The company collects and processes your personal data on the following legal bases:

• the processing is necessary for compliance with a legal obligation to which the controller is subject;
• the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of measures at the request of such data subject prior to the conclusion of the contract;
• the processing is necessary for the legitimate interests pursued by the controller or a third party;
• the data subject has consented to the processing of his or her personal data for one or more specified purposes;
• processing is necessary to protect the vital interests of the data subject or of another natural person.

Based on the provisions of the law, the company processes data on employees, which is allowed under labour and social security legislation. Based on the legal obligation, the company processes mainly the following types of personal data for recruitment purposes: name and surname, gender, date of birth, EMN, tax number, place, municipality and country of birth, nationality, residence, etc. Certain personal data is stored on the basis of tax and other legislation. When a company processes data on the basis of the law, it will keep it for the period prescribed by law. In this case, some data will be kept for the duration of the engagement with the company, while some data must be kept permanently.

Where an individual enters into a contract with a company, this constitutes the legal basis for the processing of personal data. Personal data may therefore be processed for the conclusion and performance of a contract, such as the purchase and delivery of products, etc. We process the following data about the payer for the successful completion of the order and delivery: name, surname, country, residential address, telephone, e-mail address, place of delivery, method of payment and any other data. If the invoice is for a company, we also need the name and tax number of the company. If the individual does not provide the personal data, the company cannot conclude the contract, nor can the company perform the service or deliver the goods in accordance with the contract. The company may, on the basis of its lawful activity, inform individuals and users of its services of its services, events, training, offers and other content by sending an e-mail to their e-mail address. Individuals may at any time request to cease such communications and processing of personal data, and may opt-out of receiving communications via the unsubscribe link in the communication received, or as a request by email to info@pinnashop.si or by regular mail to the Company’s address.

Personal data processed by the company on the basis of a contractual relationship with an individual shall be kept by the company for the period necessary for the performance of the contract and for 6 years after its termination, except in cases where there is a dispute between the individual and the company in relation to the contract. In such a case, the company shall keep the data for 10 years after the final decision of a court, arbitration or court settlement or, if there has been no litigation, for 5 years from the date of amicable settlement of the dispute.

The company may also process personal data on the basis of a legitimate interest pursued by the company. The latter shall not be admissible where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. Where legitimate interest applies, the company shall always carry out an assessment in accordance with the GDPR. The processing of personal data of individuals for direct marketing purposes is considered to be carried out in the legitimate interest. The company may also process personal data of individuals which it has collected from publicly available sources or in the course of the lawful exercise of its business for the purposes of offering goods, services, informing about benefits, events, etc. For these purposes, the company may use ordinary mail, telephone calls, e-mail and other means of telecommunication. For direct marketing purposes, the company may process the following personal data of individuals: name and surname of the individual, address of permanent or temporary residence, telephone number and e-mail address. For the purposes of direct marketing, the company may also process the aforementioned personal data without the individual’s explicit consent. The individual may at any time request to cease such communication and processing of personal data and to withdraw from receiving communications via the unsubscribe link in the communication received, or as a request by e-mail to info@pinnashop.si or by regular mail to the company’s address.

Personal data processed by the company on the basis of legitimate interest will be kept by the company until an objection or a request for erasure is received. Upon receipt of an objection or a request for erasure (see section 9 for more information on rights and limitations), the data will be erased within 15 days at the latest. The company may also delete the data where the purpose of the processing of personal data has been achieved or where required by law.

If the company does not have a legal basis based on the law, a contractual obligation or a legitimate interest, it may ask the individual for consent or assent. In this way, it may also process certain personal data of the data subject for the following purposes where the data subject has given his or her consent:

• your home address and email address for information and communication purposes;
• photographs, videos and other content relating to an individual (e.g. posting images of individuals on the company’s website) for the purposes of documenting activities and informing the public about the company’s work and events;
• other purposes for which the individual consents.

If the data subject has given his or her consent to the processing of personal data and at some point no longer wishes to do so, he or she may request that the processing of personal data be terminated by sending a request by e-mail to info@pinnashop.si or by regular mail to the Company’s address. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.

Personal data processed by the company on the basis of the individual’s personal consent will be kept by the company until the consent is withdrawn or until a request for deletion of the data is made (for more information on rights and limitations, see Chapter 9). Upon receipt of a revocation or a request for deletion, the data will be deleted within 15 days at the latest. The company may also delete the data if the purpose of the processing of the personal data has been achieved or if required by law.

The company may process the personal data of the data subject insofar as this is necessary to protect his or her vital interests. In urgent cases, the company may search for a personal document of the data subject, check whether that person exists in its database or contact his or her relatives, without the company needing the data subject’s consent. The above applies where it is strictly necessary to protect the vital interests of the individual.

