GDPR GAJCOM
Privacy Policy
1) About the Privacy Policy at Gajcom d.o.o.
This document aims to inform you in the simplest possible way how Gajcom d.o.o., Pot heroja Trtnika 45, 1000 Ljubljana (hereinafter: Gajcom) collects, stores, and processes personal data and manages individuals’ rights in the field of personal data protection (GDPR).
The Policy includes, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter General Data Protection Regulation), the following information:
- contact information of the company and the data protection officer,
- purposes, bases, and types of processing various types of personal data of individuals, including profiling of individuals’ personal data,
- data transfer to third parties and to third countries,
- retention periods of different types of personal data,
- rights of individuals regarding the processing of personal data,
- the right to file a complaint regarding the processing of personal data. Where appropriate, the provisions relating to individuals also apply to issues of secrecy and confidentiality of communications from users who are legal entities. 2) Data Controller and Data Protection Officer The Data Controller of personal data of individuals, which are processed in accordance with the Data Protection Policy, is Gajcom d.o.o. Gajcom d.o.o. has not appointed a specific Data Protection Officer, however, for additional questions regarding this matter, we are available at the email address [email protected].
3) Purposes of processing and bases for data processing GDPR
Processing based on a contract or transaction – Gajcom d.o.o. stores and processes personal data of individuals to fulfill its obligations under the contractual relationship, including processing orders, communication with the client during the order processing, issuing invoices, informing about the status of the order, and delivering services and goods.
The data of individuals who order online are stored in the online store database, while the data of individuals who purchase via email is stored in the accounting system. We use the data of customers who order physically in the store for the purpose of processing the order and handing over the goods or services.
4) Storage of personal data
We store personal data about individuals for legitimate business interests (issuing an invoice, warranty, record for possible reorder) for an indefinite time.
5) Processing of personal data based on the law
In accordance with the General Data Protection Regulation, direct marketing is also considered a legitimate interest. For direct marketing purposes, Gajcom can, without consent, create profiles of individuals based on basic information about past orders, expressed interest, or lack of interest in certain services or goods. Such basic profiling will never include data about traffic or the content of electronic communication services. An individual can object to this processing or has, in each message received from Gajcom d.o.o., the option to request an unsubscribe from a specific set of notifications or from all notifications (deletion of legally specified data related to a business contract is not possible where data must be retained for business legal reasons or for the protection of individual rights).
Based on legitimate interest, Gajcom d.o.o. may contact individuals to determine their satisfaction with services or user experience even in cases where it is not strictly necessary for the execution of the contract. Due to weighing this interest with the interests of the individual, Gajcom does not contact again those individuals who have objected to this.
6) Processing based on consent for the processing of personal data:
Data processing can be based on consent given by the individual to Gajcom d.o.o. Consent may, for example, relate to notifications about offers and services, preparation of an offer tailored to the individual’s user habits, or the performance of value-added services. Notifications are carried out through the channels selected by the individual in the consent (natural person or authorized representative of a legal entity).
The individual to whom the personal data pertains may withdraw or amend their consent at any time in the same manner as it was given or in another manner defined by Gajcom d.o.o., for which Gajcom d.o.o. reserves the right to identify the customer. The change of consent can be managed, among other ways, through the online store, via contact email, or at the headquarters of Gajcom d.o.o. The withdrawal or amendment of consent applies only to data processed based on consent. The last given consent by the individual received by Gajcom is valid. The possibility of revoking consent does not represent a termination right in the business relationship of the individual with Gajcom d.o.o.
Where consent includes direct marketing based on the individual’s profile, Gajcom may conduct profiling of the individual based on past purchases.
Data for which consent has been given are processed for an indefinite period in the absence of revocation.
7) Disclosure of data to third parties and disclosure of data to third countries (countries that are not members of the European Union or the European Economic Area)
Gajcom forwards personal data about buyers related to legal obligations to external accounting services, which currently have a business cooperation agreement with Gajcom d.o.o. All data is recorded in the business system, which allows the issuance of VAT-approved invoices and collects all data of clients, buyers, and potential buyers who have come into contact with Gajcom d.o.o. The data is stored by the company with which Gajcom d.o.o. has a business cooperation agreement in connection with the management and processing of business documents. Gajcom does not forward data to other third parties or third countries.
8) Data retention period for personal data
Data on issued invoices and related contact details of individuals are stored for the purpose of fulfilling contractual obligations until full payment of the service or at least until the expiration of the limitation periods related to each claim, which can legally range from one to five years. Invoices are kept for 10 years after the end of the year to which the invoice relates, in accordance with the law governing value-added tax.
