Privacy in the Oman Printing online system
This document represents the personal data protection policy in accordance with the General Data Protection Regulation (GDPR) for company TISKARNA OMAN PETER OMAN S.P., which acts as the data controller (hereinafter: Controller).
The Controller manages a set of online services (hereinafter: Services) for advertising, promotion, marketing and sales (www.omantisk.si). In pursuit of its business, the Controller processes and stores personal data of users of Services (hereinafter: Individual).
The Individual uses Services provided by the Controller for their own benefit, at their own responsibility, and voluntarily. In the same way, the Individual shares their personal data with the Controller, as the Controller requires as much information as possible to provide the highest quality of Service; by submitting personal data to the Controller, the Individual personalises their user experience when using the Services.
The Controller undertakes to handle personal, sensitive and commercially sensitive information in a legal and correct manner, which is necessary for the successful operation and quality of the Services.
We are committed to the principles regarding the processing of personal data of Individuals, which are:
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- storage limitation
- integrity and confidentiality
To ensure quality Services and to fulfil legal obligations, the Controller must collect, store and handle the Individual’s personal data in accordance with the principles of processing of personal data.
To ensure legislative compliance, the Controller must have legitimate grounds for processing (collection, use, controlling or disclosure) of personal data. In certain circumstances, the Individual’s consent is not required.
The data protection policy explains and ensures legislative compliance. For the avoidance of doubt, this document aims to provide a detailed and intelligible explanation, in order to reduce risk and thereby protect the Individual.
The General Data Protection Regulation requires a clear, intelligible and transparent explanation of the types of processing of the Individual’s personal data, which is provided in this document, thereby establishing legislative compliance.
Collection of personal data
The Controller collects data in accordance with the data protection policy. This applies to personal data collected in person, by telephone or electronically via forms.
When collecting personal data, the Controller provides the Individual, if possible, with clear and intelligible explanations of the personal data collected, the purposes for which it will be used, the consequences of not providing consent to personal data processing, and the parties to which such data could be disclosed.
The above items ensure that the Individual has sufficient information to provide their consent.
There are situations when personal data collection is implicit, e.g. when communicating with support services via telephone or e-mail, as personal data is necessary for processing the request.
Storage of personal data
Personal data and records of Individuals are stored securely, and can be accessed only by authorised individuals (employees).
Personal data shall be stored only as long as is necessary for processing. Data that is no longer necessary for further processing shall be disposed of in accordance with the law.
Access to Individual’s data
Every individual is entitled to obtain information on the Individual’s personal data stored by the Controller. The Controller shall implement measures to ensure currency of such data by submitting questions regarding changes to the Individual.
All Controller’s employees are obligated to ensure that the Individual’s personal data is correct and objective.
The Controller shall also ensure the following:
- It has appointed a data protection officer, who shall ensure compliance with this personal data protection policy.
- Anyone processing personal data understands that they are responsible for respecting good practice for data protection.
- Anyone processing personal data is provided appropriate training in personal data processing.
- Anyone processing personal data is appropriately supervised.
- Anyone processing personal data shall report any suspicious or actual misuse of data, using the procedure for reporting a data breach.
- Instructions for obtaining information on personal data processing are presented clearly and intelligibly.
- Information on personal data processing is clearly presented.
- The Controller shall regularly review and correct procedures and methods of personal data processing to ensure their legislative compliance.
- The Controller regularly reviews and assesses methods and performance regarding personal data processing.
- All Controller’s employees and contractors are aware that any misuse or failure to follow rules and procedures defined herein can result in disciplinary proceedings.
According to the General Data Protection Regulation, there must be a legitimate basis for personal data processing before personal data can be processed. If there is no other legitimate purpose, the Individual must consent to personal data processing.
Personal data processing is considered lawful if:
- Personal data processing is necessary for the performance of the contract with the Individual, or for concluding a contract with the Individual. For example, purchase of product or similar transaction.
