disproportionate effort or proves impossible.
An individual has the right to receive personal data relating to him held by the Controller in a structured, commonly used and machine-readable form, and the right to pass this data on to another controller without the Controller holding his personal data. information is provided, obstructing where:
- processing is based on consent (or contract),
- processing is carried out by automated means.
The individual has the right to object to the processing of his personal data at any time. In this case, the controller shall cease the processing of personal data, unless he proves the necessary legitimate reasons for the processing that prevail over the interests, rights and freedoms of the individual, or for the assertion, implementation or defense of legal claims.
An individual has the right not to be subject to a decision based solely on automated processing that has legal effects in relation to him or in a similar way significantly affects him. However, it is permissible if the decision is:
- Necessary for the conclusion or implementation of a contract between the Individual and the Manager
- Permitted in EU law or the law of a Member State that applies to the Manager and also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the Individual
- Justified with the express consent of the Individual
The rights of the individual may be restricted by law in the following cases:
- If it is in the interest of national security
- For defense purposes For public safety reasons
- In order to prevent, investigate, detect or prosecute criminal offenses or to enforce criminal sanctions
- In order to protect the independence of the judiciary and the judicial process
- Due to the enforcement of civil claims
Violations of personal data protection
In the event of a personal data breach, the Controller shall notify the competent supervisory authority without undue delay, no later than within 72 hours of notifying the breach, unless it is unlikely that the personal data breach would jeopardize the personal data breach. If the notification has not been given within 72 hours, the Operator shall attach the reasons for the delay to the notification.
The Processor shall notify the Controller without undue delay after becoming aware of the personal data breach.
The notification shall contain:
- Description of the type of infringement,
- the number of Individuals concerned, the types and number of records of personal data concerned
- Name and contact details of the data protection officer
- Description of the likely consequences of the personal data breach
- A description of the measures taken by the Operator to address and mitigate any adverse effects of the breach, if applicable
If the information cannot be provided at the same time, it shall be communicated gradually, without undue delay.
The controller shall document any personal data breach, including the facts relating to the personal data breach, its effects and the measures taken. The documentation shall enable the supervisory authority to verify compliance with this Article.
NOTICE TO AN INDIVIDUAL ON BREACH OF PERSONAL DATA PROTECTION
If it is probable that the personal data breach poses a significant risk to the rights and freedoms of Individuals, the Controller shall without undue delay notify the Individual that the breach has occurred and clearly describe the type of personal data breach in the message and include information and recommendations regarding the breach. .
An individual message is not required if:
- The Controller has already taken appropriate technical and organizational measures to protect personal data, in particular measures to make personal data incomprehensible to anyone not authorized to access it, such as encryption
- The Manager has taken measures to ensure that the high risk to the rights and freedoms of Individuals is unlikely to materialize.
- That would require a disproportionate effort
What personal information do we collect?
The Manager collects and stores the personal data of Individuals, to which the Individual voluntarily submits directly to the Manager when he wants to use the Services provided by the Manager. Typically, this happens at the time of registration for use of the Services.
Alternative situations in which the Manager obtains personal information are sweepstakes, registration for secondary Services (for example, registration for receiving electronic notifications).
In all cases where the Controller collects personal data, there is a legal basis or Individual's consent to the processing of personal data.
The personal data collected by the Manager are obtained in the following situations and are as follows:
- Creating a user profile for the use of the Services, or using at least one of the offered Services. Personal data collected in this way are processed either for the quality of the Service or to meet legal requirements for the Service or entering into a contractual relationship with the Manager, such as purchasing a product, booking a travel arrangement (Name, Surname, Email, Address, Phone number, Date of birth, Primary place, Secondary place, photo). Personal data collected in this way may be mandatory or optional. Mandatory personal data are those without which the normal operation of the Services would be limited or impossible (for example, E-mail), and optional personal data are those that improve the user experience but are not essential to the basic operation of the Service (for example delivery of consignments).