9) Rights of individuals regarding the processing of personal data
Gajcom d.o.o. ensures that individuals can exercise their rights without undue delay and in any case within one month of receiving the request.
Gajcom d.o.o. accepts requests regarding individual rights at the email address [email protected] or by mail at Gajcom d.o.o., Pot heroja Trtnika 45, 1000 Ljubljana. An individual can also submit the request at the company’s headquarters Gajcom d.o.o.
When an individual, to whom the personal data relates, submits a request by electronic means, the information is generally provided by electronic means, unless the individual concerned requests otherwise.
When there is a justified doubt regarding the identity of the individual who submits a request concerning any of their rights, Gajcom d.o.o. may request the provision of additional information necessary to confirm the identity of the individual to whom the personal data relates.
Gajcom d.o.o. provides individuals with the following rights related to the processing of personal data:
the right to access data,
the right to correct data,
the right to delete data (the so-called ‘right to be forgotten’),
the right to restrict data processing,
the right to data portability,
the right to object
10) The right to access data
The individual to whom personal data relates has the right to obtain information from Gajcom d.o.o. about whether their personal data is being processed and, if so, access to the personal data and additional information related to the processing of personal data, including:
- the purposes of the processing;
- the types of personal data;
- the recipients or categories of recipients to whom personal data has been or will be disclosed, particularly recipients in third countries or international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing concerning the individual to whom personal data relates, or the existence of the right to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data is not collected from the individual, any available information as to its source;
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual.
- Upon an individual’s request, Gajcom d.o.o. provides a copy of their personal data being processed.
11) Right to rectification
The individual to whom the personal data relates has the right to ensure that Gajcom d.o.o. rectifies inaccurate personal data related to them without undue delay. The individual, taking into account the purposes of the processing, also has the right to have incomplete personal data completed, including by means of a supplementary statement.
12) Right to erasure (‘right to be forgotten’)
The individual to whom the personal data relates has the right to ensure that Gajcom d.o.o. erases personal data related to them without undue delay, and the company has the obligation to erase personal data without undue delay if:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the individual withdraws consent on which the processing is based, and there is no other legal ground for the processing;
- the individual objects to the processing based on the legitimate interest of Gajcom d.o.o., and there are no overriding legitimate grounds for the processing;
- the individual objects to the processing for direct marketing purposes;
- when personal data must be deleted to fulfill a legal obligation in accordance with EU law or Slovene legal order; when it concerns data related to the provision of information society services, improperly collected from a child who, in accordance with applicable legislation, cannot provide such data.
- When it concerns directory or otherwise published data, it takes reasonable measures, including technical ones, to inform the controllers who process personal data that the individual to whom the personal data pertains requests them to delete any links to these personal data or their copies.
13) Right to restriction of processing
The data subject has the right to obtain restriction of processing where:
– the data subject contests the accuracy of the data, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise, or defense of legal claims;
– the data subject has objected to processing, pending the verification of whether the legitimate grounds of the controller override those of the data subject.
14) Right to data portability
Gajcom d.o.o. does not share personal data with third parties, even at the request of the individual.
15) Right to Object
An individual whose personal data is processed has the right, based on reasons related to his or her particular situation, to object at any time to the processing of personal data when this processing is based on legitimate interests pursued by or a third party. The processing of personal data shall stop unless there are compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the individual, or for the establishment, exercise, or defense of legal claims. When personal data is processed for direct marketing purposes, the individual has the right to object at any time to the processing of personal data for such marketing purposes, including profiling to the extent that it is related to such direct marketing. If the direct marketing is based on consent, the right to object can be exercised by withdrawing the given personal consent.
16) The right to lodge a complaint related to the processing of personal data under GDPR
An individual may submit any complaint regarding personal data processing to Gajcom d.o.o. using the published contact details. Each individual also has the right to file a complaint directly with the Information Commissioner if they believe that the processing of personal data concerning them violates Slovenian regulations or EU regulations on personal data protection.
If an individual has exercised their right to access data and, after receiving the response, believes that the personal data received is not the personal data they requested or that they have not received all the requested personal data, they can submit a reasoned complaint to Gajcom d.o.o. before filing a complaint with the Information Commissioner. Gajcom d.o.o. must decide on the complaint as a new request within 15 days within five working days.
17) Validity of the policy
This policy is published on www.Gajcom.si and takes effect on 25.05.2018, with the latest revision date of 24.03.2022.