PERSONAL DATA PROTECTION at DOREWE doo
At DoReWe, we ensure the protection of personal data of all individuals in accordance with the Personal Data Protection Act (ZVOP-1) and the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR Regulation).
Personal data controller
The controller of personal data is DoReWe, music center, doo, Mestni trg 10, 1000 Ljubljana.
Purposes of personal data processing
These provisions apply to the processing and use of any personal data by the controller.
We may use your personal data for one or more of the following purposes:
-
Communicating with you regarding the provision of our services and responding to your inquiries;
-
Conclusion of the contract and fulfillment of the obligations arising from the concluded contract;
-
Marketing communication (sending e-mail, regular mail and SMS messages);
-
Marketing communication based on customized or individualized offers and messages, based on the creation of user profiles or classification into groups, each of which can receive marketing communications with different content. When creating profiles, we also monitor the individual's activity (such as the time the individual spends on certain content, which content they are interested in and the opening of e-mail messages) as well as the frequency and value of past purchases;
-
To enforce any legal claims and resolve disputes;
-
For statistical analyzes on the sale of our goods/services and on the use of our websites;
Legal basis for processing personal data
We may process your personal data on the following legal bases:
-
When this is necessary to fulfill our legal obligations (e.g. issuing invoices for purchased goods or services);
-
When the processing of your personal data is necessary for the conclusion and fulfillment of the contract you concluded with us or because you wanted an offer from us;
-
When you have given your consent to the processing of your personal data for an individual processing purpose, where you always have the right to withdraw the given consent (e.g. for personalized information about our offer based on profiling);
-
When we have a legitimate interest in processing your personal data (when we send you an e-mail in the event that you have left the shopping cart on our website without completing the purchase, you have indicated an interest in education,...).
Types of personal data processed
We process the following personal data:
-
Basic contact information (name, surname, address, telephone number, e-mail address, etc.);
-
Information about the use of our websites (clicks on links, time spent) and information regarding the response to our e-mail messages (whether the message was opened, which links were clicked);
-
The information we need to fulfill the contract and deliver the purchased goods (item of purchase, price, delivery address, delivery time, payment method, payment date, information on complaints, information on the issued invoice, registration number, etc.).
Personal data retention period
We keep basic personal data as long as you have the status of our registered user on our websites, subscribe to our news or use our services. We store personal data that we process based on your consent permanently or until you revoke this consent. We keep data on issued invoices for 10 years from the date of issue. We keep the data necessary for the conclusion and fulfillment of the contract between you and us for another 5 years from the fulfillment of the contract. After the retention period has expired, we effectively delete or anonymize personal data, which means that we process them in such a way that they can no longer be linked to you or attributed to you.
Access to personal data
We do not pass on your personal data to third parties (outside DoReWe doo) except for those who have a written contract with us, on the basis of which they carry out certain tasks related to data processing and are obliged to comply with the legislation regarding processing and protection personal data (these contract processors). The contractual processors to whom we provide personal data are marketing service providers and providers of sending e-mail messages. Contract processors may only process personal data within the framework of our instructions and may not process personal data for their own purposes. Together with their employees, they are committed to protecting the confidentiality of your personal data.
Voluntary provision of data and consequences of non-transmission
Providing personal data is voluntary. You are not obliged to provide us with personal data, but if you do not provide it, you cannot receive certain services or enter into a contract with us. We will indicate which data are such that their non-transmission causes the stated consequences each time we obtain personal data from you.
Rights in relation to personal data
Regarding your personal data, you have the right to request from us at any time:
-
Confirmation of whether we are processing your personal data;
-
Access to personal data and the following information: processing purposes; types of personal data; users or categories of users to whom personal data has been or will be disclosed, especially users in third countries or international organizations; the intended period of retention of personal data or, if this is not possible, the criteria used to determine this period; the existence of automated decision-making, including profiling and the reasons for it, as well as the meaning and intended consequences of such processing for you;
-
One (free of charge) copy of personal data in the form you determine yourself (if the request is made by electronic means of communication and you do not request otherwise, the copy will be provided in electronic form); we may charge a reasonable fee for any additional copies you request, taking account of costs;
-
Correction of inaccurate personal data;
-
Limitation of processing when:
- you dispute the accuracy of personal data, namely for a period that allows us to verify the accuracy of personal data;
- the processing is illegal and you object to the deletion of personal data and request a restriction of their use instead;
- we no longer need personal data for processing purposes, but you need them to assert, implement or defend legal claims; -
Deletion of all personal data (right to be forgotten), if the assumptions from Article 17 of the General Data Protection Regulation are met, and especially in case, when you revoke your consent to the processing of personal data;
-
Printout of personal data in a structured, commonly used and machine-readable format, with the right to forward this data to dcu without us hindering you in doing so;
o stop using personal data for direct marketing purposes, including creating profiles; -
That you are not subject to a decision based solely on automated processing, including the creation of profiles if the assumptions from Article 22 are met
In accordance with the General Data Protection Regulation, you have the right to file a complaint against us with the Information Commissioner if you believe that the processing of your personal data violates the General Data Protection Regulation.
Procedure for exercising rights
You can address your requests regarding the exercise of rights in relation to personal data in writing to any contact listed at the top of this document under Personal data controller and contact information. For the purposes of reliable identification in the case of exercising rights in relation to personal data, we may request additional information from you, and we may refuse to take action only if we prove that we cannot reliably identify you. We must respond to your request to exercise your rights in relation to personal data without undue delay and no later than one month after receiving your request.