- Request help from customer support either via email, online form, or phone support. Personal data collected in this way are necessary for the processing of the request itself (Name, Surname, E-mail address)
- Registration via electronic form, or registration for electronic news (Electronic address, Name, Surname)
- Participation in sweepstakes, questionnaires or any other participation in activities that require the Individual's personal information
Other ways of collecting personal data, or data with the help of which it is possible to determine the Individual, are:
- User account information. These include coupon codes, purchases and communication related to purchases (inquiries and ratings)
- Data on the use of the Services that are automatically collected during the use of the Services (device type, browser type, location, language preferences, cookies, IP address, login time, clicks by categories and pages, added to the cart, purchase, any errors occurred during the use of the Services) and assist the Operator in:
- Ensuring a higher quality of service by recognizing the technical capabilities and preferences of the Individual and his devices with which he uses the Services of the Manager
- Ensuring higher security of the Individual by identifying unusual reports, unusual purchases, attempted abuse
- Ensuring faster and better responsiveness in case of problem and dispute resolution
- Data obtained from Data Processors
How do we process personal data?
The specific method of processing personal data depends on the Service used by the Individual, used and on the preferences of the Individual.
USE OF PRIMARY SERVICES AND PERSONALIZATION
We process an individual's personal data to authenticate and identify the Individual when logging in to the system, to personalize received emails, to record interests and wishes, such as using a shopping cart, or browsing categories.
COMMUNICATION RELATED TO SERVICES
We process an individual's personal data for communication in connection with the services offered by the Manager, or for the provision of the Service as such (communication in connection with the daily offer is also the primary Service of the Manager).
The controller also processes personal data in connection with purchases and coupons. It is not possible to unsubscribe from such processing, as it is necessary to provide the Service as such and is linked to the Individual's entry into a contractual relationship with the Manager (purchase).
The Manager may communicate with the Individual about alternative and new Services that are directly or indirectly related to the Services for which the Manager has already obtained the Individual's consent.
MARKETING AND PROMOTION OF SERVICES
Based on the prior consent or use of the Services, the Manager may recommend, propose or otherwise promote and market new Services or offers within the Services. Withdrawal from such processing of personal data is possible.
To support customers, the processing of the Individual's personal data is essential. For more accurate analysis, faster and better resolution of problems or disputes, the Manager may request additional personal and other information.
SAFETY AND PROTECTION
We process personal data to ensure the security and protection of Individuals, the Manager and the Processors. Such processing includes monitoring service logins, monitoring the use of services, monitoring the activities of the Individual within the Services, which makes it easier for the Manager to identify threats and attempts to abuse the Service, the Individual, the Manager or the Processors.
ENFORCEMENT OF LEGAL INTERESTS
If required by law, the Manager may process personal data without the consent of the Individual, or the continuation of the use of the Service is considered the execution of the contract between the Manager and the Individual. A concrete example of such processing of personal data is, for example, the purchase of a product, whereby the Service cannot be performed without the processing of personal data.
The controller may also process personal data if it is convinced that it is protecting its own legitimate interests or that it is protecting the interests of other natural or legal persons involved.
If none of the above reasons exist for the processing of personal data, and the Individual has agreed to the processing of data for a specific purpose, the Individual's personal data may be processed for this purpose until revoked or until otherwise specified by a change in personal data protection policy.
How do we share acquired personal information with third parties?
To ensure the quality of the Services, or to provide the Services, we may share the obtained personal data with third parties. In these cases, the Controller has a contract with the Processor for the processing of personal data, unless the processing of personal data is necessary for the exercise of legitimate interests.
The Operator in no way exploits the databases of personal data for sale, but processes and transmits them for processing only for the purposes of performing the Services. If there is no other legitimate interest in the transfer of personal data to third parties, the Controller obtains consent from the Individual for such processing.
How do we store and protect the personal information we collect?
INFORMATION SECURITY AND DATA STORAGE
Personal data of Individuals are stored and processed on web servers in Slovenia. The controller is constantly striving to maintain and develop the information system in accordance with the latest technological security standards in order to protect the Individual's personal data.
