1. Personal data protection policy
As the controller of personal data, the company Ljubljanske mlekarne wishes to inform the individuals whose personal data it processes on this site about the purposes and legal bases for the processing of personal data, the measures for data security, and their rights regarding the processing of personal data performed by the company.
The company Ljubljanske mlekarne processes personal data in accordance with Regulation (EU) 2016/697 on the protection of individuals in the processing of personal data and on the free flow of such data (hereinafter: “General Regulation”), valid Slovenian legislation in the field of personal data protection and privacy in electronic communications and other regulations governing the protection of personal data. The legal basis for the lawful processing of personal data derives from Article 6(1) of the General Regulation, namely: consent (a), execution of a contract (b), fulfillment of a legal obligation (c), performance of a task in the public interest (e) and legitimate interest (f).
The personal data protection policy describes, among other things, for what purposes and in what way we process personal data that we receive from you on the basis of the legal bases described below.
1.1 Who is the controller?
The controller of the personal data under this policy is:
Ljubljanske mlekarne d.o.o., Tolstojeva ulica 63, 1000 Ljubljana, info@si.lactalis.com.
1.2 Information on appointment of the data protection officer
In accordance with Article 37 of the General Regulation, we have appointed the company Info hiša d.o.o. as data protection officer: dpo@info-hisa.si, tel. no. 01/2355-036.
1.3 Which personal data is collected by the company Ljubljanske mlekarne and with what purpose?
1.3.1 Subscription to e-news
The information (email address) which the user enters in the form on the website for subscription to e-news will be used by the owner of the website solely for the purposes of informing the user of novelties and for sending notifications and news. The owner of the website processes the e-news through Mailchimp, an application for sending e-notifications. Personal data is stored in the Mailchimp application until the user unsubscribes from e-news. The subscription to e-news can be cancelled at any time by clicking the unsubscribe link in the footer of any e-news received from the owner. The legal basis for processing personal data is consent, which can be revoked at any time. The data will be used by the maintainers of the website and the external contractors of the services used. These users process the personal data solely according to the instructions and under the control of the controller.
1.3.2 Websites
- analytical monitoring of the website
The website www.l-m.si uses cookies in order to provide users with a smooth and pleasant user experience. For this purpose, we use either internal or external tools for analyzing the use of applications and the user experience.
With internal tools we rely on the legal basis of our legitimate interest and in the case of third-party analytical tools, we will ask you for your consent to transfer data to these tools before using them.
For analytical processing, we will store your personal data for a maximum of two years after the end of the calendar year in which they were created, or until you revoke your consent.
- cookies
Information on cookies is in the document, accessible here. In this document, you also have an option of adjusting the consent for each type of cookies.
1.4 Storage and deletion of the personal data
Personal data is processed as long as it is necessary for the fulfilment of the purpose for which the personal data was collected and processed. If the data is used based on the law, it is stored as long as the individual law prescribes.
Personal data necessary for the performance of the contract is kept for as long as it is necessary for the execution of the contract and for five years after the end of the calendar year in which the contract was terminated, except in the case where a longer retention period would be necessary due to a dispute related to the contract. In such a case, the individual’s personal data is kept for 10 years after the end of the calendar year in which the court decision, arbitration or court settlement became final, or – if there was no legal dispute – 5 years after the end of the calendar year of the date of peaceful resolution of the dispute.
Personal data that is processed on the basis of personal consent or legitimate interest is kept for a maximum of one year after the end of the calendar year. In case of revocation of consent, personal data is deleted within three months at the latest. We can delete this data even before revocation, when the purpose of personal data processing has been achieved or if it is stipulated by law. Revocation of consent does not affect the legality of data processing that was carried out on the basis of consent until its revocation.
Exceptionally, we can refuse a request for deletion for reasons set out in the General Regulation (EU), such as: exercise of the right to freedom of expression and information, fulfillment of the legal obligation of processing, reasons of public interest in the field of public health, purposes of archiving in the public interest, scientific-research or historical-research purposes or statistical purposes, exercise or defense of legal claims.
After the storage period, personal data is effectively and permanently deleted or anonymized, so that it can no longer be linked to a specific individual.
1.5 Contractual processing and export of personal data
When processing personal data, each processing or parts of processing may be entrusted to contractual processors with whom we have concluded a contract on contractual processing. These processors can process the data entrusted to them exclusively on our behalf, within the limits of the authorizations set out in the written contract or another legal act and in accordance with the purposes defined in this privacy policy.
