Privacy Statement


PERSONAL DATA PROTECTION POLICY

The purpose of the Personal Data Protection Policy is to inform individuals, service users, colleagues, employees and other persons (hereinafter referred to as "Data Subject") who interact with Kibuba, d.o.o. (hereinafter referred to as "Company") about the purposes, legal bases, safeguards and rights in relation to the processing of personal data carried out by our company.
Your privacy is of utmost importance to us, therefore your personal data is being carefully protected at all times.
The personal data processing is done in accordance with European legislation (Regulation (EU) 2016/697 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "GDPR")), applicable Slovenian legislation in the field of personal data protection and other legislation that provides us with a legal basis for processing personal data.

Definitions
"Company" KIBUBA, družba za trgovino in založništvo, d.o.o., Selo pri Vodicah 11c, 1217 Vodice, Slovenia;
"You" indicates the user of the Website and/or Online Store;
"User" indicates the user of the Website and/or Online Store regardless of gender;
"Cookies" are small text files that are installed on your computer's hard drive when you visit our Website and allow us to collect information about your activities on the Website and identify your computer;
"Personal Information" indicates the information provided by you, as well as any information relating to your activities on the Website.

1. Data Controller

The Data Controller is the Company:
Kibuba d.o.o. 
Selo pri Vodicah 11c
1217 Vodice
phone: +386 40 166 484
e-mail: info@kibuba.eu

2. Data Protection Officer  

In accordance with Article 37 of GDPR, we have appointed the following company as the Data Protection Officer:
DATAINFO.SI, d.o.o.
Tržaška cesta 85, SI-2000 Maribor
https://datainfo.si
e-mail: dpo@datainfo.si
phone: +386 (0) 2 620 4 300

3. Personal data

Personal data means any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

4. Purposes and grounds for data processing

The Company collects and processes your personal data on the following legal bases:
  • processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
  • processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
  • processing is necessary for the purposes of the legitimate interests pursued by Data Controller or by a third party;
  • the Data Subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary in order to protect the vital interests of the Data Subject or of another natural person.


4.1 Fulfilling a legal obligation

Based on the provisions of the law, the Company processes data on its employees, as allowed by labour and social security legislation. Based on legal obligation, the Company processes the following types of personal data for recruitment purposes: first and last name, gender, date of birth, registration number, tax number, place, municipality and country of birth, nationality, place of residence, etc.


4.2 Performance of the contract

When the Data Subject enters into contract with the Company, this constitutes the legal basis for processing of personal data. We may process personal data for the conclusion and performance of the contract, such as the sale of goods and services, VIP club memberships, participation in events, courses, promotions, etc. If the Data Subject does not provide the personal data, the Company cannot conclude the contract, nor can the Company perform the service or deliver the goods in accordance with the contract. The Company may, on the basis of carrying out legitimate activities, inform Data Subjects and users of its services, events, courses, offers and other content by sending an email to their email address. The Data Subject may at any time request the suspension of such communication and processing of personal data and may withdraw from the newsletter by clicking on the unsubscribe link provided in the e-mail, or by sending a request via email to info@kibuba.eu or via regular mail to the Company's address.


4.3 Legitimate interest

The Company may also process personal data on the basis of a legitimate interest pursued by the Company. The latter shall not be admissible where such interests are overridden by interests or the fundamental rights and freedoms of the Data Subject, which require the protection of personal data. Where legitimate interest applies, the Company shall always carry out an assessment in accordance with GDPR. Processing personal data for direct marketing purposes may be regarded as carried out to pursue a legitimate interest. The Company may process personal data of individuals collected from publicly accessible sources or in the course of the legitimate exercise of its activities, including for the purposes of offering goods, services, employment, benefits and discount information, events, etc. To achieve these purposes, the Company may use mail, telephone calls, e-mail and other means of telecommunication. For direct marketing purposes, the Company may process the following personal data of Data Subjects: name and surname, address of permanent or temporary residence, telephone number and e-mail address. For direct marketing purposes, the Company may also process the personal data referred to above without the explicit consent of the Data Subject. The Data Subject may at any time request the suspension of such communication and processing of personal data and may withdraw from the newsletter by clicking on the unsubscribe link provided in the e-mail, or by sending a request via email to info@kibuba.eu or via regular mail to the Company's address.