The company may entrust a contractual processor with the processing of personal data on the basis of a contractual processing agreement. Contract processors may process the entrusted data exclusively on behalf of the controller, within the limits of the controller’s authorisation, which is enshrined in a written contract or other legal act and in accordance with the purposes set out in this Privacy Policy.

The contractual processors with which the company cooperates are mainly:

• accounting services and other providers of legal and business advice;
• infrastructure maintenance (video surveillance, security services);
• information systems maintainers;
• email service providers and software providers, cloud services (e.g. Arnes, Microsoft, Google);
• social networking and online advertising providers (Google, Facebook, Instagram, etc.).

In order to improve the overview and control of the contractual processors and the regularity of the contractual relationship between them, the company also maintains a list of contractual processors, which lists all the specific contractual processors with which the company cooperates.

Under no circumstances will the Company disclose the personal data of an individual to unauthorised third parties. Contract processors may only process personal data within the scope of the Company’s instructions and may not use personal data for any other purpose.

The company as controller and its employees do not export personal data to third countries (outside the Member States of the European Economic Area – EU Member States plus Iceland, Norway and Liechtenstein) and to international organisations, except to the USA, where the relationship with US contract processors is governed by standard contractual clauses (standard contracts adopted by the European Commission) and/or binding corporate rules (adopted by the company and approved by the supervisory authorities in the EU).

The company takes care of information security and infrastructure security (premises and application system software). Our IT systems are protected by antivirus and firewall software, among other things. We have put in place appropriate organisational and technical security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access and against other unlawful and unauthorised forms of processing. In the case of transmission of special types of personal data, we transmit them in encrypted and password-protected form.

It is the individual’s responsibility to ensure that his or her personal data is provided securely and that the data provided is accurate and reliable. The Company will endeavour to ensure that the personal data it processes is accurate and, where necessary, kept up to date, and we may from time to time contact the individual to confirm the accuracy of the personal data.

Under the GDPR, the data subject has the following data protection rights:

• He or she can request information about whether we hold his or her personal data and, if so, what data we hold, on what basis we hold it and why we use it;
• can request access to his or her personal data, which allows him or her to receive a copy of the personal data held by the company and to check whether the company is processing it lawfully;
• may request rectification of personal data, such as the rectification of incomplete or inaccurate personal data;
• may request the erasure of his/her personal data where there is no longer any reason for further processing or where he/she exercises his/her right to object to further processing. Exceptionally, a company may refuse a request for erasure on the grounds set out in the General Regulation, such as the following: the exercise of the right to freedom of expression and information, compliance with a legal obligation to process, grounds of public interest in the field of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the exercise or defence of legal claims. After the retention period has expired, the company must effectively and permanently erase or anonymise the personal data so that it can no longer be linked to a specific individual;
• to object to further processing of personal data where the company relies on legitimate business interest (including in the case of legitimate interest of a third party), where there are grounds relating to the particular situation of the data subject; the data subject has the right to object at any time if the company processes personal data for direct marketing purposes;
• may request the restriction of the processing of his or her personal data, which means the interruption of the processing of personal data, for example, if the data subject wishes the company to establish its accuracy or to verify the grounds for further processing of personal data;
• may request the transfer of his/her personal data in a structured electronic format to another controller, insofar as this is possible and feasible;
• he/she may withdraw the consent or consent he/she has given to the collection, processing and transfer of his/her personal data for a specific purpose; upon notification that he/she has withdrawn his/her consent, the company will cease to process the personal data for the purposes for which he/she originally consented, unless the company has no other lawful legal basis to do so lawfully.

If an individual wishes to exercise any of the above rights, he or she may send a request by e-mail to info@pinnashop.si or by regular mail to the Company’s address (Vandotova ulica 57, 1000 Ljubljana). The company will respond to the request concerning the rights of the individual without undue delay and in any event within one month of receipt of the request. Should this time limit be extended (by up to two additional months), taking into account the complexity and number of requests, you will be informed accordingly. Access to the personal data and the rights invoked is free of charge for the data subject. However, the company may charge a reasonable fee if the data subject’s request is manifestly unfounded or excessive, in particular if it is repetitive. In such a case, the company may also refuse the request. In the case of the exercise of rights under this Title, the company may need to request certain information from the data subject to help it confirm the identity of the data subject, which is only a precautionary measure to ensure that personal data are not disclosed to unauthorised persons.

To exercise their rights under this title, individuals can use the Information Commissioner’s form, which is available on their website. Link to: https://www.ip-rs.si/obrazci/.

We do not use automated decision-making, including profiling.

If an individual considers that his or her rights have been violated, he or she may seek protection or assistance from a supervisory authority (the Information Commissioner). Link to: https://www.ip-rs.si/en/data-protection/how-to-file-an-application.

If you have any questions regarding the processing of your personal data, you can always contact our company by email at info@pinnashop.si or by regular mail to our company address.