The use of Website is not allowed to persons under 16 years of age.
All our personal data processing activities are carried out according to Regulation (EU) 2016/697 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (The EU General Data Protection Regulation (GDPR)) and the legislation of the Republic of Slovenia (Personal Data Protection Act (ZVOP-1, Official Gazette No. 94/07), Electronic Communications Act (ZEKom-1, Official Gazette No. 109/12) and others).
You can send any inquiries about personal data, including claims and demands, to email@example.com.
What Personal Data is Being Processed
RLS collects and further processes the following Users’ personal data:
From All Users:
- IP number of the network from which the User accessed (visited) the Website, date and time of each access (visit) to the Website, duration of each access (visit).
From Registered Users:
- First name, last name, email address, telephone number, country of residence (mandatory data);
- Information about signing-up for newsletter (whether the User opted for receiving the newsletter or not);
- Information about address: street address, city, ZIP/postal code (mandatory information); company, VAT number (non-mandatory information);
- Date and time of registration on the Website;
- Date and time of sending the confirmation email;
- Date and time of each login on the Website;
- Date and time of editing information, including password update.
From Buyers of RLS Products (and/or Their Contact Persons):
- Date and time of purchase of product(s) on the Website;
- The product(s) purchased on the Website: name(s), type(s), quantity, price of each product, total price, discounts, amount of value added tax (VAT);
- Billing address: first name, last name, email address, telephone number, street address, city, ZIP/postal code, country (mandatory information); company, VAT number, fax number (non-mandatory information);
- Shipping address (if different from billing address): first name, last name, email address, telephone number, street address, city, ZIP/postal code, country (mandatory information); company, VAT number, fax number (non-mandatory information);
- Information whether or not the User made the registration (created an account for later use);
- Information about signing-up for newsletter (whether the User opted for receiving the newsletter or not);
- Information about where the User heard about RLS (optional)
- Information about payment: payment method chosen by the User, date and time of receiving information about payment;
- Information about shipping: shipping method chosen by the User; date and time of delivery;
- Information about User’s withdrawal from the contract/order: date and time of receiving User’s notice; date and time of receiving returned products, date and time of return of payment made by the User, number of bank account to which the payment was transferred;
- Any comments the User posted at checkout (non-mandatory);
- Information on Users’ claims and communication based on RLS’s warranty for products;
- Same information as listed under From Users Signed-up for the Newsletter below, with the exception of “Date and time of signing-up”.
From Users Signed-up for the Newsletter:
- Email address;
- Date and time of signing-up;
- Date and time of receiving each newsletter;
- Date and time of signing-out from further receiving.
Purposes and Legal Grounds for Personal Data Processing
The Controller collects, stores and processes Users’ personal data based on the following legal grounds:
- contractual or pre-contractual relationship between RLS and the User (or the entity for which the User is a contact person);
- User’s consent;
- RLS’s legitimate interest;
- the law.
Data Processing Based on the Contractual or Pre-contractual Relationship
All the personal data listed under From Buyers of RLS Products (and/or Their Contact Persons) are necessary for RLS to enter into contract with the User (or the entity for which the User is a contact person) and to fulfil this contract, including, but not limited to, fulfilling its obligations based on warranties for the sold product and on User’s (or buyer’s) withdrawal from the contract.
The User is no way obliged to provide the personal data; however, the personal data marked as mandatory are mandatory for the conclusion and fulfilment of the contract between RLS and the User (or the entity for which the User is a contact person). Should the User not provide the mandatory data, the contract cannot be concluded, and the User cannot purchase products on the Website.
Personal Data Processing Based on the Law
In addition to concluding and fulfilling the contract, addressing the claims based on warranties and based on User’s (or buyer’s) withdrawal from the contract is a legal obligation of RLS based on Slovenian legislation. Therefore, the personal data listed under “Information about User’s withdrawal from the contract/order” and under “Information on Users’ claims and communication based on RLS’s warranty for products” is also being processed on these legal grounds.