4.4 Processing on the basis of consent or agreement

If the Company does not have a legal basis based on the law, a contractual obligation or a legitimate interest, it may ask the Data Subject for consent or agreement. It may also process certain personal data of the Data Subject for the following purposes when given consent:
  • home address and email address for information and communication purposes;
  • photographs, videos and other content relating to the Data Subject (e.g. posting images of Data Subjects on the Company's website) for the purposes of documenting activities and informing the public about the Company's work and events;
  • other purposes for which the Data Subject consents.
If the Data Subject has given consent to the processing of personal data and at some point no longer wishes to do so, the Data Subject may request that the processing of personal data be terminated by sending a request by e-mail to info@kibuba.eu or by regular mail to the Company's address. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

4.5 Processing is necessary to protect the vital interests of the Data Subject

The Company may process the personal data of the Data Subject insofar as this is necessary to protect the Data Subject’s interests. In urgent cases, the Company may look up the Data Subject's ID, check whether that person is entered in its database, examine the Data Subject’s medical history or contact the Data Subject's relatives, without the need for the Data Subject's consent. This applies only when strictly necessary to protect vital interests of the Data Subject.

5. Retention and deletion of personal data

The Company will only keep personal data for as long as necessary to fulfil the purpose for which the personal data was collected and processed. If the Company processes the data on the basis of the law, the data shall be stored for the period prescribed by the law. In this case, some data is stored for the duration of the engagement with the Company, while some data must be stored permanently. Personal data processed by the Company on the basis of a contractual relationship with the Data Subject shall be kept by the Company for the period necessary for the performance of the contract and for 6 years after its termination, except in cases where there is a dispute between the Data Subject and the Company in relation to the contract. In such a case, the Company shall keep the data for 10 years after the final decision of the court, arbitration or court settlement or, if there was no court dispute, for 5 years from the date of amicable settlement of the dispute. The personal data that are processed by the Company on the basis of the Data Subject's personal consent or legitimate interest will be kept by the Company until the consent is withdrawn or a request for data deletion is received. Upon receiving the consent withdrawal or a deletion request, the data shall be deleted within 15 days at the latest. The Company may also delete this data before withdrawal where the purpose of the processing of personal data has been achieved or where required by law.

As an exception, the Company may refuse a deletion request on the grounds set out in GDPR, such as the following: exercise of the right to freedom of expression and information, compliance with a legal obligation to process, grounds of public interest in the field of public health, archiving purposes in public interest, scientific or historical research purposes or statistical purposes, exercise or defence of legal claims. After the retention period, the Company must effectively and permanently delete or anonymise the personal data so that it can no longer be linked to a specific Data Subject.

6. Subcontracting personal data processing and data export

The Company may entrust processing of personal data to a contractual processor on the basis of a data processing agreement. Contractual data processors may process the entrusted data solely on behalf of the controller, within the limits of the controller's authorisation, as set out in a written contract or other legal act, and in accordance with the purposes set out in this Privacy Policy.

The contractual data processors with which the Company cooperates are mainly:
  • accounting services and other providers of legal and business counseling;
  • infrastructure maintainers;
  • information systems maintainers;
  • providers of e-mail services, software and cloud services;
  • social networking and online advertising providers (Google, Facebook, Instagram, etc.).
To improve the overview and control of the contractual data processors and the regularity of the contractual relationship between them, the Company also keeps a list of all contractual data processors with which it cooperates.
Under no circumstances shall the Company disclose the personal data of a Data Subject to unauthorised third parties. Contract data processors may only process personal data within the scope of the Company's instructions and may not use personal data for any other purpose.
The Company as a controller and its employees do not export personal data to third countries (outside the Member States of the European Economic Area – EU Member States plus Iceland, Norway and Liechtenstein) and to international organisations, except to the US, where the relationship with US contractual data processors is governed by standard contractual clauses (standard contracts adopted by the European Commission) and/or binding corporate rules (adopted by the Company and approved by supervisory authorities in the EU).