Despite the high standards and implemented protections that the Manager managed to implement in its information system, due to the nature of the Internet it cannot guarantee subsequent misuse of personal data that would occur after transfer from the Manager's servers to the Individual or in case of intrusion into the information system. The operator does not have its own resources or ability to prevent such abuses.
HOW LONG DO WE KEEP PERSONAL DATA?
The duration of the storage of personal data depends on the type of personal data, the individual's use of the Service, the method of processing, legal requirements. When and if personal data are no longer absolutely necessary for processing, or if an Individual decides to terminate a user profile, the Manager shall delete, pseudonymize or anonymize such data, except in cases where it is strictly necessary to continue the Operator's Service. fed due to legal requirements.
The data collected for the needs of the user profile of the user is stored as long as the user of the Service is active, or a reasonable time after the end of the activity in case the user decides to become active again.
The activity is considered to be any activity of the User of the Service, from registration, login, transfer to the shopping cart, purchase, read e-mail or opening of the website. Data that helps the Manager to process claims or disputes by the Individual, or are in any other way legally required to be stored for a longer period of time, is retained even in the event of termination of the user profile. A typical example of this is coupon and purchase data.
Personal data directly related to marketing (cookies, category clicks, ad clicks) may still be kept for a reasonable time after the consent is terminated, if this is necessary for the Operator's business processes or quality assurance of the Service. In the event of termination of use of the Services and thus termination of collection and processing of data directly related to marketing, personal data collected for marketing purposes may be deleted within a reasonable time, unless otherwise affecting the quality of services provided by the Manager.
Personal data collected through forms, sweepstakes and other sources
Personal data collected for processing purposes that are not directly related to the Services provided by the Manager may have different retention times, depending on the purpose of processing.
Unless otherwise marked for personal purposes of personal processing (to ensure legal interests, with the consent of the Individual), such personal data may be deleted, anonymised or pseudonymized after the time required for processing, depending on the type of data and method of processing.
Access and control of personal data files
An individual who is a user of the Services provided by the Manager may access personal data collections through his user profile, where he also has the option of monitoring, updating personal data and changing consents.
Some personal data cannot be managed by the user himself, in these cases a contact of customer support is available, who, if possible, makes the change on behalf of the Individual, at his request.
The Individual as a user may also access data through which the Individual can be identified and they have not been provided by the Individual, such as coupons, purchases, which the Individual cannot change, this data can only be accessed. In the event of a change, a customer support contact is available who, if possible, makes the change on behalf of the Individual.
Personal data collected through questionnaires, sweepstakes, job forms or other online or physical forms that are not linked to the User's profile and are still kept by the Manager are generally valid and processed for a shorter period of time than personal data collected for primary processing purposes. , therefore, personal data that is not part of the database of personal data available in the user profile is not easily accessible to the user, except upon request via the customer support contact, who provides such information upon request or changes personal data.
DEACTIVATION OF USER PROFILE
The individual has the option to terminate the user profile in the event that he no longer wishes to use the Services provided by the Manager. Termination The Individual may make a contact with customer support, which, if possible and if it does not interfere with other business processes, or the legal interests of the Manager or related parties, is performed at the request of the Individual.
Alternatively, it is possible to deviate from individual services or individual methods of data processing, whereby the complete termination of the user profile is not necessary.
In the event of termination of the user profile, the Manager keeps some collected personal data within a reasonable period.
COMBINATION OF USER PROFILES
User profiles that belong to the same person or. To an individual, it is not possible to combine.
DELETION OF PERSONAL DATA
The personal data that the Individual wishes to terminate may be deleted or their processing may be restricted, provided that this does not interfere with the business processes of the Controller or that the Controller has no other legitimate reasons to continue storing such personal data.
Some types of personal data are such that deletion is already enabled in the user profile, but those that do not have this option are data for which it is necessary to contact user support, which does so on behalf of the Individual.
