1. Data Controller and Definitions
Controller is the owner, provider and manager of the Unicrystals (Website).
1.1 Personal Data
Personal data is any piece of information relating to an identified or identifiable natural person, e.g. name and surname, email address, IP address, telephone number, location, delivery address, data about purchases, etc.
A natural person is identifiable if she or he can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Controller is the legal or natural person in charge of, and responsible for, collection, storing and processing of Personal Data, regardless of whether these operations are conducted by Controller proper or by one or several third persons (Processors) on behalf of the Controller and under Controller’s orders and supervision. Regarding one individual’s Personal Data, certain processing operations may be carried out by the Controller, whereas other processing operations may be carried out by the Processors.
According to the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC – General Data Protection Regulation (GDPR) a controller is a natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of Personal Data.
1.3 Personal Data Processing
Processing of Personal Data means any operation performed on or in connection with Personal Data, such as, among others, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Put simply, most anything a Controller (or Processors, on Controller’s behalf) does with Personal Data, amounts to processing of such Personal Data.
1.4 Other Definitions
2. Personal Data that is Being Processed
Which Personal Data is being processed depends on the level of your engagement with the Controller. In principle, regarding Personal Data processing you can either be a Website visitor or a buyer of the Products, but other types of engagement with the Controller are also possible.
Please note that the Personal Data from Points 2.1 to 2.4 may be aggregated. E.g. an individual who is a buyer of Products is also invariably a Website visitor and possibly also a newsletter subscriber.
2.1 Website Visitors
The following Personal Data of every Website visitor is being processed:
- IP address of the network from which you are accessing the Website,
- Data about your device through which you access the Website,
- Data about the use of the Website:
  - Dates and times of visiting the Website,
  - Actions taken on the Website (pages visited, links clicked).
2.2 Buyers of the Products
The following Personal Data of every buyer of the Products is being processed:
- Personal Data about buyers (name, surname, address, country, email address, telephone number),
- Data about the purchase order and the purchased Products (date and time of placing the purchase order, payment method, date and time of received payments, type of Products, net price, amount of taxes, discounts, promo codes, final price, delivery costs),
- Data about the delivery of the Products (delivery address, date and time of shipping the Products, date and time of delivery of the Products, shipping provider, potential non-acceptance (date of return of the Products), potential claims and communication regarding delivery),
- Data about issued invoices (number and date of the invoice, date and time of sending the invoice),
- Data about possible Products-related claims, such as warranties and withdrawals from the contract (date and time of the claim, contents of the claim, date and time of the resolution of the claim, the result of the resolution of the claim).
2.3 Newsletter Subscribers
The following Personal Data of newsletter subscribers is being processed:
- Email address,
- Date, time and subject of every sent newsletter,
- Data on newsletter interaction: status (delivered, undelivered, opened), links clicked in the newsletter, time spent on the page visited from newsletter link.
2.4 Offline Contacts
The following Personal Data of individuals who interact with Controller off the Website and emails is being processed:
- Name, surname, email address,
- Occasion of obtaining Personal Data, e.g. event, presentation, trade-show,
- Date of obtaining Personal Data.
2.5 No Obligation to Provide Personal Data
An individual may freely decide whether they want to provide their Personal Data or not. There is no obligation and there are no negative legal consequences if one chooses not to provide it. However, not providing certain Personal Data may result in the inability to use the Website or some of its functionalities or to buy Products (e.g. we cannot and shall not allow the User to place a purchase order and buy Products on the Website if they fail to provide us with the delivery address).
3. Purposes of Personal Data Processing
3.1 Concluding and Fulfilling a Contract
Controller has to process (use) certain Personal Data, such as contact and payment data, in order to be able to process purchase orders made on the Website and to be able to fulfill its obligations regarding the purchase order (e.g. delivery of the purchased Products). Controller also needs certain Personal Data to be able to issue and send an invoice for the purchases, which is its legal obligation.
Controller needs certain Personal Data, such as email address, to communicate with the User in relation to the purchase orders, delivery of Products, and possible claims.
Controller also sends newsletters to Users who consented (subscribed) to receive them. Users can unsubscribe at any time.