For more information on the EU-US Privacy Shield, see the Information Commissioner's website: https://www.ip-rs.si/varstvo-osebnih-podatkov/obveznosti-upravljavcev/prenos-osebnih-podatkov-v-tretje-drzave-in-mednarodne-organizacije/ 

7. Data protection and data accuracy

The Company is responsible for information and infrastructure security (premises and system software). The Company’s IT systems are protected by, among others, antivirus software and a firewall. We have put in place appropriate organisational and technical security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, and against other unlawful and unauthorised forms of processing. Specific types of personal data are provided in an encrypted and password-protected form.
It is the Data Subject's responsibility to provide the personal data safely and to ensure that the data provided is accurate and reliable. The Company will endeavour to ensure that the personal data it processes is accurate and, where necessary, kept up to date, and the Company may from time to time contact the Data Subject to confirm the accuracy of personal data.

8. Rights of the Data Subject with regard to data processing

Under GDPR, the Data Subject has the following data protection rights:
  • to request information about whether we hold the Data Subject’s personal data, if so, what data we hold, on what basis we hold it and why we use it;
  • to request access to personal data, which allows the Data Subject to receive a copy of the personal data held by the Company and to check whether the Company is processing it lawfully;
  • to request rectification of personal data, such as the rectification of incomplete or inaccurate personal data;
  • to request erasure of personal data where there is no longer any reason for further processing or where the Data Subject exercises the right to object to further processing;
  • to object to further processing of personal data where the Company relies on legitimate business interest (including in the case of legitimate interest of a third party), where there are grounds relating to the particular situation of the Data Subject; the Data Subject has the right to object at any time if the Company processes personal data for direct marketing purposes;
  • to request the restriction of the processing of his or her personal data, which means suspension of processing of personal data, for example if the Data Subject requests that the Company establish the accuracy of personal data or verify the grounds for its further processing;
  • to request transfer of personal data in a structured electronic format to another controller, insofar as this is possible and feasible;
  • to withdraw the consent or agreement for collection, processing and transfer of personal data for a specific purpose; upon notification of the Data Subject’s withdrawal of consent, the Company shall cease to process the personal data for the purposes for which the Data Subject originally gave consent, unless the Company has another legal basis to do so lawfully.
If the Data Subject wishes to exercise any of the above rights, the Data Subject may send a request by email to info@kibuba.eu or by mail to the Company's address. The Company will respond to a request concerning the rights of the Data Subject without undue delay and in any event within one month of receipt of the request. Should this deadline be extended (by up to two additional months) on account of the complexity and number of requests, the Data Subject will be notified. Access to personal data and exercising the rights shall be free of charge for the Data Subject. However, the Company may charge a reasonable fee if the Data Subject's request is manifestly unfounded or excessive, in particular if it is repetitive. In such a case, the Company may also refuse the request. When rights under this heading are being exercised, the Company may need to request certain information from the Data Subject to help confirm the Data Subject's identity, which is only a precautionary measure to ensure that personal data is not disclosed to unauthorised persons.

To exercise their rights under this heading, Data Subjects can use the Information Commissioner's form, which is available on their website. Link: https://www.ip-rs.si/fileadmin/user_upload/doc/obrazci/ZVOP/Zahteva_za_seznanitev_z_lastnimi_osebnimi_podatki.docx

Where the Data Subject considers that his or her rights under this Regulation have been infringed, the Data Subject may seek protection or assistance from a supervisory authority (the Information Commissioner). Link: https://www.ip-rs.si/zakonodaja/reforma-evropskega-zakonodajnega-okvira-za-varstvo-osebnih-podatkov/klju%C4%8Dna-podro%C4%8Dja-uredbe/prijava-kr%C5%A1itev

If you have any questions regarding the processing of your personal data, you can always contact our company via email at info@kibuba.eu or via mail sent to our company address.

9. Subscription to e-news:

If you want to receive notifications and information about our services and activities, you can subscribe to our e-news on our website or when registering to our system in one of our stores. Kibuba d.o.o. will inform you via e-mail or phone about the news in the field of services we provide, about actions or prize-winning games, that are directly linked to Kibuba d.o.o. or its services. We will send you news approximately twice a week.
The data are processed on the basis of your consent, and you can cancel your consent to receive advertisements at any time. For more information about your direct marketing rights, see "Your rights."
If you do not want to receive e-news via email, you can unsubscribe using the automatic unsubscribe link in the electronic newsletter, or send us an email with content "UNSUBSCRIBE" to the e-mail address: info@kibuba.eu. If you no longer wish to receive notifications by phone, you can call this number: +386 40 166 484.

