ZAVOD SAVINA ATAI – Data protection policy
Data protection policy
This Data Protection Policy (hereinafter ”Policy”) is meant to inform subscribers, users and others (hereinafter ‘’Individuals’’) about purposes and lawful basis for the processing of personal data by company SAVINA ATAI ZAVOD (hereinafter ‘’company’’) and inform Individuals about their rights as data subjects. In this Policy it’s also further clarified about the consent for personal data processing.
In accordance with the Regulation EU 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: GDPR), this Policy contains this information about:
- Company contact information and contact of authorized Data Protection Officer
- Purposes and lawful basis for personal data processing, types of personal data processing, including profiling of personal data
- Sharing personal date with third-parties and into third countries
- Personal data retention
- Rights of data subjects regarding the processing of personal data
- Right to file a complaint regarding personal data
Where appropriate, the provisions in this Privacy related to Individuals also apply for issues of secrecy and confidentiality of communications with users, who are legal persons.
Name and address of the controller and authorized data protection officer
The controller of the personal data is SAVINA ATAI ZAVOD, ULICA MIRKA VADNOVA 1, 4000 KRANJ.
Purposes and lawful basis for personal data processing personal data processing
On the basis of contract:
Company processes personal data of Individuals for the purpose of informing them about new blog entries on website (subscribing for Sunday letters and latest discoveries in the field of women’s care and on the glow of women’s energies), for purposes of direct marketing (subscribing to exclusive invitations to workshops, programs and events), segmentation (apply for friendly and individualized e-mails and ads on Facebook created for Individuals).
In the context of exercising the rights and fulfilment of contractual obligations, the company processes personal data for following purposes:
- E-mail and name (for the purpose of informing, sending e-mail newsletters, advertising on Facebook)
- Telephone number (for the purpose of notification in case of events, courses)
- Home address (for the fulfilment of duties under the sales contract and for sending invoices)
- Information about the company, from which personal data can be identified (for the fulfilment of duties under the sales contract and for sending invoices)
On the basis of legal obligation:
Company processes personal data of Individuals for the purpose of concluding, implementing, monitoring and terminating the contracts.
On the basis of individuals consent:
Processing can base on Individuals consent. Consent can be given for notification about the services, for offers personalized to Individuals user habits or offers for value-added services. The Individual selects trough which channels the communication shall be carried through when giving consent. Informing by using an email address includes forwarding an email address to external processor, for purpose of displaying adds of company in internet browsers.
Individual who has given consent for processing of his personal data can always withdraw the consent or change the consent the same way as consent was given or in any other way, as the company defines it and the company reserves the right to identify the individual. The withdrawal or change of consent only refers to personal data that is processed on the basis of consent. Last given consent of individual is valid. The possibility of revocation of consent does not constitute as one of the reasons for withdrawal in the business relationship between individual and the company.
Parents or guardians of children, who in accordance with applicable law cannot give consent, have to give consent on behalf of them. Consent shall be valid, until one of the parents or a guardian or the child itself, when in accordance with applicable law has required the right, does not revoke or change it.
Transmitting personal data to third parties and transmitting of personal data to third countries (countries, who are not part of EU or EEA).
In compliance with purposes for processing personal data, company can transmit personal data to:
- undertakings or individuals, who carry out individual processing tasks on behalf of company, such as preparing and sending invoices or data analytics, for maintaining and developing services, when they contain processing of personal data in the extent necessary
- undertakings or individuals, who provide sales and marketing services for the company, including field sales and marketing, or undertakings/individuals that cooperate with the company in the field marketing and sales of companies services or services third parties to the extent necessary for such tasks in the context of the purposes and bases specified in this Policy
In case undertaking acquires the company or company merges with undertaking, personal data are transferred in accordance with applicable law to the other entity. By using our services, Individual consents with further processing by acquiring undertaking.
For the purpose of complying with contractual obligations, the accounting data and related personal data can be kept until the full payment for the service or at longest, by the expiration of the limitation period in relation to each Individual claim, which can last from one to five years in accordance with applicable law.