REQUEST FOR LIMITATION OF THE PROCESSING OF PERSONAL DATA
An individual may request a restriction on the use of personal data, but the Controller reserves the right to request reasons for such restriction if the type of personal data is not simple and if the restriction of personal data processing may affect business processes or other legitimate reasons.
In the case of simple types of personal data, the possibility of restricting processing for a specific purpose is already enabled and available in the user profile or in the foot of the email, where the Individual can manage the consent and restrictions of processing individual personal data for specific purposes. If there is no such option, or the Individual does not find it, he can contact the support of users who change the restrictions or consent instead of the Individual.
TRANSFERABILITY OF PERSONAL DATA
An Individual may request from the Manager a collection of personal data maintained by the Manager about the Individual, such collection being in an electronically readable format, so that it is possible to transfer personal data to another similar Service. The controller provides the possibility to export personal databases, but this does not apply to all types of personal data, as not all types can be transferred to another service.
In the case of requests for the export of personal data, the Individual shall contact the support of users who prepare such exports within a reasonable time, the export is not automatic and is not immediate. In the event of multiple consecutive unfounded requests for exports of personal data files, or requests that the Manager rightly considers to be disproportionately frequent, the Manager reserves the right to charge a fee for the service of export of personal data.
Personal data processors
To provide the Services, the Manager cooperates with other legal entities that may process certain types of personal data managed by the Manager.
For each processor of personal data, the Controller has a contract on cooperation and processing of personal data, unless the processing of personal data is necessary for the legitimate interests of the Controller or the Processor. Processors of personal data may, inter alia:
- Payment processors and payment service providers
- Providers of technical or other business support services
- Providers of means of communication such as electronic notifications and electronic conversation
- Customer management tool providers
- Providers of tools to analyze the use of the Services and facilitate troubleshooting of the Services
- Providers of services promoted, marketed and sold by the Manager
The processors of personal data are as follows (the list may change according to the requirements of the Controller):
Means of payment
The country of the provider depends on the service provider
Processors and processing methods not listed above may process pseudonymous or anonymised personal data and are thus exempt from the requirements
General data protection regulations.
Report violations and abuses
If an individual suspects that there has been an abuse or violation in the processing of his / her personal data, he / she may report the suspicion of a violation to the e-mail address of the Controller provided in the contact information.
In order to process the request as quickly as possible, the Individual must provide as much relevant information as possible (which user profile, which personal data is allegedly misused, in what way and why the Individual considers it a violation or abuse).
The controller shall implement the request regarding breaches and misuse of personal data without undue delay within one month of receiving the request, or a maximum of two additional months later, taking into account the complexity and number of requests.
Data protection authority
The controller is convinced that it collects and stores the personal data of Individuals in accordance with the General Data Protection Regulation (GDPR) and other applicable laws in the territory of the Republic of Slovenia and the European Union.
In case of questions and complaints regarding the general regulation on data protection, you can contact the data protection body, which in the Republic of Slovenia is the Information Commissioner of the Republic of Slovenia, available at the following address:
Zaloška cesta 59
T: 01 230 97 30
F: 01 230 97 78
e-mail: gp.ip (at) ip-rs.si
These privacy policies are also available in a PDF document, which is available upon request via email at email@example.com
Personal data is processed by Qualitas d.o.o., as a joint Manager. For all questions regarding personal data and their processing, you can contact us via email at firstname.lastname@example.org.
For requests related to the change or update of personal data, deletion of user accounts, logout or other possible problem with the user profile, please contact us via e-mail at email@example.com.
To report a suspected violation in the processing of personal data, contact us via e-mail at firstname.lastname@example.org.
The controller undertakes to respond to all requests related to the protection of personal data within 30 days of receiving the request. For more serious disputes or problems, we reserve the right to extend this period to an additional 60 days.
Ljubljanska c. 24b
For more information on the General Data Protection Regulation, visit https://www.eugdpr.org/