The purpose of this privacy policy is to inform individuals, customers, product or service users, collaborators, employees, and other persons (hereinafter referred to as "individual") who engage with SIMPOS trgovina in storitve d.o.o., Plešivo 1, 5212 Dobrovo v Brdih, company registration number: 2268701000, tax number: SI 92189164 (hereinafter referred to as "the company"), about the purposes, legal bases, security measures, and the rights of individuals regarding the processing of personal data carried out by the company.
We value your privacy, and thus we always diligently protect your data.
We process personal data in accordance with applicable personal data protection legislation and other laws that provide us with a legal basis for processing personal data.
Any changes to this document will be published on our website. By using the website, you confirm that you are familiar with the entire content of the privacy policy.
Data Controller:
COMPANY: SIMPOS trgovina in storitve d.o.o.
ADDRESS: Plešivo 1
CITY: 5212 Dobrovo v Brdih
Email: gdpr@simpos.si
Phone: +386 5 39 59 100
Website: https://www.simpos.si
Personal data means any information related to an identified or identifiable individual; an identifiable individual is one who can be directly or indirectly identified, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.
The company collects and processes personal data on the following legal bases:
Warehouse Pickup
When an individual physically picks up ordered goods from the warehouse, due to the high value of some orders, it is not possible to carry out the pickup without processing personal data. In accordance with Article 85 of the Personal Data Protection Act (ZVOP-2), the company records the entry and exit of individuals into and from the company's warehouse spaces, loading dock areas, and other locations where goods are located or loading activities take place.
The collection of entry and exit data may only process the following personal data when necessary: full name, number and type of official identification document, address of residence, employment, type and registration number of the vehicle, and the date, time, and reason for entry into or exit from the premises.
Personal data mentioned above may be stored for a maximum of two years from the end of the calendar year in which the personal data were entered into the collection, after which they are deleted or otherwise destroyed unless another law specifies differently.
Email Communication, e.g., Newsletters
The company may inform its clients, customers, and service users about its services, events, trainings, offers, and other content via their email addresses as part of its legitimate business activities. Individuals may request at any time to stop such communication and the processing of personal data, and to unsubscribe from receiving messages via the unsubscribe link in the received message or by sending a request via email or regular mail to the company's address.
The legal bases for processing data are legitimate interest and consent. Data will be processed until the withdrawal of consent to receive messages or until the purpose of processing is fulfilled. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Video Surveillance
In the organization SIMPOS trgovina in storitve d.o.o., we conduct video surveillance. Through video surveillance (cameras are located around the entrances to the organization, and in some indoor areas as well), we monitor entries into and exits from the premises (based on Article 77 of the ZVOP-2). Video surveillance is also conducted to protect individuals (users, employees, and visitors) and the organization's property (based on legitimate interest as defined in point (f) of paragraph 1 of Article 6 of the General Data Protection Regulation). Inside certain workspaces, video surveillance is conducted where it is deemed absolutely necessary for the safety of people or property, or for the protection of confidential information or trade secrets.
Execution of the Contract
In cases where an individual enters into a contract with a company, this contract serves as the legal basis for the processing of personal data. The company may thus process personal data for the conclusion and execution of the contract, such as the sale of goods and services, preparation of an offer, participation in various programs, etc. If the individual does not provide personal data, the company cannot enter into the contract, nor can it perform the service or deliver goods or other products in accordance with the contract, as it lacks the necessary data for execution. On this basis, the company processes only those personal data that are necessary for the conclusion and proper execution of contractual obligations.
The legal basis for data processing is the contract. The retention period is until the purpose of the contract is fulfilled or up to 6 years after the termination of the contract, except in cases where a dispute arises between the individual and the company regarding the contract. In such cases, the company retains the data for 10 years after the legal decision, arbitration, or court settlement becomes final, or, if there was no legal dispute, 5 years from the day of amicable dispute resolution.
