The Controller of the website is the one who manages the personal data and determines the purposes and means for the processing of your personal data.
The Controller of the users’ personal data and this website is:
Name of the legal entity: GO TO, trgovina in storitve, d.o.o.
Address of the legal entity: Brezovce 6
Postcode and place: 1236 Trzin, Slovenija
VAT number: SI 64342786, taxpayer
Registration number: 5460905000
Contact e-mail: firstname.lastname@example.org
Contact telephone number: + 386 (0)1 51 90 853
Data on the entry in the register or any other public records: 14.02.1991
Contact person and contact for providing information related to user’s personal data: Franci Turk, email@example.com
The Processor of personal data is the one who processes personal data on behalf of the Controller. The Processor may only process personal data determined in documented instructions by the Controller and only for the purposes determined in documented instructions by the Controller.
Our Processors process users’ personal data in accordance with the applicable legislation, based on an existing contractual relationship which regulates all areas of processing.
The Processors of personal data who processes personal data on behalf of the Controller are:
The Controller and their Processors respect the general principles related to the processing of the users’ personal data:
1. We process users’ personal data in a legal, fair, and transparent manner.
2. We collect personal data for purposes which are determined in advance, explicit, and legal, and we do not further process the data for other purposes, except for the purposes of scientific or historical research or statistics under certain conditions.
3. We process personal data in the smallest extent possible and for the purposes of processing.
4. We make sure that the processed personal data are accurate and regularly updated, whereby we rectify or erase the inaccurate data.
5. We only keep personal data for as long as it is necessary for the purposes of processing.
6. We ensure adequate protection of personal data, which includes the prevention of unauthorised or unlawful processing and unintentional loss, destruction, or damage of data, by implementing adequate technical and organisational measures.
Personal data refers to any information related to an identified or identifiable individual who is a natural person. Identified individual is someone whose personal data are identified and processed according to the purposes determined by the Controller. Identifiable individual is someone who can be directly or indirectly identified and whose personal data can be processed according to the purposes determined by the Controller.
User is an individual who is a natural person and whose personal data are processed based on a legal or contractual basis which exists between the Controller and the individual or based on an explicit consent provided to the Controller by the individual.
The Controller determines the purposes and means of processing within the framework of their registered activity and/or legal authorisations. The user is informed in advance on who the Controller and the Processor of their personal data are.
The Subrocessor processes personal data of individuals on behalf of and according to the instructions of the Processor within the framework of legitimate purposes and means of processing. The Subprocessor is directly responsible to the Processor and the Processor is directly responsible to the Controller.
Processing of personal data refers to any action or set of actions performed in relation to personal data or set of personal data with or without automated means, which includes actions such as collection, recording, editing, structuring, saving, adjustment or modification, recovery, inspection, use, disclosure by transfer, dissemination or any other way of providing access, adaptation or combining, restriction, erasure, or destruction.
Legal basis means that the Controller processes personal data of users because the legislation requires them to do so in order to fulfil the legal obligations imposed on the Controller.
In the Republic of Slovenia, legal obligations of processing of certain personal data are mainly determined by:
1. the Value Added Tax Act ZDDV-1;
2. the Rules on the implementation of the Value Added Tax Act;
3. the Tax Procedure Act;
4. the Companies Act,
5. the Slovenian Accounting Standards;
6. the Accounting Act.
If the Processor is processing personal data of the user because the user performed an online purchase or ordered a service from the Controller, they shall keep the invoice for 10 years (as well as the data of the user/buyer on the invoice).
Contractual basis for processing of personal data of users means that the processing is necessary for:
1. fulfilling the contract whose contracting party is the user to whom the personal data relate; or
2. implementing measures at the request of such user before concluding the contract.
The Controller does not require an explicit consent for contractual processing of the user’s personal data.
If the user fails to provide all the personal data that the Controller needs to fulfil the contractual obligation, the Controller is unable to complete the user’s order. The Controller undertakes to only collect and process personal data from the user in the scope needed to fulfil the contract.