- Personal data processing is necessary to fulfil legal obligations.
- Personal data processing is necessary to protect the interests of the Individual or other person.
- Personal data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
- Personal data processing is necessary for the purposes of the legitimate interests pursued by the Controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the Individual.
- The Controller has obtained the Individual’s consent.
The consent is considered valid if:
- It is given voluntarily. The Individual has a choice and can control how their personal data is processed.
- The consent is specific and informed. The Individual understands all purposes of personal data processing. If there are several processing purposes, consent must be given for each purpose.
- The consent is unambiguous: The Individual knows what they are consenting to and has given their consent.
- The consent is given as an intentional action by the Individual, e.g., signature, verbally, electronic choice.
The consent can be implied, e.g., by filling out a questionnaire. Personal data obtained via a questionnaire can only be processed for the purposes listed on the questionnaire. Personal data cannot be used for any other manner of data processing, unless the Individual gives a special consent for a different manner of data processing.
The consent can be construed as agreement on continued communication between the Controller and the Individual. For example, in the event of personal data collection for one type of service, and the Controller offers a second, similar service, it is reasonable for the Controller to contact the Individual regarding the second service if it provides the option to withdraw the consent for communication regarding the second service.
OBTAINING, STORING AND MANAGING CONSENTS
The consent must be clear and identifiable from other matters, and written in legible form in clear and intelligible language.
It must clearly show who is giving the consent, when it was given, how it was given, for what purpose, and when the Individual withdrew the consent.
If the Individual is still interacting with the Controller in a manner for which the Individual has already given their consent for personal data processing, the consent is considered valid. If the Individual is no longer interacting with the Controller, a consent may be required after re-establishing the interaction, depending on the time of the last interaction.
When the consent is given in accordance with Directive 95/46/EC, the Individual is not required to give another consent for data processing if the consent was given in a manner that complies with the provisions of the applicable General Data Protection Regulation.
The Controller provides the Individual with information on the Individual’s rights in a concise, transparent, easy to understand and easily accessible form, in a clear and plain language, in writing or in electronic form. The Controller fulfils any requests regarding the rights without undue delay within one month of receiving the request, or within two additional months, considering the complexity and number of requests.
If the Individual submits a request in electronic form, the Controller provides the answer in electronic form, if possible.
The Individual is entitled to file a complaint with the supervisory authority and seek legal remedy.
If the Individual’s requests are manifestly unfounded or excessive, in particular if they are repetitive, the Controller can:
- Charge a reasonable fee, considering the administrative costs for submitting information or message or carrying out the requested measure.
- Reject the measure regarding the request, whereby the Controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.
The Individual is entitled to access the following information, when personal data is collected on the Individual:
- the identity and the contact details of the Controller and, where applicable, of the Controller’s representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing and the legal basis for the processing;
- the legitimate interests pursued by the Controller or by a third party;
- the recipients or categories of recipients of the personal data, if any;
- information on transfer of personal data to a third country.
The Individual is entitled to the following information, to ensure fair and transparent processing, when personal data is collected on the Individual:
- the period for which the personal data will be stored, or the criteria used to determine that period;
- the existence of the Individual’s right to request from the Controller cessation of processing of personal data, rectification or erasure of personal data, restriction of processing, or to object to processing as well as the right to data portability;
- where the processing is based on a consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- the right to information whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well the possible consequences of failure to provide such data;
- the existence of automated decision-making, including profiling, the logic involved, the significance and the envisaged consequences.
The Individual has the right to request from the Controller to confirm if their personal data is being processed and how. In the event that their personal data is processed, the Individual is entitled to the following information on the processing:
- the processing purpose;
- the types of personal data;
- the recipients or categories of recipients to whom the personal data have been disclosed, in particular for any recipients in third countries;
- if possible, the envisaged period of personal data storage, or criteria for determining the storage period;
- the existence of the right to request from the Controller a rectification or erasure of personal data, restriction of processing, or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- when personal data is not collected from the individual, the information on the source;
- the existence of automated decision-making, logic involved, the significance and the envisaged consequences.
