Privacy Policy

LEGAL BASES AND PURPOSES FOR PROCESSING PERSONAL DATA

The controller processes personal data on one of the following legal bases, depending on the purpose:

Contractual obligations

The controller processes personal data for the purposes of concluding and performing a contract in cases where the data subject orders or purchases any of the controller’s products and/or programmes.

In the context of contractual obligations, the Controller sends SMS messages in the following cases:

where the customer opts for payment via UPN, in which case the controller provides the customer with the payment details via SMS; and
to inform customers regarding the processing of their orders (e.g. in case of delay in dispatch, etc.).

Consent

The controller processes personal data on the basis of the data subject’s consent in cases where the data subject subscribes to receive the controller’s regular communications/newsletters, to a prize draw, or where the data subject uploads a prescription or an opinion to the controller’s website. Consent is also used to send notifications via SMS (e.g. when a user leaves the shopping basket on the Controller’s website without completing a purchase).

The individual may withdraw his/her consent at any time without adverse consequences. He or she may do so by using the opt-out options contained in the individual message or by contacting the Controller in accordance with the contact details set out in this Policy.

Legal obligations

In certain cases, the processing of personal data is necessary for the fulfilment of the controller’s legal obligations (e.g. processing of personal data for the invoicing of purchased goods/services).

Legitimate interest

The controller uses legitimate interest as a legal basis for the processing of personal data in the case of sending emails when a user leaves the shopping cart on the controller’s website without completing the purchase, and in cases where the controller processes personal data of website visitors in order to prevent, detect and sanction any abuse or attempted abuse of the controller’s website.

STORAGE AND DELETION

The personal data contained in the user profile are retained by the controller for as long as the user is registered on the controller’s websites.

Personal data processed on the basis of consent are stored permanently or until the individual withdraws consent.

The controller shall keep data on invoices issued for 10 years from the date of issue.

Data necessary for the conclusion and performance of a contract between the controller and the purchaser of products/programmes shall be kept for 5 years from the performance of the contract.

Upon expiry of the above retention periods, the personal data shall be erased or anonymised, which means that the controller shall modify them in such a way that the data can no longer be linked to the data subject.

VOLUNTARY NATURE OF DATA PROVISION AND CONSEQUENCES OF NON-PROVISION

The provision of personal data is voluntary. If the data subject does not provide his/her personal data, he/she cannot benefit from certain services of the controller (e.g. it is not possible to conclude a contract for the purchase of products/programmes, as the personal data are necessary for the delivery of the order and the invoicing).

ACCESS TO PERSONAL DATA

The controller does not disclose or make available personal data to unauthorised third parties. Outside the Controller – Malinca d.o.o., access to personal data is granted only to those persons who have concluded a written contract with the Controller for the processing of personal data, on the basis of which they carry out certain tasks related to the processing of data and are obliged to comply with the legislation and the Controller’s requirements regarding the processing and protection of personal data (so-called contractual processors).

The contractual processors who process personal data on behalf of the controller are:

marketing service providers;
providers of email messaging services;
providers of text messaging services;
software solution providers;
delivery services.

Contractual processors may only process personal data in the context of the controller’s instructions and may not process personal data for their own purposes. They are obliged, together with their employees, to protect the confidentiality of personal data.

THE RIGHTS OF INDIVIDUALS

An individual who wishes to exercise any of his or her rights relating to his or her personal data or who has any questions concerning the processing of his or her personal data may do so at any time using the contact details provided in the introduction to this Policy.

The Controller will request additional information from the data subject for the purpose of reliable identification in the event of the exercise of rights relating to personal data, and may refuse to act only if it proves that the data subject cannot be reliably identified.

The controller undertakes to respond to a request from an individual to exercise any of the rights set out below within 30 days at the latest. If the request cannot be complied with in full within the time limit, the controller shall inform the data subject thereof, together with an explanation.

Right to information

The data subject has the right to be informed of what personal data the controller processes, on what basis, for what purpose and for how long it is kept.

Right to be forgotten

If the data subject no longer wishes the controller to store and process his or her personal data, and provided that there are no other legal grounds for their continued storage and processing, he or she may, at any time, request the controller to erase such personal data.

Right to request rectification, erasure or lodge a complaint

The data subject may, at any time, request the rectification or erasure of personal data and lodge a complaint concerning the processing of personal data concerning him or her by the controller, using the contact details provided in this Policy.

The data subject may unsubscribe at any time from the mailing list, using the contact details provided in this Policy or by clicking on the link at the bottom of the promotional emails.

Registered users may stop using the Online Shop at any time and may cancel their registration. They can do so by giving written notice of the cancellation of their registration.

Before cancelling the registration, the user must pay to the operator any outstanding balance due from purchases made in the online shop. The Controller will protect the confidentiality of personal data and the privacy of the users of the online shop within the scope of this Policy, even in the event of cancellation of registration.

Right of portability

The data subject may request the controller to provide him or her with personal data concerning him or her that he or she has provided to the controller in a structured, commonly used and machine-readable format.

Right to a remedy and sanctions

The data subject has the right to lodge a complaint with a supervisory authority (the Information Commissioner of the Republic of Slovenia), as well as the right to seek legal remedies against a decision of the supervisory authority or in the event of inaction by the supervisory authority.

In any event, the controller asks that the individual first exercise his or her right to lodge a complaint directly with the controller.

Rights relating to automated processing

The data subject has the right not to be subjected to measures resulting solely from profiling, analysis or predictions made using automated means of processing. In this case, the individual may lodge a complaint with the controller.

Right to withdraw consent

The data subject shall have the right to withdraw the consent to further processing of personal data where the processing is based on consent (e.g. in the case of receipt of promotional communications).

Any changes to the Privacy Policy will be published on this website.

Updated: 29.01.2025