The individual purposes for such processing of personal data are stated by the Controller at the website, where the user can submit their consent. The Controller shall inform the user on the purposes of processing in an accessible form and in a clear and simple language and shall give the user the option of explicit consent for each individual purpose.
The Controller shall ensure the user the right to withdraw their explicit consent at any time and in a simple manner. Cancellation of the consent does not affect the lawfulness of the processing on the basis of the consent before its cancellation.
The Controller may process personal data of users if the processing is necessary for:
1. performing tasks in the public interest, or
2. exercising public authority given to the Controller.
If the processing is necessary due to a legitimate interest of the Controller or a third party, the Controller can process the personal data of users in the extent strictly necessary to fulfil these legitimate interests, provided that these interests are not overruled by the interests and fundamental rights and freedoms of the user to whom the personal data relate, particularly when the processing involves personal data of individuals under 16 years of age.
The Controller can process personal data if the processing is necessary for the protection of vital interests of the user or other natural person.
Types of users’ personal data processed for the purposes determined in advance include:
The Controller processes personal data of users for the following purposes and, at the same time, defines the legal basis for the processing of these data and determines whether the user’s explicit consent is necessary or not:
The Controller can only process personal data for new purposes for which they do not have an adequate legal basis nor an explicit consent, if they provide the user with all the necessary information for the processing of their personal data for new purposes and obtain from the user a new explicit consent for the processing of personal data.
The Controller may transfer personal data of users to third parties only in case of criminal and civil proceedings in the extent permitted by the legislation.
1. types and names of cookies
2. purpose of their use and
3. duration of each individual cookie.
The Controller shall provide the notification without consent when using the following cookies:
1. cookies necessary solely for transferring messages through the electronic communication network and
2. cookies which are essential to ensure the information society service explicitly requested by the client or user.
The Controller shall provide the notification at a special link on the website.
The user may request form the Controller the following:
1. access to personal data;
2. rectification of personal data;
3. erasure of personal data (right to be “forgotten”);
4. restriction of processing of personal data;
5. objection to processing of personal data; and6. portability of personal data.
The Controller shall respond to the user’s request within no later than 30 days after receiving the request.
The user has the right to receive confirmation from the Controller on whether or not personal data related to them are being processed.
The Controller shall provide the information on:
1. the purposes of processing;
2. the categories of personal data that they process;
3. the processors to whom personal data were transferred for processing or disclosed;
4. the anticipated time of retention of personal data;
5. the user rights to erasure and rectification of data, and to restriction of processing or objection to processing;
6. the right to lodge a complaint with a supervisory body;
7. the sources from which the Controller received the data, provided that they were not submitted for processing by the user; and
8. the existence of automated decision-making, including profiling.
The user may exercise this right through this form: EN - Exercising_rights_form
The user may request from the Controller to without undue delay:
1. rectify inaccurate data concerning the user which are processed by the Controller (or their processors) or
2. complete incomplete personal data.
The Controller provides the following form for submitting a supplementary statement: EN - Exercising_rights_form
The user may request from the Controller to erase the user’s personal data without undue delay if at least one of the following conditions is met:
1. The personal data is no longer required for the purpose for which they were collected or otherwise processed.
2. The user withdraws the consent given to the Controller for the processing, whereby there is no other legal basis for the processing.
3. The user objects to the processing of their personal data for the following reasons:
3.1. Personal data are processed for the purposes of the public interest.
3.2. Personal data are processed for legitimate interests of the Controller.
3.3. Personal data are processed for the purposes of direct marketing and/or profiling.
4. The personal data have been unlawfully processed.
5. The personal data must be erased to comply with a legal obligation imposed to the Controller by the legislation.6. The personal data was collected in connection with offering information society services to a person younger than 16.
The user may exercise their right to erasure of personal data through this form: EN - Exercising_rights_form
The user may request from the Controller the restriction of processing in one of the following cases:
1. The accuracy of the personal data is contested by the user, for a period enabling the Controller to verify the accuracy of the personal data.
2. The processing of the user’s personal data is unlawful, and the user opposes the erasure of the personal data and requests the restriction of their processing or use instead.
