Privacy Policy

PRIMA IP d.o.o.

The purpose of the Privacy Policy (hereinafter referred to as the "Policy") is to inform customers, potential customers or visitors of PRIMA IP websites about the purposes and legal basis for the processing of personal data.

PRIMA IP disability company d.o.o., Brnčičeva ulica 31, 1231 Ljubljana - Črnuče, Slovenia, e-mail address info@prima-ip.si ("PRIMA IP", "the Provider" or "the Data Controller") protects your personal data to ensure that it is kept secure at all times during the course of business.

At PRIMA IP, we value your privacy, which is why we always protect your data carefully. This privacy policy may be changed or amended at any time, without prior notice or warning. By using the Provider's website after a change or amendment, the individual confirms that he or she agrees to the changes and amendments.

All our activities in relation to the processing of personal data are in compliance with applicable European legislation (in particular Regulation (EU) 2016/697 on the protection of individuals with regard to the processing of personal data and on the movement of such data (General Data Protection Regulation or GDPR) and Council of Europe Conventions (ETS No.108, ETS No.181, ETS No. 185, ETS No. 189)) and the national legislation of the Republic of Slovenia (the Personal Data Protection Act (ZVOP-1, Official Gazette of the Republic of Slovenia, No. 94/07), the Electronic Commerce on the Market Act (ZEPT, Official Gazette of the Republic of Slovenia, No. 96/09 and No. 19/15), etc.).

This Privacy Policy addresses the handling of personal data that PRIMA IP receives from you when you visit and use PRIMA IP websites or otherwise provide PRIMA IP with personal data.

Controller and Data Protection Officer

The controller of the personal data is PRIMA IP disability company d.o.o., Brnčičeva ulica 31, 1231 Ljubljana - Črnuče, Slovenia.

Basic concepts

• Personal data means any information from which an individual can be identified (e.g. name, surname, email address, telephone number, etc.).
• Administrator means the legal person who determines the purposes and means of the processing of your personal data.
• Processor means a legal or natural person who processes personal data on behalf of the controller.
• Processing means the collection, storage, access and all other uses of personal data.
• EGP means the European Economic Area, which includes all the Member States of the European Union, Iceland, Norway and Liechtenstein.

Personal data

Personal data is information that identifies you as a specific or identifiable individual. An individual is identifiable when he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or by reference to one or more factors specific to the individual's physical, physiological, genetic, mental, economic, cultural or social identity.

The Provider collects the following personal data in accordance with the purposes set out below in this Policy:

• Basic information about the user (name and surname, residential address, date of birth, location).
• Contact details and details of your communication with the controller (e-mail address, telephone number, date, time and content of postal or e-mail communication, date, time and duration of telephone calls, recording of telephone calls).
• Channel and campaign - the way the member was recruited or the source through which the user came into contact with the operator (website and advertising campaign, call centre, physical shop).
• Information about the user's purchases and invoices issued (date and place of purchase, items purchased, prices of items purchased, total amount of purchase, method of payment, delivery address, invoice number and date of issue, identification of the person issuing the invoice, etc.) and information on the resolution of product complaints.
• Data on the user's use of the website of the controller (dates and times of visits to the website, pages or URLs visited, time spent on each page, number of pages visited, total time spent on the website, settings made on the website) and data on the use of the messages received from the controller (e-mail, sms).
• Personal data voluntarily provided by the user by filling in forms, e.g. in the context of prize draws or the use of configurators to identify the optimal products for the user's needs.
• Other information that the user voluntarily provides to the provider when making a request for certain services, insofar as this information is necessary for the provision of the service. The Provider does not collect or process your personal data except when you allow or consent to the Provider to do so, e.g. through the use of the website, when ordering products or services, when subscribing to receive an e-magazine, when participating in a prize draw, etc. The Provider also processes your data where there is a legal basis for collecting your personal data, a contractual basis or where the Provider has a legitimate interest in the processing.

We also obtain personal data about you through the use of cookies on our website. You can read more about our use of cookies here.