The Individual has the right to have its data erased – or the right to be forgotten – whereby the Controller must delete the Individual’s data from storage without undue delay if:
- Personal data is no longer required for the purposes for which it was collected or otherwise processed.
- The Individual withdraws their consent used as the legal basis for processing and no other legal basis for further processing exists.
- The Individual objects to data processing, and no overriding legitimate grounds for processing exist.
- Personal data was processed illegally.
- Personal data must be deleted to fulfil legal obligations in accordance with the EU acquis or the legal order of the member country applicable to the Controller.
The Individual is entitled to limit processing by the Processor in the following cases:
- The Individual disputes the accuracy of personal data for the period enabling the Controller to verify the accuracy of the personal data.
- The processing is unlawful and the Individual opposes the erasure of personal data, and requests the restriction of their use instead.
- The Controller no longer needs the personal data for the purposes for which it was collected, but is required by the Individual to establish, exercise or defend legal claims.
- The Individual files a complaint and the review of whether the legitimate grounds of the Controller override those of the Individual has not yet been completed.
When processing of personal data has been restricted, such personal data shall, with the exception of storage, only be processed with the Individual’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of a member State.
The Controller shall communicate any rectification or erasure of personal data or restriction of processing to other personal data processors, unless this proves impossible or involves disproportionate effort.
The Individual has the right to receive the personal data concerning them, which they have provided to the Controller, in a structured, commonly used and machine-readable format, and has the right to transmit this data to another controller without hindrance from the Controller to which the personal data have been provided, where:
- the processing is based on consent (or contract);
- the processing is carried out by automated means.
The Individual has the right to object to the processing of their personal data. In this case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Individual or for the establishment, exercise or defence of legal claims.
The Individual shall have the right not to be subject to a decision based solely on automated processing, which produces legal effects concerning the Individual or similarly significantly affects the Individual. However, this does not apply if the decision:
- is necessary for entering into, or performance of, a contract between the Individual and the Controller;
- is authorised by EU or member state law to which the Controller is subject and which also lays down suitable measures to safeguard the Individual’s rights and freedoms and legitimate interests;
- is based on the Individual’s explicit consent.
The Individual’s rights can be restricted by law in the following cases:
- when it is in the interest of national security;
- for purposes of defence;
- for public safety;
- for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
- for the protection of judicial independence and judicial proceedings;
- for the enforcement of civil law claims.
Personal data breach
In the case of a personal data breach, the Controller shall without undue delay and not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, the Controller shall include the reasons for the delay.
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.
The notification shall include at least:
- a description of the nature of the personal data breach;
- the number of Individuals concerned, the categories and the number of personal data records concerned;
- the name and contact details of the data protection officer;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken by the Controller to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
If it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
The Controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this article.
COMMUNICATION OF A PERSONAL DATA BREACH TO THE INDIVIDUAL
When the personal data breach is likely to result in a high risk to the rights and freedoms of Individuals, the Controller shall communicate the personal data breach to the Individual without undue delay, describing in clear and plain language the nature of the personal data breach and containing at least the information and recommendations regarding this breach.
The communication to the Individual is not required if:
- The Controller has implemented appropriate technical and organisational protection measures for the personal data, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.
- The Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of Individuals is no longer likely to materialise.
- It would involve disproportionate effort.
Which personal data do we collect?
The Controller collects and stores Individual’s personal data that the Individual voluntarily shares directly with the Controller when the Individual wishes to use the Services provided by the Controller. Generally, this occurs when transferring files with contents to be printed.
Alternative situations, in which the Controller collects personal data, include registration for secondary Services (e.g. subscription to electronic news), prize draws, etc.
In all cases where the Controller collects personal data, there is legal ground or Individual’s consent to personal data processing.