Invoices shall be kept for 10 years after the year, to which the invoice refers to in accordance with Value Added Tax Act.
If personal data about the traffic are processed on the basis of Individual’s consent for the purpose of marketing the service, sales of goods or carrying out the value-added services, such personal data may be processed to the extent necessary, as long as it is required for such marketing or services..
All other personal data obtained for the purpose of informing Individuals and for direct marketing, shall be kept until the consent is withdrawn.
Individual’s rights in relation to the personal data processing
The company is ensuring Individuals to exercise their rights without undue delay and in each case in one month after receiving Individual’s request. The company may extend this period of Individual’s right up to two additional months, taking into account complexity and numbers of requests.
If the company extends the period, we shall notify Individual about it in one month after receipt of the request with reasons for our delay.
The company accepts request of Individual’s rights by telephone, at 040-763-335 or e-mail [email protected].
When Individual, who is data subject submits a request in electronic means, the information shall, where possible be provided in electronic means, unless Individual, who is data subject requests otherwise.
If there is a reasonable doubt about the identity of the individual who request any of its rights, the company may require additional information to confirm the identity of the Individual, who is data subject.
If the request of the Individual, who is data subjects are manifestly unfounded or exaggerated, especially in case they are repeated, the company may:
- charge a reasonable fee with taking account the administrative costs of providing such information or message or to perform required action or refuse to take actions relating to the request.
The company grants to Individual following rights related to the processing of personal data:
- Right of access by the data subject
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
Righr of access by the data subject.
The Individual, who is data subject shall have the right to obtain from the company confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the company rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The company shall provide upon request a copy of the personal data undergoing processing. For any further copies requested by the Individual, who is data subject, the company may charge a reasonable fee based on administrative costs.
Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
Right to retification
Individual, who is data subject shall have the right to obtain from the company without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (‘right to be forgotten’)
Individual who is data subject shall have the right to obtain from the company the erasure of personal data concerning him or her without undue delay and the company shall have the obligation to erase personal data without undue delay when:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant to legitimate interest of the company and there are no overriding legitimate grounds for the processing
- the Individual objects to the processing for direct marketing purposes
- the personal data have to be erased for compliance with a legal obligation in EU or Slovenian law; or the personal data have been collected in relation to the offer of information society, improperly collected from a child who cannot provide such information in accordance with applicable law.
In the case of a directory or otherwise published data, the company shall take reasonable steps, including technical measures, to inform other controllers which are processing personal data that Individual, who is data subject requested erasure by such controllers of any links to personal data or its copies.
Right to restriction of processing
Individual, who is data subject shall have the right to obtain from company restriction of processing when:
- the accuracy of the personal data is contested by the Individual, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the Individual opposes the erasure of the personal data and requests the restriction of their use instead;
- the company no longer needs the personal data for the purposes of the processing, but they are required by the Individual for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing, until the verification whether the legitimate grounds of the controller override those of the Individual.
Right to data portability
Individual, who is data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- the processing is based on Individual’s consent or on a contract and the processing is carried out by automated means
Right to object
Individual, who is data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on legitimate interest pursued by the company or a third party. The company shall no longer process the personal data unless the company demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Individual or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the Individual shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where direct marketing is based on consent the right to object may be exercised by withdrawing of the consent given by Individual.
Right to appeal regarding to processing of personal data
Individual may file potential complaint regarding personal data protection on telephone: 040-765-335 or at e-mail: [email protected] or by regular post at Zavod Savina Atai, Ulica Mirka Vadnova 1, 4000 Kranj.
Every Individual shall have the right to lodge a complaint directly to the Information Commissioner if she/he thinks that the processing of personal data concerning him/her violates laws of Slovenia or EU data protection rules.
If Individual has exercised right to access and the company provided it’s decision, but Individual thinks that received personal data is not personal data that Individual demanded, or did not receive all the requested data, can file, before filing complaint to the Information Commissioner, a reasoned complaint to the company within 15 days. Company must decide on this complaint as a new request within five business days.
This policy is published on the website www.en.savinaatai.com and takes effect on April 9th 2020