Electronic Communications Act allows RLS to send to its buyers emails with information and offers about similar products and services to those bought by the User. The User has the right to opt-out at any time, by clicking the unsubscribe link in any email received.
Electronic Communications Act allows RLS to send to companies’ (legal entities’) email addresses emails with commercial contents. The User has the right to opt-out at any time, by clicking the unsubscribe link in any email received.
Personal Data Processing Based on User’s Consent
The personal data listed under From Users Signed-up for the Newsletter is being processed based on User’s consent.
The personal data listed under From Registered Users is being processed based on User’s consent. The registration enables Users to shorten the purchase process on the Website, as they do not need to enter the billing address (and/or) shipping address at each purchase.
Personal Data Processing Based on Legitimate Interest of RLS
IP number of the network from which the User accessed (visited) the Website, date and time of each access (visit) to the Website and duration of each access (visit) are processed based on legitimate interest of RLS for the purpose of preventing and detecting of and acting against any illegal User’s activity on the Website. RLS has a legitimate interest to prevent any damage caused to the Website, other Users, RLS or any third person, and to act in order to remedy such damage.
Other Use of (Non-Personal) Data
RLS also uses data about visits to the Website when bidding for ad impressions on Google Ads. Namely, RLS is willing to bid higher (pay more) for the ads shown to users who have in the past accessed the Website than to users who have not accessed the Website. Given that the data about which user has in the past accessed the Website is provided by Google and not shared with RLS, this act doesn’t constitute processing in the sense ascribed to it in the GDPR. The ads shown are in no way personalised or adapted.
RLS also uses the data on users’ demographics and interest to better serve ads in Google Adwords. The data is collected by Google and not shared with RLS.
RLS uses the Hotjar service to understand how users interact with the Website. The service is fully anonymised and aggregated and does not constitute personal data processing.
How Long is the Personal Data Being Stored and What Happens Next
Unless stipulated otherwise herein, RLS stores and processes the personal data for the time necessary to achieve the purpose for which the personal data was collected and further processed.
The following categories of personal data are being stored for time stated hereunder (hereinafter Storage Period):
- IP number of the network from which the User accessed (visited) the Website, date and time of each access (visit) to the Website, duration of each access (visit): 10 days
- Information listed under From Registered Users: 6 months after RLS has received User’s request to delete or stop processing the data;
- Information listed under From Buyers of RLS Products (and/or Their Contact Persons): 5 years from the delivery of products (general statute of limitations period); 5 years from the resolution of User’s (buyer’s) claim based on the purchase of products; 5 years from the resolution of User’s (buyer’s) claim based on the withdrawal from the contract;
- Information listed under From Users Signed-up for the Newsletter: until the User has opted-out (unsubscribed).
After the expiry of the Storage Period, the Controller effectively and permanently either deletes or anonymises the personal data so that, in the latter case, they can no longer be linked to an individual User.
Who Has Access to Personal Data (Contractual Processing)
Processors to whom the personal data are transmitted or who are granted access to the personal data include the following:
- Website hosting provider;
- email storage, sending and email marketing provider(s);
- hosting (server capacity) provider,
- provider(s) of payment and card processing systems;
- providers of systems (applications) for managing customer relationships – CRM;
- providers of delivery services;
- providers of technical support;
- providers of solutions for online advertising;
- tax authorities (per request).
The Controller and Processors do not transmit personal data to third countries (outside of member countries of the European economic area – members of EU and Iceland, Norway and Liechtenstein) and to international organisations, except USA – all Processors in the USA were part of the Privacy Shield programme. Given that the Privacy Shield programme has been stuck down by the Court of Justice of the European Union (Schrems II), we are currently examining the possibilities for compliant transfers to the USA.
Security of Processing Personal Data
RLS uses all reasonable efforts to ensure security of Users’ personal data. Personal data is, to the maximum extent reasonable – based on the risks involved by the processing – protected from loss, destruction, falsification, manipulation, processing for purposes for which it has not been collected and from unauthorised access and disclosure.
RLS has in place strict internal procedures in case of security incidents relating to personal data.