Individual’s personal data collected by the Controller is obtained in the following situations:
- Creating a user profile to use the Services, or use at least one of provided Services. Such personal data collected is processed either to improve the quality of Services or to meet legal obligations in the performance of services or concluding a contractual relationship with the Controller, such as transfers of files with contents to be printed (name, surname, e-mail address, address, telephone number, etc.). Such personal data can be either required or optional. Required personal data is the data without which normal operation of the Services would be limited or impossible (e.g. e-mail), while optional personal data is the data that improves the user experience, but is not essential for the basic operation of the Services (e.g. telephone number for direct communication).
- Request for assistance by user support, either by e-mail, online form, or telephone. Such personal data is necessary for processing the request (name, surname, e-mail address).
- Login via electronic form or subscription to electronic news (e-mail address, name, surname).
- Other participation in activities that requires the Individual’s personal data.
Other ways of collecting personal data, or data that can be used to identify the Individual, include:
- communication regarding purchases (enquiries and evaluations);
- data on the use of services, which is automatically collected during the use of Services (type of device, type of browser, location, language preferences, cookies, IP address, login time, clicks by categories and pages, adding to cart, purchase, potential errors that occurred during the use of Services) and helps the Processor in:
- ensuring a higher quality of Services by identifying technical capabilities and Individual’s preferences and devices used for the Controller’s Services;
- ensuring increased security for the Individual by recognising recent logins, recent purchases, misuse attempts;
- ensuring faster and better responsiveness in the event of troubleshooting and disputes;
- data obtained by the data processor.
How is personal data processed?
The specifics of personal data processing depend on the Service used by the Individual and the Individual’s preferences.
USE OF PRIMARY SERVICES AND PERSONALISATION
Individual’s personal data is processed to verify the authenticity and identity of the Individual when logging into the system, to personalise received electronic messages, to submit data, such as uploads of files with contents to be printed, or browsing categories.
COMMUNICATION REGARDING SERVICES
Individual’s personal data is processed for communication regarding services provided by the Controller or for providing Services as such (communication regarding offers).
The Controller can communicate with the Individual regarding alternative and new Services that are directly or indirectly related to Services for which the Controller has obtained the Individual’s consent.
MARKETING AND PROMOTION OF SERVICES
Based on prior consent or use of Services, the Controller may recommend, propose, or otherwise promote and market new Services or offers under the Services. Withdrawal from such personal data processing is possible.
Processing of Individual’s personal data is necessary for providing customer support. For a more precise analysis, and quicker and better problem or dispute resolution, the Controller can request additional personal and other information.
SECURITY AND PROTECTION
We process personal information to provide security and protection for Individuals, the Controller and processors. Such processing includes monitoring logins into a Service, monitoring Service use, monitoring Individual’s activities as part of Services, which helps the Controller recognise threats and misuse attempts for Services, the Individual, the Controller or processors.
PURSUIT OF LEGITIMATE INTEREST
If legally required, the Controller can process personal data without the Individual’s consent, or for the performance of a contract between the Controller and the Individual, which represents continued use of Services. A specific example of such processing of personal data is a purchase of a product, whereby the Service is not possible without processing of personal data.
The Controller can process personal data also when it believes that it is protecting its own legitimate interest, or protecting the interests of other involved natural or legal persons.
If none of the above grounds for personal data processing exist, and the Individual consented to data processing for this specific purpose, Individual’s personal data can be processed for this purpose until the consent is withdrawn, or until otherwise determined by a change of the personal data protection policy.
How we share collected data with third parties
To provide the Services and ensure their quality, we can share collected data with third parties. In this case, the Controller has concluded a contract for personal data processing with a processor, unless personal data processing is necessary to pursue legitimate interests.
The Controller never uses personal databases for sale, but processes and transmits data for processing only for the purposes of providing the Services. If there is no other legitimate interest for transmission of personal data to third parties, the Controller obtains from the Individual a consent for such processing.