3.3 Security and Prevention of Fraud
Certain Personal Data, such as IP address, is needed for security reasons, such as to prevent, detect, fight and prosecute attacks or fraud attempts on the Website.
3.4 Statistics and Analytics
Certain Personal Data, such as the data about the use of the Website, is needed for statistical and analytical purposes, with the aim of improving Website functioning and functionalities. Normally, such data is being processed in an aggregated and therefore anonymised form.
4. Legal Grounds for Processing
4.1 Contractual Relationship with the Buyer of Products
By paying for the purchase order placed on the Website, the User enters into a contract with the Controller. Certain Personal Data is needed by the Controller in order for it to be able to fulfill its contractual obligations stemming from the contract, such as, among others, delivery of the purchased Products.
4.2 Compliance with a Legal Obligation
In certain circumstances, the Controller needs to process Personal Data to comply with a legal obligation, e.g. to issue and send an invoice for the Purchased items or to respond to court or law enforcement orders to provide or disclose certain information, such as information about (credit card) fraud, or to inform the Users of a security incident regarding their Personal Data.
4.3 Controller’s Legitimate Interest
In certain cases the Controller has a legitimate interest in the processing of Personal Data. Such cases may include:
- Communication related to the Website, such as notifications of new functionalities, scheduled maintenance, security risks etc.,
- Use of Personal Data for the development, provision, enhancement, and improvement of the Website,
- Sending of surveys and polls,
- Sending of promotional messages related to the purchases on the Website (in line with the EU rules on commercial messages based on the ePrivacy Directive / Regulation),
- Prevention and detection of illegal or harmful activities, e.g. by storing Users’ IP addresses and the dates and times of their visits to the Website,
- Sale of the Website to a third party, mergers and acquisition: in such a case the Controller may transfer the Personal Data to a third party.
4.4 User’s Consent
The Controller may ask the Users to consent to:
- Receiving of newsletter,
- Promotional communication by our partner companies (3rd parties),
- Marketing automation, segmentation and profiling,
- Transfer of Personal Data to third parties (unless we are obliged by the law to transfer the data or unless some other legal grounds for the transfer exist),
- Transfer of Personal Data to countries other than the European Economic Area (EEA) members (unless some other legal grounds for the transfer exist).
Users have to be at least 15 years of age to be able to give a valid consent.
Users may withdraw their consent at any time without any negative legal consequences and free of charge. Click here for more.
5. Storage (Retention) Period
Unless expressly stated otherwise hereunder, the Controller shall retain and process the Personal Data for as long as necessary for the purposes for which the personal data are processed.
The Controller shall retain certain Personal Data for as long as necessary to comply with its legal obligations, to resolve disputes, and to enforce the contract. Typically, the retention period for this type of data shall be 5 years from the date of delivery of the Products. In case of a dispute, the retention period shall typically be 5 years from the date of the final judgment or other decision or agreement.
The Controller shall store the data related to security and prevention of illegal or harmful activity (e.g. Users’ IP addresses and the dates and times of their visits to the Website) for 12 months.
The Personal Data which is being processed based on User’s consent shall be stored for as long as the consent has not been withdrawn, unless the purpose for which the data has been processed has been fulfilled before that.
After the expiry of the retention period, the Controller shall either delete or anonymise the Personal Data.
6. Location of Personal Data and Access
Controller keeps the Personal Data on servers located in the European Economic Area (EEA) countries. Controller does not transfer or give access to Personal Data to persons who would transfer the data outside the EEA.
Controller uses the services of certain 3rd parties which may, in the performance of their services, process Personal Data or have access thereto. Their processing of Personal Data shall always be governed by a written agreement entered into between Controller and such third parties, making sure that they only process the Personal Data for the defined purposes and in line with Controller’s written instructions. Such 3rd parties include:
- Server hosting providers,
- Email (marketing) providers,
- Digital marketing providers,
- Web Analytics providers,
- Marketing automation providers,
- Accounting services providers,
- Legal services providers.
Controller enables access to Personal Data to its employees, officers and other persons working on its behalf and under its supervision on a strict need-to-know basis, such access being limited to certain sets of Personal Data, in line with Controller’s internal policies on Personal Data processing and safety.