Legitimate Interest
The company may also process personal data on the basis of legitimate interest it pursues. This is not permissible when such interests are overridden by the interests or fundamental rights and freedoms of the individual whose personal data are being processed, requiring the protection of personal data. In the case of using legitimate interest, the company conducts an assessment in accordance with the legislation. Processing personal data of individuals for direct marketing purposes is considered to be conducted under legitimate interest.
The company may process personal data of individuals collected from publicly available sources or within the legitimate conduct of its activities, also for the purposes of offering goods, services, employment, informing about benefits, events, etc. To achieve these purposes, the company may use regular mail, phone calls, email, and other telecommunication means. For direct marketing purposes, the company may process the following personal data of individuals: name and surname, address of permanent or temporary residence, telephone number, and email address. The company may process these personal data for direct marketing purposes even without the express consent of the individual. The individual may request at any time to stop such communication and processing of personal data and revoke receiving messages through the unsubscribe link in the received message or by sending a request via email or regular mail to the company's address.
The legal basis for data processing is legitimate interest. Data will be processed until the withdrawal of consent to receive messages or until the purpose of processing is fulfilled. Withdrawal does not affect the legality of processing based on consent before its withdrawal.
Processing Based on Consent
If the company does not have a legal basis proven by law, contractual obligation, legitimate interest, or the protection of the individual's life, it may ask the individual for consent. Thus, it can process certain personal data of the individual also for the following purposes, when the individual gives their consent:
If the individual wishes to revoke their consent for the processing of personal data, they can request the cessation of processing personal data with a request sent by email or regular mail to the company's address. Revocation of consent does not affect the legality of processing based on consent before its revocation. Upon receipt of the revocation or request for deletion, the data will be deleted no later than 15 days. The company may also delete these data before the revocation if the purpose of processing personal data has been achieved or if so required by law.
Exceptionally, the company may refuse a request for deletion for reasons set out in the General Data Protection Regulation in cases of exercising the right to freedom of expression and information, fulfilling a legal obligation of processing, reasons of public interest in the area of public health, purposes of archiving in the public interest, scientific or historical research purposes, statistical purposes, execution, or defense of legal claims.
The legal basis for data processing is consent. Data will be processed until the revocation or withdrawal of consent or until the purpose of processing is fulfilled. Revocation of consent does not affect the legality of processing based on consent before its revocation.
Protection of the Individual's Vital Interests
A company may process the personal data of the individual to whom the data pertains if it is necessary to protect their vital interests. In urgent cases, the company may seek an individual's personal document, verify whether this person exists in its database, examine their medical history, or make contact with their relatives, for which the company does not need the individual's consent. This applies when it is urgently necessary to protect the individual's vital interests.
The company will store personal data only as long as necessary for the purpose for which the personal data were collected and processed. If the company processes data based on law, it will store them for the period prescribed by law. Some data are stored during the cooperation with the company, while some data must be stored permanently. Personal data processed on the basis of a contractual relationship with an individual will be kept for the period necessary to fulfill the contract, and for 6 years after its termination, except in cases where a dispute arises between the individual and the company regarding the contract. In such a case, the company keeps the data for 10 years after the legal decision, arbitration, or court settlement becomes final, or, if there was no legal dispute, 5 years from the day of amicable dispute resolution. Personal data processed on the basis of the individual's consent or legitimate interest will be stored until the consent is revoked or a request for data deletion is made. Upon receiving a revocation or deletion request, data are deleted without unnecessary delay. The company may also delete these data before the revocation if the purpose of processing personal data has been achieved or if so required by law. In the case of asserting an individual's rights, the company keeps the personal data of this individual until a final decision is made on the matter, and afterwards in accordance with the final decision.
Exceptionally, the company may refuse a deletion request for reasons such as: exercising the right to freedom of expression and information, fulfilling a legal obligation of processing, reasons of public interest in the field of public health, purposes of archiving in the public interest, scientific or historical research purposes, or statistical purposes, execution or defense of legal claims. After the storage period expires, the company must effectively and permanently delete or anonymize the personal data so that they can no longer be associated with a specific individual.