The Provider shall only collect personal data that is relevant and necessary to fulfil the purposes for which the data is processed.

The period of time during which the Provider retains the collected data is defined in more detail in the Retention of Personal Data section of this Policy.

Legal basis for data processing

The Provider collects and processes your personal data on the following legal bases: 

• Processing under the law
• Processing on the basis of a contract
• Processing based on the consent of the data subject
• Processing based on legitimate interest 

Processing on the basis of a contract

We need your data when it is necessary for the conclusion, performance and fulfilment of our contractual obligations. In this case, the provision of personal data is voluntary. If you do not provide personal data, you cannot enter into a contract with the provider, nor can the provider guarantee the performance of services or supply of products.

Processing on the basis of consent

We process your data when you give us your explicit consent to do so. Where processing is based on consent, we will ensure that you are provided in advance with all the information you need to make your decision. You may withdraw your consent at any time. If you withdraw your consent, the provider will not be able to provide certain services to you.

Processing based on legitimate interest

The Provider may also process data on the basis of legitimate interests pursued by the Provider, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. Where legitimate interest applies, the provider shall always make an assessment in accordance with the General Data Protection Regulation.

In the case of processing based on legitimate interest, the user has the right to object.

You can read more about your rights in the policy below.

Processing under the law

We process your personal data where we are required to do so by the law to which we are subject (e.g. tax law requires us to keep invoices). We process this personal data in accordance with the requirements of the law.

Purposes of the processing of personal data

The Provider collects and processes your personal data for the following purposes:

• Communicating with you about the provision of our services and responding to your enquiries.
• Concluding and fulfilling the obligations arising from the contract.
• Directly informing customers about special offers, discounts and other content via email.
• General statistical processing of data on customers and their orders and potential customers (contacts) for the purposes of internal sales analysis, repeat purchases, aggregate customer behaviour, advertising optimisation and business optimisation.
• Automatically communicate via email with the user based on his or her initiation of the online purchase process.

Retention of personal data

The Provider will only keep your personal data for as long as is necessary to fulfil the purpose for which the personal data was collected.

The Provider shall keep the personal data processed by the Provider on the basis of the law for the period prescribed by law.

The Provider shall keep the personal data processed by the Provider for the performance of the contractual relationship with the individual for the period necessary for the performance of the contract and for 5 years after its termination, except in cases where there is a dispute between you and the Provider in relation to the contract, in which case the Provider shall keep the data for 5 years after the final decision of a court or arbitration award or a settlement or, if there has been no court dispute, for 5 years from the date of the amicable settlement of the dispute.

The Provider shall keep the personal data processed by the Provider on the basis of the individual's personal consent permanently, until the withdrawal of this consent by the individual. The Provider shall delete such data before revocation only if the purpose of the processing of the personal data has already been achieved. After the retention period has expired, the personal data shall be effectively and permanently erased or anonymised by the controller so that they can no longer be associated with a specific individual.

Contractual processing of personal data

The Provider may entrust individual tasks related to the processing of your data to other persons (contract processors). The contract processors may process the entrusted data exclusively on behalf of the Provider, within the limits of the Provider's authorisation (in a written contract or other legal act) and in accordance with the purposes defined in this Privacy Policy.

The contractual processors with which the provider cooperates are:

• accounting services; law firms and other providers of legal advice;
• data processing and analytics providers;
• IT system maintainers;
• email providers (e.g. Mailchimp and others);
• payment system providers such as Adyen, Paypal, Payu, Klarna, Sofort, Multibanco, Dotpay and others);
• providers of customer relationship management systems (e.g. Microsoft);
• online advertising solution providers (e.g. Google, Facebook).

The Provider will not pass on your personal data to unauthorised third parties. Contract processors may only process personal data within the framework of the controller's instructions and may not use personal data to pursue any of their own interests. The controller and users do not export personal data to third countries (outside the European Economic Area - EU member states plus Iceland, Norway and Liechtenstein) and international organisations, except to the USA - all contract processors in the USA are members of the Privacy Shield programme.