7. User’s Rights and Enforcement
Users can send any claims or inquiries related to Personal Data and to the enforcement of their rights related thereto to the email address email@example.com. Controller may ask for additional information if it is reasonably unable to identify the User based solely on the email message. Controller may refuse the execution of the claim or request if it is unable to identify the User.
7.1 Right to Information and to Access Personal Data
Users have the right to obtain confirmation from Controller as to whether or not their Personal Data is being processed, and, where that is the case, the right to access the Personal Data and the following information: the purposes of the processing, the categories of Personal Data concerned, its users, the period for which the Personal Data will be stored, or the criteria used to determine that period, the right to request rectification or erasure of Personal Data or restriction of or objection to processing of Personal Data, the right to lodge a complaint with a supervisory authority, the source of the data if the data were not collected from the User, the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the User.
Users may request a copy of their Personal Data which is being processed. For any further copies, Processor may charge a reasonable fee based on administrative costs. If the request is made by electronic means, and unless otherwise requested, the information shall be provided in a commonly used electronic form.
7.2 Right to Withdraw Consent
Users may withdraw their consent to processing of their Personal Data at any time. The withdrawal of consent only affects those sets of Personal Data that were being processed based on such consent. Controller may still process other sets of Personal Data based on other legal grounds (click here for more information about legal grounds for processing).
Consent can be withdrawn by a written statement that is sent to the email address firstname.lastname@example.org or (in case of newsletter) by clicking on the unsubscribe link.
Withdrawal of consent has no adverse effect for the User. It is, however, possible that Processor may not be able to provide some of our services after the withdrawal of consent, if such services cannot be performed without the processing of the Personal Data in question.
7.3 Right to Deletion of Personal Data (Right to be Forgotten)
Users have the right to request Controller to delete without undue delay their Personal Data when one of the below reasons exists:
- The Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- User has withdrawn their consent, and there are no other legal grounds for further processing;
- User has objected to the processing of their Personal Data, and there are no overriding legitimate grounds for processing;
- Personal data has been unlawfully processed;
- Personal data has to be erased for compliance with a legal obligation in the European Union or Member State law;
- The Personal Data has been collected in relation to the offer of information society.
Under certain circumstances, as defined in Article 17, paragraph 3 GDPR, Users do not have the right to data deletion.
7.4 Right to Rectify Personal Data
Users have the right to request Controller to rectify inaccurate Personal Data without undue delay.
7.5 Right to Restriction of Processing
Users have the right to request Controller to restrict the processing of their Personal Data where one of the following applies:
- User contested the accuracy of the Personal Data, for a period enabling Controller to verify the accuracy of the claim;
- The processing is unlawful, and User opposes the erasure of the Personal Data and requests the restriction of their use instead;
- Controller no longer needs Personal Data for the purposes of the processing, but they are required by the User for the establishment, exercise or defence of legal claims;
- User has objected to processing pending the verification whether Controller’s legitimate interests override User’s rights.
7.6 Right to Data Portability
Users have the right to receive the Personal Data concerning them, which they have provided to Controller, in a structured, commonly used and machine-readable format, and have the right to transmit such data to another controller without hindrance from Controller, where:
- The processing is based on consent or on a contract; and
- The processing is carried out by automated means.
In exercising the right to data portability, Users have the right to have their Personal Data transmitted directly from Controller to another controller of their choice, if this is technically feasible.
7.7 Right to Object to Personal Data Processing
Users have the right to object, on grounds relating to their particular situation, at any time to processing of their Personal Data that is necessary for the purposes of the legitimate interests pursued by Controller, including profiling based on the Personal Data; Controller shall no longer process the Personal Data in question unless it can demonstrate compelling legitimate grounds for the processing which override User’s interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
Where Personal Data is processed for direct marketing purposes, Users have the right to object at any time to processing of their Personal Data for such marketing, which includes profiling, to the extent that it is related to such direct marketing.
7.8 Right to Lodge a Complaint With the Supervisory Authority
Users have the right to lodge a complaint with a supervisory authority, in particular in the European Union Member State of their habitual residence, place of work or place of the alleged infringement.
In Slovenia, Users can lodge a complaint to: Informacijski pooblaščenec, Dunajska cesta 22, 1000 Ljubljana, email@example.com.