How we store and protect the personal data collected
INFORMATION SECURITY AND DATA STORAGE
Individuals’ personal data is stored and processed on web servers in Slovenia. The Controller continually strives to maintain and develop the information system in accordance with the latest technological standards of safety to protect Individual’s personal data.
Despite the high standard and security measures implemented by the Controller in its information system, due to the nature of the Internet, the Controller cannot guarantee against later misuse of personal data, which could occur after the transmission from the Controller’s servers to the Individual, or in the event of a hack into the information system, as the Controller does not have its own resources or capabilities to prevent such misuse.
HOW LONG WE STORE PERSONAL DATA
The storage duration for personal data depends on the type of personal data, Individual’s use of Services, manner of processing and statutory requirements. When and if personal data is no longer necessary for processing, or if the Individual decides to delete their user profile, the Controller deletes, applies pseudonymisation or renders anonymous such data, except when the data is necessary for continued performance of Controller’s Services or the Controller must store the data due to statutory requirements.
Data for marketing
Data collected for the purposes of a user’s purchase is stored as long as the user of Service is active, or for a reasonable time after the end of activity in case the user decides to become active again.
Activity includes any activity by a user of Services, from a purchase, opening an e-mail message, or visiting the web site. Data that helps the Controller process requests or disputes with the Individual, or is subject to other statutory requirements regarding storage, is stored even if the user profile is deleted. A typical example would be data on purchases.
Despite a withdrawal of consent, personal data directly related to marketing (cookies, category clicks, ad clicks) can be stored for a reasonable time after the withdrawal of consent if so necessary for Controller’s business processes or for ensuring the quality of Services. In the event of discontinued use of Services and therefore stopped collection and processing of data directly related to marketing, personal data collected for the purposes of marketing can be deleted in a reasonable time if it has no other effect on the quality of Services provided by the Controller.
Personal data collected through forms and other sources
Personal data collected for the purposes of processing that is not directly related to Services provided by the Controller, can have varied storage durations, depending on the purpose of processing.
If personal data is not otherwise marked for alternative purposes of processing (pursuit of legitimate interests, with the Individual’s consent), such data can be deleted, subject to pseudonymisation or rendered anonymous after the time necessary for processing, depending on the type of data and manner of processing.
Access to and control of personal data filing systems
The Individual who uses Services provided by the Controller can access personal data filing systems using their user profile, where the Individual can control and update personal data and change any consent.
Certain personal data cannot be managed by the user; in this case, the user can contact customer support, which, if possible, enters the change on behalf of the Individual, per the Individual’s request.
As a user, the Individual can also access data that can be used to identify the Individual and was not submitted by the Individual, such as coupons and purchases; however, the Individual cannot change this data but can only access it. In the event of changes, the Individual can contact customer support, which enters the change on behalf of the Individual, if possible.
Personal data collected using questionnaires, employment forms or other online or physical forms not listed in the user’s profile and still kept by the Controller is generally valid and processed for a shorter time than personal data collected for the primary processing purpose; therefore, personal data that is not part of the personal data filing system accessible in the user profile is not easily accessible by the user, except per request to the customer support, which will provide any such information or enter a change of personal data.
DEACTIVATION OF USER PROFILE
The Individual can delete their user profile if they no longer wish to use the Services provided by the Controller. The Individual can delete their profile by contacting customer support, which will delete the profile – if so possible and not interfering with other business processes or legitimate interests of the Controller or related persons – per request of the Individual.
Alternatively, the Individual can withdraw from certain Services or specific manners of data processing, where a full deletion of the user profile is not necessary.
If a user profile is deleted, the Controller stores certain collected personal data for a reasonable period.
COMBINING USER PROFILES
User profiles that belong to the same person or Individual cannot be combined.
DELETION OF PERSONAL DATA
Personal data that the Individual wants deleted can be erased or its use restricted if this does not interfere with the business processes of the Controller or if the Controller has no other legitimate interests for continued storage of such personal data.