Freedom of choice

You control the information you provide about yourself. If you choose not to provide your information to the provider, then we may not be able to provide certain services to you.

If you wish to unsubscribe from the PRIMA IP newsletter, please send us an e-mail to info@prima-ip.si.

If your personal data (postcode, e-mail address, physical address, telephone number) changes, please inform us of the changes by e-mail to info@prima-ip.si.

Automatic recording of information (non-personal data)

Whenever you access the website, general, non-personal information (number of visits, average time on site, pages visited) is automatically recorded (not as part of the login). We use this information to measure the attractiveness of our website and to improve content and usability. Your data is not subject to further processing and is not passed on to any third party.

Cookies

Cookies are invisible files that are temporarily stored on your hard drive and allow the provider to recognise your computer the next time you visit a website. The Provider uses cookies only to collect information relating to the use of the website and to optimise its internet advertising activities.

Advertising cookies track an individual's use of the Provider's website, unless the individual does not consent to the use of cookies on the site. You can read more about cookies and their use here.

Security

The Provider is committed to ensuring the security of personal data. Your data is protected at all times against loss, destruction, falsification, tampering, manipulation and unauthorised access or unauthorised disclosure.

We take organisational and technical measures to protect personal data, such as:

• Staff training;
• Supervision of staff and regular reviews of individual staff members' performance;
• Careful selection and monitoring of contract processors;
• backing up electronically stored data;
• regular maintenance and updating of computer equipment;
• Adoption of appropriate internal policies and guidelines on the protection of personal data.

Rights of the data subject with regard to data processing

If you have any questions about our privacy policy or the processing of your personal data, you can contact us at any time. Please contact us at info@prima-ip.si or call us on +386 (0)590 73 614. Upon your request, we will provide you with the requested information or (in accordance with the law) make arrangements to exercise your rights.

You have the following rights in relation to processing:

Right to withdraw consent: if you, as an individual, have consented to the processing of your personal data (for one or more specified purposes), you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing of the data carried out on the basis of the consent until its withdrawal.

Consent may be withdrawn by written declaration sent to the controller at one of the contacts indicated on the website. https://prima-ip.si/.

Withdrawal of consent to the processing of personal data does not have any negative consequences or sanctions for the data subject. However, it is possible that the controller may no longer be able to provide one or more of its services to the data subject after the withdrawal of the consent to the processing of personal data, in the case of services that cannot be provided without the personal data (e.g. a benefits club or personalised information).

Right of access to personal data: as an individual, you have the right to obtain confirmation from the provider (personal data controller) as to whether personal data relating to you are being processed and, where this is the case, access to the personal data and certain information (on the purposes of the processing, on the types of personal data, on the users, on the retention periods or. The existence of the right to rectification or erasure, the right to restrict and object to processing and the right to lodge a complaint with a supervisory authority, the source of the data if the data were not collected from you, the existence of automated decision-making, including profiling, the reasons for it and the meaning and effects of such processing for you, and other information in accordance with Article 15 of the GDPR).

Right to rectification of personal data: as an individual, you have the right to have inaccurate personal data concerning you corrected by the provider without undue delay. As an individual, you have the right, taking into account the purposes of the processing, to have incomplete data completed, including by submitting a supplementary declaration.

Right to erasure of personal data ("right to be forgotten"): as an individual, you have the right to have personal data relating to you erased by the provider without undue delay, and the provider must erase the data without undue delay where one of the following reasons applies:

• the data are no longer necessary for the purposes for which they were collected or otherwise processed,
• if you withdraw your consent and there is no other legal basis for the processing,
• if you object to processing and there are no overriding legitimate grounds for the processing,
• the data has been processed unlawfully,
• the data must be erased in order to comply with legal obligations under EU law or the law of the Member State to which the provider is subject,
• data collected in relation to information society service offerings.

However, as an individual, you do not have the right to erasure in certain cases described in Article 17(3) of the GDPR.

