Sensilab farmacevtska družba d. o. o., Verovškova ulica 55a, 1000 Ljubljana, Slovenian e-mail address email@example.com (hereinafter: Sensilab or the company or provider or personal data controller) ensure the protection of your personal data and guarantees safety throughout the business interaction.
At Sensilab, we value your privacy and will always diligently protect your data.
All our online activities, connected to the collection and processing of data, are in accordance with European legislation (Regulation (EU) 2016/697 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (The EU General Data Protection Regulation (GDPR)) and Treaty Conventions ETS 108, ETS 181, ETS 185, ETS 189) and national legislation of the Republic of Slovenia (Personal Data Protection Act (ZVOP-1, Ur. l. RS, no. 94/07), Electronic Commerce Market Act (ZEPT, Ur. l. RS, no. 96/09 in 19/15) etc.).
Controller and authorised person for data protection
The personal data controller is the company SENSILAB farmacevtska družba d. o. o., Verovškova ulica 55a, 1000 Ljubljana, Slovenia.
At Sensilab, there is an authorised person in charge of data protection that is available at the following e-mail address: firstname.lastname@example.org
If you have any questions regarding the use of this policy or in connection with the exercising of your rights under this policy, please contact the Data Protection Officer through the contact listed below.
Information about the authorised person
JK Group d.o.o., Stegne 27, 1000 Ljubljana, Slovenia
Personal data or personal information is all information by which an individual can be identified (such as name, surname, e-mail address, telephone number, etc.).
The controller is a legal entity that determines the purposes and means of processing personal data.
The processor is a legal or private individual who processes personal data on behalf of the controller.
Processing is the collection, storage, access and all other forms of use of personal data.
EEA is the European Economic Area, which consists of all members of the European Union, Iceland, Norway and Lichtenstein.
SMS Club is a service provided to Sensilab users, with extra benefits for members.
Personal data is a piece of information that identifies you as an individual. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The provider, according to purposes as defined in this policy, collects the following personal data:
- basic data about the user (name, last name, residential address, date of birth, location),
- contact information and information about the user's communication with the provider (e-mail, phone number, date, time and content of the mail or e-mail communication, date, time and duration of phone calls, recording of phone calls), channel and campaign – manner of acquirement or the source through which the user came into contact with the provider (website and advertising campaign, call centre, physical shop)
- data about all the user’s purchases and issued invoices (date and place of purchase, purchased products, prices of purchased products, total purchase value, manner of payment, delivery address, number and date of the invoice, code of the person who issued the invoice, etc.) and data about resolving reclamations of products data about the user’s usage of the provider’s website (dates and times of visits, visited pages or URLs, time spend on individual pages, the number of visited pages, total time spent on the website, settings modifications on the website) and data about the user’s use (reading) of received messages (e-mail, SMS) from the provider.
- data from forms that the user has voluntarily filled out, e.g. within prize games or using configurators for identifying the optimal products for the user’s needs;
- other data that the user voluntarily provides to the controller when they are required for specific services.
The controller does not collect personal data as a member of the SMS Club unless you consent to it. Data is also collected when there is a legal basis or a legal interest by the controller for data processing.
The controller only collects the data that is relevant and necessary for the fulfilment of the purposes for which the data is processed.
The legal basis for data processing
The provider collects and processes your personal data based on the following legal grounds:
- Contract-based processing
- Processing based on the individual’s consent
- Processing on the basis of legitimate interest
Information is collected when it is necessary for entering into, executing and fulfilling contractual obligations. In this case, providing personal information is voluntary.
If you choose to not provide the company with the necessary personal data, you cannot enter into a contract with them, nor can the company provide the services or supply of products, as the company lacks the information necessary to fulfil the contract.
Processing based on the individual’s consent
Data is processed only with your explicit consent. When processing is subject to consent, we will first make sure that you have all the necessary information needed for making a decision. You can withdraw your consent at any time. If you withdraw consent, the company may not be able to provide you with their services or products.
Processing on the grounds of legitimate interest
The provider can process data on the grounds of legitimate interest for which the provider is striving, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. When using legitimate interest, the provider always makes a judgement in accordance with the General regulation on data processing.
When processing data on the grounds of legitimate interest, the user has the right to object to the data processing. You can read more about your rights below.
The purpose of data processing
The company collects and processes data for the following purposes:
Purpose of data processing
Communication via SMS
Sensilab, on a contractual legal basis, sends SMS messages to all members of the SMS club who have accepted the general terms and conditions. Based on a legitimate interest in preparing a relevant offer, we perform segmentation based on:
Personalised SMS communication with special discounts, offers and content based on individual profiles
Based on your consent, Sensilab also performs personalised communication via SMS.
We want to present you with the best possible offers and content tailored to your needs, which is why we use your profile as the basis for personalised communication.
We may use the following information for this purpose:
During this process we do not use any type of automated or semi-automated profiling, we only collect suitable user sets for individual messages. We never focus on individual user's data, we only conduct aggregate processing of large groups.
If you do not want to be included, you can object by e-mailing email@example.com or by filling out the following form www.slimjoy.com/dpo. This does not mean that the company will stop sending you SMSes unless you also unsubscribe from the SMS Club.