The company may entrust certain processing of personal data based on a data processing agreement to a processor. Contract processors may only process the entrusted data on behalf of the controller, within the limits of its authorization recorded in a written contract or another legal act, and in accordance with the purposes defined in this privacy policy.
Contract processors with whom the company cooperates include:
For better oversight and control over contract processors and the regulation of mutual contractual relations, the company also maintains a list of contract processors, where all specific contract processors with whom the company cooperates are listed.
Under no circumstances will the company disclose personal data of an individual to third unauthorized parties. Contract processors may only process personal data within the framework of the company's instructions and must not use the data for any other purposes.
The company as controller and its employees do not transfer personal data to third countries (outside the European Economic Area member states - EU member states, Iceland, Norway, and Liechtenstein) and international organizations, except to the USA, where relations with contract processors in the USA are regulated based on standard contractual clauses (model contracts adopted by the European Commission) and/or binding corporate rules (adopted by the company and approved by regulatory authorities in the EU).
The company's website operates with the help of so-called cookies, which are essential for providing online services. They are used for storing data about the state of individual web pages, assisting in collecting statistics about users and site visitation, etc. Upon entering the website, only those cookies that are strictly necessary for the website's operation (e.g., for the shopping cart) are loaded onto the device. Other cookies will only be loaded with the individual's consent. Settings can be changed at any time, and cookies can be deleted (instructions are available on the websites of each browser).
The website uses the following mandatory cookies:
|
Cookie Name |
Duration |
Function |
|
_RequestVerificationToken |
until session expires |
Enables secure submission of forms. |
|
DefLngLcid |
365 days |
"Default Language LCID" cookie for storing the user's language. |
|
_ga |
365 days |
Enables user differentiation. |
|
_gid |
24 hours |
Enables user differentiation. |
|
analytic_consent |
1 month |
Permission to use cookies. |
|
analytic_consentNoPopUp |
1 month |
Permission to use cookies. |
|
_gat_gtag_UA |
1 minute |
Limits queries to Google Analytics. |
The company ensures information security and infrastructure security (spaces and application-system software). Our information systems are protected, among other things, with antivirus programs and a firewall. We have implemented appropriate organizational and technical security measures aimed at protecting personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and against other illegal and unauthorized forms of processing. In the case of transmitting special categories of personal data, they are sent in encrypted form and protected with a password. Individuals are responsible for securely transmitting their personal data and ensuring the transmitted data is accurate and authentic.
The individual, whose personal data is concerned, has the right to request access to personal data and the correction or deletion of personal data or restriction of processing related to him or her, and the right to object to processing and the right to data portability. The individual's request will be handled in accordance with the provisions of the General Regulation and applicable data protection legislation.
All mentioned rights and any questions can be asserted by a request sent to the company's address. The company will respond to the individual's request without undue delay, at the latest within one month after receiving the request. This period may be extended by a maximum of two additional months, taking into account the complexity and number of requests, of which the individual will be informed, along with the reasons for the delay. Exercising rights is free of charge for the individual, but the company may charge a reasonable fee if the request is clearly unfounded or excessive, especially if it is repetitive. In such a case, the company may also refuse the request. In case of doubt regarding the individual's identity, additional information may be required that the company needs to determine the identity.
The company will also inform the individual about the reasons for the decision and information about the right to lodge a complaint with the supervisory authority within 15 days from being informed about the decision. The right to lodge a complaint with the supervisory authority can be exercised at: Information Commissioner of RS, Dunajska 22, 1000 Ljubljana (email: gp.ip@ip-rs.si, website: www.ip-rs.si/en/).
The privacy policy is valid from 19 March 2024 onwards.
Simpos d.o.o.
Marijan Rusjan, Director