The purpose of the document
The value of personal data and the responsibility to protect them
Personal data is any data which is related to an individual whose identity has been established or can be established (“data subject”); an individual whose identity can be established is a person who can be directly or indirectly identified, particularly with the help of identifiers such as the name, identification number, location information, online identifier or with the help of one or more factors inherent to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
The personal data which the controller collects and processes when performing his activity represents a professional secret. The controller implements measures of technical and organisational security which ensure the lasting confidentiality of all personal data and also encompass the prevention of unauthorised access to personal data and equipment which he uses while processing data or their unauthorised use.
All data on users is safeguarded strictly and is available only to employees who need the data to carry out their work. All of the controller’s employees are liable for adhering to safe harbour principles.
Particular care must be taken when handling personal data, and it can only be used in accordance with the reason for which it has been collected.
We only collect the personal data which has been voluntarily provided to us or for which there is another legal basis for processing.
Personal data collection and processing
Personal data can only be collected in accordance with the legislation and ethical standards. It is permitted to process personal data only when there is a clearly defined and documented legal basis or a basis arising out of a contract, while all other personal data processing is permitted only with a clearly documented consent of the owner or his proxy.
We collect personal data solely when the data subject consents to it: when registering to the website or through various forms on the website.
The same data is used for the purpose of concluding a contract and to familiarise the seller with the shopping habits of the buyer, as well as for the purpose of information and the promotion of the seller’s products and services.
We primarily collect personal data:
- to respond to your inquiry as efficiently as possible;
- to perform the purchase contract;
- to promote our services and express the intent to conclude the contract;
- for our internal statistical processing of data;
- for the possibility of sending publications, brochures and other promotional materials;
- to perform our legal and contractual obligations;
- for our legitimate interest.
The controller processes personal data solely to the extent necessary to provide the service and achieve the above-mentioned goals. When storing data, personal data is stored in the least possible number of places where it is adequately protected.
If you execute a payment on our website by credit or debit cards, our business partner WSPay, who enables the stated service, provides the following Statement on the protection of personal data transfer.
As the party executing the authorisation and credit card charges, WSPay treats the personal data as the processor and treats the personal data in accordance with the General Data Protection Regulation and in accordance with the strict rules of the PCI DSS L1 regulations on the protection of data entry and transfer.
WSPay uses a 256-bit encryption SSL certificate and TLS 1.2 cryptographic protocol as the highest levels of protection for data entry and transfer.
Personal data which is used for the purpose of authorisation and payment, i.e., to perform the obligations from the contract or based on the contract, is considered confidential data.
To perform the contract (authorisation and payment), the following personal data of the buyer is necessary: Name and surname, e-mail, telephone, address, place, postal code, state, type of card, card number, card expiry date, card CVV.
WSPay does not process or use this personal data, except for the purpose of performing the contract for authorisation and payment.
WSPay guarantees that all conditions established by the personal data protection legislation in force for processors of personal data are met, particularly by undertaking all necessary technical, organisational and security measures and this is also specifically confirmed by the PCI DSS L1 certificate.
As the controller, we always provide you with the possibility of choice regarding the use of your data, including the possibility to decide whether you want your name to be removed from the lists used for marketing campaigns or not. We do not request you to send data in order to enable access to our websites.
The IP address is transferred with every request sent to the server so that the server knows where the answer has to be sent. The internet service provider (ISP) assigns an IP address to everyone when they connect to the internet. The ISP can track which IP address is assigned to individual users at any given moment. As long as the stored IP address is not deleted, theoretically, one could obtain the identity of the end-user through the ISP. That is why the controller does not store the IP addresses of the visitors but rather only uses them to recognise the session and defend against attacks. Therefore, the IP address is deleted directly after that so that the collected data is anonymous and the identity of the end-user cannot be found out even through the intervention of the ISP.
Moreover, personal data is stored only if you voluntarily place it at our disposal, e.g., through the registration, surveys, prize contests or to perform a contract.
The rights of data subjects
The controller enables the exercise of the data subjects’ rights. You have the right to request, at any given moment:
- the deletion of personal data (“the right to be forgotten”) if the processing of your personal data is no longer necessary in relation to the purpose for which it was collected or if you withdraw your consent for personal data processing or if you file a complaint regarding the processing of your personal data and prove that your legitimate interests for deleting the personal data take precedence over the controller’s legitimate interest for processing your personal data;
- the correction of personal data if some of your personal data has changed or if you noticed an error in your collected personal data;
- the transfer of personal data, i.e., to request the personal data which are related to you in electronic form and transfer them to a third party;
- a complaint if you oppose the purpose for which your personal data is processed;
- the restriction of personal data processing if you dispute the accuracy of the personal data, if you object to the deletion of personal data, instead requesting a restriction of their use; if the controller no longer needs your personal data for the purposes of the processing, but you request them for the submission, exercise or defence of your legal requests; if you have filed a complaint regarding the personal data processing.
You can exercise your rights electronically, without expenses, by contacting us at the e-mail address: info@https://www.artbottega.hr/wp-content/uploads/2022/07/Zasto-pravis-slona-od-mene-PW-1.png.hr.
Exceptionally, in case you request that confirmation be issued to you in another form, other than the electronic one, for the purpose of transferring personal data, the controller reserves the right to charge a reasonable fee for administrative costs necessary to issue an additional copy of the personal data.
In case there is a security breach regarding personal data which could cause you significant damage, the company’s controller shall notify you about it without delay and take all necessary measures to eliminate the damage and limit or mitigate the harmful consequences that occurred due to the personal data security breach.