In our work, we cooperate with contract processors from the following fields:
- provision of hosting servers;
- maintenance of information systems;
- e-mail service providers and providers of software, cloud services;
- providers of social networks (Facebook).
In order to better review and control individual processors and to ensure that mutual contractual relations are regulated, we also maintain a list of contractual processors with whom we cooperate.
For some services, we may also forward your personal data to potential partners in projects, supervisory authorities or based on the request of the judicial branch of government. In no case will we send your personal data to unauthorized third parties.
In order to send notifications via Mailchimp and with some elements of the website, we also forward your personal data to a third country (outside the member states of the European Economic Area), namely to the USA, where the country’s legislation may also allow access to your personal data to the services of that country. Relations with contract processors, co-managers or managers in third countries are governed by standard contracts adopted by the Commission (EU), whereas in cases where we cannot establish appropriate protective measures in relation to a foreign partner, we rely on your express consent.
1.6 Data security and accuracy care
As a controller, we take care of information security as well as of infrastructure security (areas and application system software).
We have implemented appropriate organizational and technical security measures, aimed at protecting personal data against accidental or illegal destruction, loss, modification, unauthorized disclosure or access, as well as against other illegal and unauthorized forms of processing.
As an individual, you are responsible for providing us with your personal information securely and for ensuring that the information provided is accurate and authentic. We, as the controller, will also do our best to ensure that the personal data we process is accurate and, if necessary, updated. Therefore, from time to time it may happen that we contact you to confirm the accuracy of the processed personal data.
1.7 The rights of an individual regarding the personal data
In accordance with the General Regulation (EU), you as an individual have the following rights relating to personal data protection:
- you can request information about whether or not we process your personal data and, if so, what data we process and on what basis we process it and why we use it;
- you can request access to your personal data, which allows you to receive a copy of the personal data we process and to check whether or not we are processing it lawfully;
- you can request corrections to your personal data, such as the correction of incomplete or inaccurate personal data;
- you can request the deletion of your personal data when there is no reason for further processing or when you exercise your right to object to further processing;
- you can object to the further processing of personal data where the organization refers to a legitimate interest (even in the case of a legitimate interest of a third party), when there are reasons related to your special situation; you have the right to object at any time if we process personal data for direct marketing purposes;
- you can request the restriction of the processing of your personal data, which means the termination of the processing of personal data, if e.g. you want us to establish the accuracy or to check the reasons for further processing of personal data;
- for data processed on the basis of a contract or consent, you can request the transfer of your personal data in a structured electronic form to another controller, insofar as this is possible and feasible;
- you can revoke the consent you gave for collecting, processing and transferring of your personal data for a specific purpose; upon receipt of notification that you have withdrawn your consent, we will stop processing personal data for the original purpose, unless we have another lawful legal basis for carrying out the processing.
Rights can be exercised by a written notice sent by e-mail to info@si.lactalis.com or by regular mail to the address Tolstojeva ulica 63, 1000 Ljubljana. We will respond to a request relating to individual rights without undue delay and in any case within one month of receiving the request. In the event that this deadline is extended (by a maximum of two additional months) taking into account the complexity and number of requests, you will be notified. Access to an individual’s personal data and the exercise of rights is free of charge to the individual, but we may charge you a reasonable fee to the extent that your request is manifestly unfounded or excessive, particularly if it is repeated. In such a case, we may also reject your request. In the case of exercising the rights under this title, we may need to request certain information from you that will help us to confirm your identity, which is a security measure to ensure that your personal information is not disclosed to unauthorized persons.
At any time, and especially if you think that our enforcement of your rights from the protection of personal data is not adequate, you can also contact our data protection officer at the address dpo@info-hisa.si.
When exercising these rights, or if you believe that your rights have been violated, you can contact the supervisory authority, which is the Information Commissioner in Slovenia, Dunajska 22, 1000 Ljubljana, https://www.ip-rs.si/.
1.8 Questions, comments and reporting of breaches
Possible questions, comments and reports of breaches may be sent to the email address info@si.lactalis.com or by regular post to our address.
1.9 Change of the policy
We make our best efforts to keep this policy in accordance with the legislation and with our actual practice in the field of processing of personal data, which is why we will amend this policy occasionally and publish it on our website.
Ljubljanske mlekarne, d.o.o.
Last confirmation of the changed policy: 27. 07. 2022