10. Registration to the loyalty program:

When registering to our loyalty program and for the needs of our loyalty program called "cones", the company collects the following personal data:

natural person / legal person,
first name,
surname,
gender,
year of birth,
address,
postal code,
city,
country,
phone number,
e-mail,
tax number of the company.

Users are responsible for the accuracy of the provided data.

When a user registers into our loyalty program, we collect information about all of the user's purchases that the user agrees may be entered into the loyalty program.

Users have the ability to write opinions, review products and upload their product photos. When publishing a review, the name and first letter of the surname of the user will appear publicly, as well as the city specified by the user when registering.

11. Participation in prize-winning games

When participating in prize-winning games or online campaigns, the first name and surname of participants and winners will be made public.
By registering to the loyalty program, participating in prize-winning games and subscribing to e-news, the user permits Kibuba d.o.o. to process and store the personal data in accordance with the Personal Data Protection Act.

With this consent, the user permits Kibuba d.o.o. to process the collected personal data for the purpose of sampling, surveying and statistical data processing, for determining the use of services, adapting the offer and segmentation, for market research, informing about the products, novelties and special offers, for sending e-news and other advertising materials, informing users and related persons about the services available on the website www.kibuba.eu and provided by the company Kibuba d.o.o., and for other uses of the collected data, when the user of the website agrees.

The collected data will not be transmitted to third parties.
The personal data settings can be changed by the user at any time under the My Data tab at www.kibuba.eu.

12. Cookies


About cookies

What are cookies and why are they needed?
A cookie is a short text sent from the website to the browser during your visit. This way, the website recognizes you, remembers the information about your visit, and provides you with a user-friendly and simple web service. By using cookies, we customize the content on our website, remember your preferences and record the visits of our online store. Cookies enable browsing through our online store to be more comfortable, quicker and more effective.
Kibuba can use the data in an anonymous summarized form for the purposes of statistical analysis. In no case will Kibuba hand over the data about the user to unauthorized persons. We will provide the delivery service (e.g. Pošta Slovenije) with the user's delivery address. We will contact the user via telecommunication means only if the user does not object to this.


The list of cookies we use

Basic website operation:
  • PHPSESSID, provider Kibuba, valid until closing the browser
  • cc_id, provider Kibuba, valid for 30 months
  • cookieconsent_dismissed, provider Kibuba, valid for 1 year
Advertising:
  • NID, provider Google.com, valid for 2 days
  • IDE, provider Google.com, valid until closing the browser
  • eid, provider Criteo, valid until closing the browser
  • uid, provider Criteo, valid for 1 year
Analytics:
  • DV, provider Google.com, valid until closing the browser
  • __utma, provider Google.com, valid for 2 days
  • __utmb, provider Google.com, valid until closing the browser
  • __utmc, provider Google.com, valid until closing the browser
  • __utmt, provider Google.com, valid until closing the browser
  • __utmz, provider Google.com, valid for 2 days
Facebook:
  • no name, provider Facebook, valid until closing the browser
  • datr, provider Facebook, valid until closing the browser
  • fr, provider Facebook, valid for 3 months
  • reg_fb_gate, provider Facebook, valid until closing the browser
  • reg_fb_ref, provider Facebook, valid until closing the browser
  • sb, provider Facebook, valid for 2 years


Cookie control

Consent of the user is needed for the use and acquisition of some cookies. You can change your preferences about accepting or rejecting cookies at any time. These settings are usually located in the browser's menu bar: Tools > Internet Options, "Privacy" or "Security" section. The user can change the settings about the types of cookies he/she wants to block.
You can also delete cookies via the browser. Deletion is usually available in the tools, under the option "delete browsing data" (you can usually also access this window with the key combination CTRL + Shift + Del), where you choose to delete cookies.

In some browsers, you can generally reject the use of cookies by choosing the option "do-not-track."


13. Publication of amendments

Any changes to our Personal Data Protection Policy will be published on our website: www.kibuba.eu. By using the website, the Data Subject confirms that he or she accepts and agrees to the entire content of this Privacy Policy.
 
The Personal Data Protection Policy was adopted by the responsible person of the Company on 31.07.2020.
 
At Selo pri Vodicah, on 31 July 2020                          Responsible person of the Company: Petra Stritar Pečar