Rights of Users Regarding Personal Data
In order to ensure reliable identification in case of a User exercising their rights regarding personal data, RLS may request additional data from the user. RLS may refuse to act on User’s request if it can demonstrate that it is not in a position to identify the User.
RLS shall provide information or feedback without undue delay and in any case within one month of receipt of the request.
Users have the following rights regarding fair and transparent processing, based on the GDPR:
The Right to Withdraw Consent
Users have the right to withdraw your consent to processing of your personal data at any time, including the unsubscribing from receiving the newsletter. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Consent can be withdrawn through a written statement that is sent to RLS at firstname.lastname@example.org or (in case of newsletter) by clicking on the unsubscribe link.
Withdrawal of consent bears no negative consequences or sanctions for the User. It is however possible that the Controller may not be able to provide some of its services to User after the withdrawal of consent, if such services cannot be performed without the processing of personal data in question.
The Right to Access Personal Data
Users have the right to obtain confirmation from RLS as to whether or not your personal data are being processed, and, where that is the case, right to access to the personal data and the following information: the purposes of the processing, the categories of personal data concerned, its users, the period for which the personal data will be stored, or the criteria used to determine that period, the right to request rectification or erasure of personal data or restriction of or objection to processing of personal data, the right to lodge a complaint with a supervisory authority, the source of the data if the data were not collected from Users, the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for Users.
The Right to Rectify Personal Data
Users have the right to request from RLS without undue delay the rectification of inaccurate personal data.
The right to Deletion of Personal Data (Right to be Forgotten)
Users have the right to request RLS to delete without undue delay their personal data when one of the below reasons exists:
- the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- User has withdrawn their consent, and there are no other legal grounds for further processing;
- User has objected to the processing of their personal data, and there are no overriding legitimate grounds for processing;
- User’s personal data has been unlawfully processed;
- the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which RLS is subject;
- the personal data has been collected in relation to the offer of information society.
As an individual under certain circumstances, as defined in Article 17, paragraph 3 GDPR, you do not have the right to data deletion.
The Right to Restriction of Processing
Users have the right to request from RLS restriction of processing where one of the following applies:
- User contests the accuracy of the personal data for a period enabling RLS to verify the accuracy of the personal data;
- the processing is unlawful, and User opposes the erasure of the personal data and requests the restriction of their use instead;
- RLS no longer needs the personal data for the purposes of the processing, but they are required by User for the establishment, exercise or defence of legal claims;
- User has objected to processing pending the verification whether the legitimate grounds of RLS override User’s rights.
The Right to Data Portability
Users have the right to receive the personal data concerning them, which they have provided to RLS, in a structured, commonly used and machine-readable format and have the right to transmit such data to another controller without hindrance from RLS, where:
- the processing is based on consent or on a contract; and
- the processing is carried out by automated means.
In exercising the right to data portability, Users have the right to have their personal data transmitted directly from RLS to another controller of their choice, where technically feasible.
The Right to Object to Data Processing
Users have the right to object, on grounds relating to their particular situation, at any time to processing of their personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the provider (Article 6 (1), point (e) of GDPR), processing is necessary for the purposes of the legitimate interests pursued by the provider or by a third party (Article 6 (1) point (f) of GDPR), including profiling based on the data; RLS shall no longer process the personal data in question unless it demonstrates compelling legitimate grounds for the processing which override Users’ interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, Users have the right to object at any time to processing of their personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing; where Users object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
The Right to Lodge a Complaint with the Supervisory Authority
Users have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement.
Notifying the Supervisory Authority and Users of Personal Data Incident
In case of personal data incident, RLS is obliged to notify the supervisory authority without undue delay, unless the it is able to demonstrate that the data breach is unlikely to result in a risk to the rights and freedoms of Users.
In the case of an incident likely to result in a high risk to the rights and freedoms of Users, RLS is obliged to notify the Users immediately or, if that is not possible, without undue delay. The notification should be in clear and comprehensive language.
Changes, Amendments and Updates