Date of publication of the latest version of the policy: 24. 5. 2018
- personal data operator
- what personal data we process
- purposes of processing
- how long we keep your personal data
- voluntary provision of data and consequences
- who has access to your personal data
- your rights, including withdrawal of consent and consequences of withdrawal
- procedure for exercising your rights
Personal data operator and contact details
This Policy applies to the processing (use) of any personal data by or on behalf of Uspeh d.o.o. (the Operator).
Information about the Operator:
Zarečje 27a, 6250 Ilirska Bistrica
Business premises: Stegne 21c, 1000 Ljubljana
Registration number: 1616951
Telephone: 01 511 30 71
What personal data we process
- Basic contact details (first name, last name, gender – for naming purposes, phone number, email);
- Data on the use of our websites (clicks on links, time spent) and data on the response to our emails (we only track the anonymised cumulative percentage of opened messages and clicks on links);
- The information we need to fulfil the contract and deliver the products purchased (subject of purchase, price, delivery address, delivery time, method of payment, date of payment, details of complaints, invoice details, etc.).
Legal bases for the processing of personal data
We may process your personal data on the following legal bases:
- where it is necessary for the performance of our legal obligations (e.g. invoicing for a service or product purchased);
- where the processing of your personal data is necessary for the conclusion and performance of a contract you have entered into with us or because you have requested a quotation from us;
- where you have given your consent to the processing of your personal data for a specific processing purpose, in which case you always have the right to withdraw your consent;
- when we have a legitimate interest in processing your personal data.
Purposes of the processing of personal data
We may use your personal data for one or more of the following purposes:
- to communicate with you about the provision of our services and to respond to your enquiries;
- to enter into a contract and to perform our obligations under that contract;
- marketing communications (sending emails, regular mail and SMS messages);
- to pursue any legal claims and resolve disputes;
- for statistical analysis of the sale of our services and products and the use of our websites.
How long we keep your personal data and what happens to it after that
We keep basic personal data for as long as you are a subscriber to our newsletter or have not asked us to delete your data.
Personal data that we process on the basis of your consent is stored permanently or until you withdraw your consent.
We keep data on invoices issued for 10 years from the date of issue.
We retain the data necessary for the conclusion and performance of a contract between you and us for 5 years from the performance of the contract. However, we will retain information about which services or products you have purchased from us permanently or until we receive a request from you to delete the information.
After the retention period has expired, we effectively delete or anonymise the personal data, which means that we process it in such a way that it can no longer be linked to you or attributed to you.
Voluntary provision of data and consequences of non-provision
The provision of personal data is voluntary. You are not obliged to provide us with personal data, but if you do not provide us with personal data, you may not be able to receive certain services or enter into a contract with us. Each time we obtain personal data from you, we will specify which information, if not provided, will have the consequences set out above.
Who has access to your personal data
We do not transfer your personal data or make it available to third parties (outside Uspeh d.o.o.), except for those who have a written contract with us, on the basis of which they carry out certain tasks related to the processing of data and are obliged to comply with the legislation on the processing and protection of personal data (so-called contractual processors). The contractual processors to whom we transfer personal data are:
- Customer Relationship Management (CRM) provider (Intera Intrix CRM system);
- email messaging provider (Mailchimp);
- online programme platform provider (Kajabi);
- accounting service (Vizija Accounting).
Contract processors may only process personal data within the scope of our instructions and may not process personal data for their own purposes. They, together with their employees, are committed to protecting the confidentiality of your personal data.
Contract processors do not export personal data to third countries (outside the member states of the European Economic Area – these are EU member states plus Iceland, Norway and Liechtenstein).
The exceptions are Kajabi and Mailchimp, which adhere to the requirements of the EU-US Privacy Shield and strive to ensure the highest security of the stored data through various physical, technical and organisational measures, such as encryption of web connections, prevention of access by unauthorised persons, use of secure passwords and intrusion prevention. Mailchimp monitors the delivery performance of sent emails by collecting data on opened messages, clicks on links, email clients and browsers, approximate location, IP address, logins and unsubscribes, and failed email delivery.
What rights you have in relation to your personal data, how you can withdraw your consent to processing and what the consequences of withdrawal are
You have the following rights in relation to your personal data:
A. to request from us at any time:
- a confirmation of whether we are processing your personal data;
- access to personal data and the following information: the purposes of the processing; the types of personal data; the users or categories of users to whom the personal data have been or will be disclosed, in particular users in third countries or international organisations; the envisaged period of retention of the personal data or, if this is not possible, the criteria to be used to determine that period;
- one (free) copy of the personal data in the format you specify (if the request is made by electronic means of communication and you do not request otherwise, the copy will be provided in electronic form); we may charge a reasonable fee, taking into account costs, for additional copies you request;
- correction of inaccurate personal data;
- restriction of processing where:
  - you contest the accuracy of the personal data for a period which allows us to verify the accuracy of the personal data;
  - the processing is unlawful and you object to the erasure of the personal data and request instead that its use be restricted;
  - we no longer need the personal data for the purposes of the processing, but you need it to assert, exercise or defend legal claims;
- erasure of all personal data (right to be forgotten), provided that the conditions set out in Article 17 of the GDPR are met, and in particular where you withdraw your consent to the processing of personal data;
- an extract of your personal data in a structured, commonly used and machine-readable format, with the right to transmit that data to another operator without hindrance from us;
- cessation of the use of personal data for direct marketing purposes.
B. the right to lodge a complaint against us with the Information Commissioner if you consider that the processing of your personal data breaches the General Data Protection Regulation.
Procedure for exercising your rights
You may address your requests concerning the exercise of your rights in relation to personal data in writing to the contact listed at the top of this document under "Personal data operator and contact details".
We may request additional information from you for the purposes of reliable identification in the event that you exercise your rights in relation to personal data, and we may refuse to take action only if we can demonstrate that we cannot identify you reliably.
We must respond to your request to exercise your rights in relation to personal data without undue delay and at the latest within one month of receipt of your request.