Carmec d.o.o. pays special attention to the processing of personal data. All forwarded personal data are treated confidentially and only used for the purpose for which they had been forwarded. The company handles personal data with maximum diligence, taking into account the applicable legislation and the highest processing standards. Among other things, it ensures personal data security with appropriate organisational measures, working procedures and appropriate technological solutions. The aim is to maximise the efficiency of personal data protection by using the appropriate level of protection and reasonable physical, electronic and administrative measures to protect the collected data against unintentional or illegal destruction, loss, alteration, unauthorised disclosure of personal data or unauthorised access to personal data that had been transferred, stored or otherwise processed.
- the company’s contact information,
- purposes, bases and types of processing of different types of personal data of the data subjects,
- time of storage of individual types of personal data,
- data subject’s rights related to personal data processing,
(Information on personal data controller and contact data)
The controller’s phone number is +386 5 305 44 68 and the e-mail address is email@example.com.
The company collects no data on the visitors of its website.
The company collects the following data on the data subjects who subscribe to the E-newsletter:
The company collects the following data on the data subjects who submit inquiries about individual products:
- item no.
(Data subject categories)
(The purposes and the bases for the processing of personal data - based on a contract)
In the framework of exercising the contractual rights and meeting the contractual obligations, the company processes personal data for the following purposes: data subject identification, preparation of an offer, conclusion of a contract, provision of ordered services, provision of information about potential changes, additional details and instructions for the use of services, charging of services and for other purposes needed for performing or concluding the contractual relationship between the company and the data subject.
When charging for the services based on the applicable tax provisions, the company also obtains and processes the address needed to issue the invoice correctly.
(The purposes and the bases for the processing of personal data - based on legitimate interest)
Based on legitimate interest, personal data are used for detecting and preventing abuse, in the framework of maintaining a stable and secure operation of the system and the services and also for the purpose of implementing the information safety measures, fulfilment of requirements related to the quality of services and detection of technical defects in the systems or services. In line with the General Data Protection Regulation, the company is entitled to process the data on the data subjects for the purpose of identifying and preventing potential fraud or abuse and to forward such data to other providers of such services, business partners, the police, the state prosecutor or other competent authorities in the case of suspected abuse in the appropriate and proportional scope. For the purpose of preventing future fraud or abuse, the data on the history of established fraud or abuse in relation to a data subject, including the data on subscriptions, can be stored for five years after the termination of the business relationship.
(The purposes and the bases for the processing of personal data - based on consent to process personal data)
The processing of personal data can also be based on a data subject’s consent submitted to the company.
The consent is related to providing information about the offers, campaigns and other new developments in the area of the company’s operations. The purpose of providing such information is for the company to inform the data subject of the issues that could be interesting for them.
or by sending a written request to the address of the company’s registered office.
The withdrawal or change of consent only refers to the data processed on the basis of a consent. The last consent received by the company shall be deemed valid.
A cancellation of consent does not affect the legality of data processing which took place on the basis of the consent until it was cancelled.
(Restriction of personal data forwarding)
If necessary, the company will authorise other companies and individuals for the performance of certain operations that contribute to its services. In such case, the company can also forward personal data to such carefully selected external processors that will sign a personal data processing contract with the company or a substantively similar agreement or other binding document (hereinafter: the Processing Contract). The company shall forward such data or make them available to such outsourced processors only in the scope required for the specific purpose. The outsourced processor may not use such data for any other purposes and must meet at least all personal data processing standards foreseen by the applicable legislation. The outsourced processors are contractually bound to the company to comply with the confidentiality requirements regarding your personal data.
Based on a grounded request, the company forwards personal data to the competent state bodies on appropriate legal basis. The company will respond to the requests by the courts and law-enforcement authorities, which can include the national authorities of other EU Member States.
(Period of personal data storage)
The period of storage is specified for the category of individual data. Personal data are stored for as long as necessary to achieve the purpose for which they have been collected or further processed or until the expiry of the periods foreseen for meeting the obligations or the storage periods foreseen by the law.
The accounting data and the related contact data on data subjects can be stored for the purpose of meeting the contractual obligations until full repayment of the service or no longer than until the expiry of the periods foreseen for individual claims, which is between one and five years pursuant to the law. The invoices are kept for ten years after the end of the year to which they refer pursuant to the law regulating value added tax.
Other data obtained on the basis of a consent are stored until revocation.
After the expiry of the storage period, data are erased, destroyed, blocked or made anonymous unless stipulated otherwise by the law for individual types of data.
(Rights of data subjects related to personal data processing)
The company grants the following rights to data subjects in respect of the processing of their personal data:
a) the right to access data,
b) the right to rectification,
c) the right to erasure (‘right to be forgotten’),
d) the right to restriction of processing,
e) the right to data portability,
f) the right to objection,
g) the right of appeal.
The company provides for the exercising of these rights in relation to personal data processing without undue delay. The matter shall be decided within one month of receiving the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The company shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
The requests related to the exercising of the data subject’s rights can be sent to the company’s e-mail address firstname.lastname@example.org or via regular mail to Carmec d.o.o., Miren 227 A, 5291 Miren.
Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
Where the company has reasonable doubts concerning the identity of the natural person making the request relating to any of the rights, the company may request the provision of additional information necessary to confirm the identity of the data subject.
If the requests of the data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the company may charge a reasonable fee based on administrative costs of forwarding information or messages or implementing a required measure, or refuse to take any action in relation to the matter.
(Right to access data)
The data subject shall have the right to obtain from the company confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the type of personal data to be processed;
- the users or categories of users to whom personal data have been or will be disclosed;
- the anticipated period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source.
(Right to rectification)
The data subject shall have the right to obtain from the company without undue delay the rectification of inaccurate personal data concerning him or her and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
(Right to erasure (‘right to be forgotten’))
The data subject shall have the right to obtain from the company the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data were processed illegally;
- the personal data must be deleted to meet a legal obligation under the EU or the Slovenian law.
(Right to restriction of processing)
The data subject shall have the right to obtain from the company restriction of personal data processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the company to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pending the verification whether the legitimate grounds of the company override those of the data subject.
Where processing has been restricted under the previous paragraph, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.
A data subject shall be informed by the company before the restriction of processing is lifted.
(Right to data portability)
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the company, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the company to which the personal data have been provided, where processing is based on their consent and is carried out with automated means. At the data subject’s request, personal data can be transmitted directly from one controller to another, where technically feasible.
(Right to object)
Where personal data might lawfully be processed based on the legal interest for the purpose of marketing, a data subject can object to such processing at any time.
The company shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the data subject’s interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
(Right of data subjects to file complaints related to personal data processing)
A data subject may file a complaint to the data protection officer if he or she believes that their personal data are processed contrary to the Slovenian or the EU regulations governing personal data protection.
If a data subject claimed the right to access the data and believed, after receiving the decision, that the received personal data were not the data they requested or that they did not receive all requested data, they have the right to lodge a grounded complaint with the company’s data protection officer within 15 days, prior to filing a complaint with the Information Commissioner. The company must decide on such a complaint as a new request within five business days.