Certain types of personal data can be deleted in the user profile; for others without this option, the Individual has to contact customer support, who deletes the data on behalf of the Individual.
REQUEST FOR RESTRICTION OF PERSONAL DATA PROCESSING
The Individual can request a restriction of personal data usage, whereby the Controller reserves the right to request reasons for such a restriction if the type of personal data is not simple, if the restriction of personal data processing can affect the business processes, or if there are other legitimate grounds.
In the event of a simple type of personal data, the option of restriction of processing for a specific purpose is already enabled and available in the user profile, or in the e-mail footer, where the Individual can manage consents and restrictions of processing for specific personal data for specific purposes. If there is no such option, or the Individual cannot find it, the Individual can contact customer support, which will apply a restriction or consent on behalf of the Individual.
PERSONAL DATA PORTABILITY
The Individual can request from the Controller the personal data filing system that the Controller manages regarding the Individual, whereby such a filing system is in machine-readable format that enables a transfer of personal data to other similar services. The Controller provides an option to export personal data filing systems; however, this does not apply to all types of personal data, as not all types can be transferred to other services.
In the event of a request for an export of personal data, the Individual contacts customer support, which prepares such an export in a reasonable time – exporting data is not automatic or immediate. In the event of several and repeating unfounded requests for an export of personal data filing system, or request that the Controller considers unreasonably frequent, the Controller reserves the right to charge a fee for the service of personal data export.
Personal data processors
To provide its Services, the Controller collaborates with other legal persons that process certain types of personal data managed by the Controller.
The Controller has concluded a contract for personal data processing and co-operation with each processor, unless personal data processing is necessary to pursue legitimate interests of the Controller or processor. Personal data processors include, among others:
- service providers for technical and other operational support;
- communication services providers, such as e-mail and other electronic communication;
- providers of customer management tools;
- providers of tools for analysing use of Services and troubleshooting for Services;
- services providers that the Controller promotes, markets, sells.
Personal data processors are as follows (the list can be changed per request of the Controller):
The country depends on the service provider.
Processors and manners of processing not listed above can process personal data that had undergone pseudonymisation or had been rendered anonymous, and is thus exempt from the General Data Protection Regulation.
Reporting breaches and misuse
In the event of suspicion of abuse or breach in personal data processing, the Individual can report the suspicion of breach by e-mail to the Controller’s e-mail address, listed under contact information.
For faster processing of the request, the Individual must provide as much relevant information as possible (which user profile, which personal data are supposed to have been misused, in what way, and why the Individual believes that a breach or misuse occurred).
The Controller fulfils any requests regarding the rights without undue delay within one month of receiving the request, or within two additional months, considering the complexity and number of requests.
The Controller believes that it collects and stores Individuals’ personal data in accordance with the General Data Protection Regulation and other applicable legislation in the territory of the Republic of Slovenia and European Union.
In the event of any questions or complaints regarding the General Data Protection Regulation, contact the data protection authority, which is the Information Commissioner of the Republic of Slovenia, with the following contact information:
Zaloška cesta 59
T: 01 230 97 30
F: 01 230 97 78
This privacy protection policy is available as a PDF file, which is available per request via e-mail at firstname.lastname@example.org.
Personal data is processed by Aleš Ernst s.p. as a joint Controller. If you have any questions regarding personal data and processing, contact us by e-mail at email@example.com.
If you have any requests regarding changes or updating of personal data, user account deletion, logout or any other potential problem with the user profile, contact us by e-mail at firstname.lastname@example.org.
To report a suspicion of a breach in personal data processing, contact us by e-mail at email@example.com.
The Controller undertakes to respond to all requests regarding personal data protection within 30 days of such request. For more complex disputes or problems, we reserve the right to extend this period by an additional 60 days.
TISKARNA OMAN PETER OMAN S.P.
Cesta na Rupo 55, 4000 Kranj
For more information regarding the General Data Protection Regulation, visit https://www.eugdpr.org/.