Right to restriction of processing: as an individual, you have the right to have the provider restrict processing where one of the following applies:

• if you contest the accuracy of the data for a period that allows the provider to verify the accuracy of the data,
• the processing is unlawful and you object to the erasure of the data and instead request a restriction on its use,
• the provider no longer needs the data for the purposes of the processing, but you need the data for the establishment, exercise and defence of legal claims,
• you have lodged an objection to processing, pending verification that the legitimate grounds of the provider override your own.

Right to data portability: as an individual, you have the right to receive personal data relating to you that you have provided to a provider in a structured, commonly used and machine-readable format and to have that data transferred to another controller without hindrance from the provider to whom the personal data have been provided, where:

• the processing is based on consent or on a contract; and
• processing is carried out by automated means.

In exercising that right to data portability, you as an individual have the right to have your personal data directly transferred from one controller (provider) to another, where this is technically feasible.

Right to object to processing: as an individual, you have the right, on grounds relating to your particular situation, to object at any time to processing of personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the provider (point (e) of Article 6(1) of the GDPR) or is necessary for the pursuit of legitimate interests pursued by the provider or by a third party (point (f) of Article 6(1) of the GDPR), including profiling on the basis of the said processing; the provider ceases to process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Where personal data are processed for marketing purposes, the data subject shall have the right to object at any time to processing of data concerning him or her for the purposes of such marketing, including profiling insofar as it is related to such direct marketing; where the data subject objects to processing for direct marketing purposes, the data shall no longer be processed for those purposes.

Where data are processed for scientific or historical research purposes, or for statistical purposes, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest;

Right to lodge a complaint with the supervisory authority: without prejudice to any other (administrative or other) legal remedy, you have the right as an individual to lodge a complaint with a supervisory authority, in particular in the country in which you are habitually resident, where you work or where the alleged infringement took place (in Slovenia, the Information Commissioner), if you consider that the processing of personal data relating to you infringes data protection rules.

Without prejudice to any other (administrative or extra-judicial) remedy, you have the right as an individual to an effective remedy against a legally binding decision of the supervisory authority concerning your complaint, including if the supervisory authority does not consider your complaint or does not inform you within three months of the status of the case or of the decision on the complaint. The courts of the Member State where the supervisory authority is established have jurisdiction over proceedings against the supervisory authority.

The data subject may address any request concerning the exercise of the rights relating to personal data in writing to the controller, using one of the contact details provided on the website. https://prima-ip.si/.

For the purposes of reliable identification in the event of the exercise of rights relating to personal data, the controller may request additional data from the data subject, but may refuse to act only if it demonstrates that the data subject cannot be reliably identified.

The controller shall respond to a request by an individual to exercise his or her rights concerning personal data without undue delay and at the latest within one month of receipt of the request.

Notification of a personal data breach to a supervisory authority

In the event of a personal data breach, the Provider is obliged to notify the competent supervisory authority, except where it is likely that the breach has not jeopardised the rights and freedoms of individuals. Where, in the event of a breach, there is a suspicion that a criminal offence has been committed, the Provider is obliged to notify the police and/or the competent prosecutor's office of the breach.

In the event of a breach that may result in a high risk to the rights and freedoms of natural persons, the Provider is obliged to inform the data subjects of the breach without undue delay or, where this is not possible, without undue delay. The notification to the data subject must be made in plain and intelligible language.

Access to social networks

Through our website, you can access the web plug-ins defined below, which are used by the provider in its operation:

• Facebook
• Instagram
• LinkedIn 

Each of these social networks operates in accordance with its own terms of use and privacy policies when providing its services. PRIMA IP accepts no liability in connection with the use of the social networks to which it provides access via its website. Questions and the exercise of rights should be addressed to the individual social network.

The privacy policies are available at the links below:

• Instagram https://help.instagram.com/519522125107875
• Facebook: https://www.facebook.com/about/privacy/
• Youtube: https://policies.google.com/privacy?hl=sl (we don't have a ytb channel)

Publication of amendments

Any changes to our privacy policy will be posted on this website.