3. The controller no longer needs the personal data for the purposes of the processing for which they had a legal basis or the explicit consent of the user, but they are required for the establishment, exercise, or defence of legal claims.
4. The user has submitted an objection (right to object) pending the verification whether the legitimate grounds of the Controller override those of the user to whom the personal data relate.
When the user is exercising this right, the Controller may only save their data and only process them if:
1. the user provided (subsequent) explicit consent;
2. required for the establishment, exercise, or defence of legal claims;
3. required for the protection of rights of other users (natural or legal persons); and
4. required for an important public interest of the European Union or the Republic of Slovenia.
The user may exercise this right through this form: EN - Exercising_rights_form
The user has the right to receive from the Controller the personal data concerning them which are being processed by the Controller. The Controller must provide the user these data in:
1. a structured format;
2. commonly used format;
3. machine-readable format, which allows the user to read the information without any problems.
The user also has the right to transmit the obtained data to another controller without hindrance from us, the Controller, if:
1. the data was processed based on an explicit consent and
2. the processing is carried out by automated means.
The user has the right to have their data transmitted from one controller to another, where technically feasible.
The user may exercise this right through this form: EN - Exercising_rights_form
The user may at any time object to the processing of personal data concerning them, when the Controller processes their personal data:
1. in public interest or
2. for legitimate interests of the Controller, including profiling of this user.
The Controller shall not cease to process the user’s personal data at the request of the user if:
1. they can prove the existence of necessary legitimate reasons for processing which overrule the interests, rights, and freedoms of the user; or
2. the data are required for the establishment, exercise, or defence of legal claims.
The Controller shall always grant the user’s request when the user objects to the processing of their personal data for the purposes of direct marketing, including profiling to the extent that it is related to direct marketing. The Controller is obliged to stop the processing of such personal data for the purposes of direct marketing.
For this purpose, the Controller shall, at places where they ask the user to consent to processing of their data for the purposes of direct marketing, provide the user with a clear and separate information on the possibility that the user may at any time withdraw their consent and object to the processing of their data for these purposes.
The user may exercise their right to object through this form: EN - Exercising_rights_form
The user has the right to not be subject to a decision based solely on automated processing of their data, including profiling, which produces legal effects concerning them or similarly significantly affects them.
The user may not exercise their right to prevent the automated processing of their data, including profiling, if such decision (automated processing) is:
1. necessary for concluding or implementing a contract between the user and the Controller (e.g. online shopping cart);
2. authorised by the law of the European Union or the Republic of Slovenia and which also lays down suitable measures to safeguard the user’s rights and freedoms and legitimate interests (e.g. processing of FURS data); or
3. justified by the user’s explicit consent (e.g. for direct marketing through systems for automated sending of marketing messages).
Where explicit consent is required, the Controller shall provide the user with suitable notifications and a confirmation window for explicit consent.
In any form of direct marketing, the Controller is bound to provide the user with the possibility to enforce their right to exemption, given to them by the legislation, with an e-mail notification.
The Controller shall within 15 days stop the use of personal data for the purposes of direct marketing and inform that to the user who submitted this request in a written form within the following five days or in an otherwise agreed manner.
It is prohibited to copy or otherwise use the content and texts on the Controller’s website outside the needs of the collaboration between the Controller and the user, unless otherwise stated on the website. Any copyright interference is considered as violation of intellectual property rights and may be subject to suitable legal procedures initiated by the Controller.
All photos, videos, and other audiovisual works published on the website are copyright work and property and/or in possession of the Controller and they must not be copied or otherwise used outside the needs of the collaboration between the Controller and the user, unless otherwise stated on the website.
Any copyright interference is considered as violation of intellectual property rights and may be subject to suitable legal procedures initiated by the Controller.
2. The Controller shall inform the users on any changes regularly and timely, in a written form with an electronic message.
The Controller and the user shall strive to solve any potential disagreements and disputes peacefully and by mutual agreement. If mutual agreement is not possible, disputes shall be resolved by the competent court of the Controller’s headquarters in the Republic of Slovenia.
The legal conditions apply from: 29.03.2019 10:37