Unsubscribing from the SMS Club does not prevent the sending of general notifications, provided there is a legal basis for such sending. More about what constitutes a legal basis and about sending options can be found in the SMS Club General Terms and Conditions.
Legal claims, rights protection and dispute resolution
Data collection for the stated reason occurs in accordance with the law.
We collect your information in order to fulfil our legal obligations, e.g. saving invoices for tax purposes. We process your data only to the extent necessary to comply with legislation.
Processing of personal data not for the purposes of SMS Club
This policy includes the processing of personal information that occurs when an individual joins the SMS Club. The provider also wishes to draw attention to the separate processing of personal data, which applies only to existing Sensilab customers.
Pursuant to the applicable legislation (the Law on Electronic Communications), the provider has the opportunity to contact his customers, including via SMS, to inform them about similar products and services.
This means that the individual (if he or she has already made a purchase with the provider) will still receive SMSes despite signing out of the SMS club, however, these will not include the special benefits that only SMS club members receive.
You can read more about this form of personal data processing here.
Storing personal data
The provider will store your personal data only for the time necessary to realise the purpose for which the personal data was collected and further processed.
The personal data that are being processed on a legal basis the provider stores for the time period defined by law.
The personal data that are being processed based on a contract with the individual, the provider stores for the duration of the contract and 5 years after its expiration, unless there has been a dispute about the contract between the user and the provider. In this case, the provider stores data for 5 years after the finality of the court or arbitrary ruling or settlement or, if there was no judicial dispute, 5 years from the day of an amicable settlement. The provider stores the data that are processed based on personal consent, until the revocation of such consent from the user. The provider deletes these data before objection only when the purpose of storing data had already been fulfilled.
After the end of the period of personal data being stored, the controller effectively and permanently erases or anonymises the personal data so that they cannot be linked to an individual.
Detailed overview of the deadlines for data storing are listed in the table below:
Purpose of data processing
Time period of data being stored
Communication via SMS
For the duration of SMS Club membership
Personalised communication via SMS with special discounts, offers and content based on user profiles
Until revoked or for the duration of the membership
Contractual processing of personal data
Contractual processors that the controller transmits personal data are:
- an accounting service, law firms and other providers of legal counsel;
- providers of data processing and analytics;
- maintenance of IT systems, e-mail marketing services (e.g. MailChimp);
- providers of payment systems (e.g. Ayden, PayPal, PayU, Klarna, Sofort, Multibanco, dotPay and others);
- providers of systems for managing customer relations (e.g. Microsoft);
- providers of solutions for online advertising (e.g. Google, Facebook)
The provider will not forward your personal information to unauthorised parties.
Contractual processors can only process personal data within the framework of the controller’s instructions and must not use it to pursue any interests of their own.
The controller and recipients of personal data do not transmit personal data to third countries (outside of member countries of the European economic area – members of EU and Iceland, Norway and Liechtenstein) and to international organisations, except the USA - all contractual processors in the USA are in the Privacy Shield programme.
Freedom of choice
You are in control of any information you give out about yourself. If you decide you do not wish to share your data, we may not be able to provide you with certain services.
The provider is strongly committed to ensuring personal data security. Your data is, at all times, protected from loss, destruction, falsification, manipulation and unauthorised access and unauthorised disclosure.
In order to protect personal data, we take organisational and technical measure, such as:
- Employee education
- Supervision of employees and regular reviews of individual employees
- Careful selections and overview of contractors
- A backup of electronically stored data
- Regular maintenance and updating of technical equipment
- Adopting appropriate internal policies and instructions for the protection of personal data
Consent of a minor in relation to the services of the information society
Minors under 16 years of age should not transmit any personal data to websites without the permission (consent or approval) of a parent or a legal guardian. The provider will never knowingly collect personal information from minors (under 16 years of age) or in any way use or disclose them to an unauthorised third party without their parent’s or legal guardian’s permission. The above does not affect the general law of contract of member states, like regulations about validity, drawing up or effects of the contract regarding minors.
Bearing in mind the available technology, the provider will show reasonable efforts to verify that a parent of a legal guardian gave or approved consent.
Rights of the individual regarding data processing
As an individual, you have the following rights regarding fair and transparent processing, based on regulation:
The right to withdraw consent: if you have, as an individual, consented to the processing of personal data (for one or more purposes), you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Consent can be withdrawn through a written statement that is sent to the provider to one of the contacts at the provider’s website www.slimjoy.com/contact-us
Withdrawal of consent for personal data processing has no negative consequences or sanctions for the individual. However, it is possible that the controller may not be able to offer one or more of its services after the withdrawal of consent if those services cannot be performed without personal data (e.g. the benefit club or customised communication).
The right to access personal data: as an individual, you have the right to obtain from confirmation from the provider (processor of personal data) as to whether or not your personal data are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing, the categories of personal data concerned, its users, the period for which the personal data will be stored, or the criteria used to determine that period, the right to request rectification or erasure of personal data or restriction of or objection to processing of personal data, the right to lodge a complaint with a supervisory authority, the source of the data if the data were not collected from you, the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you, in accordance to Article 15 of GDPR.
The right to rectify personal data: as an individual, you have the right to obtain from the provider without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement;
The right to deletion of personal data (“the right to be forgotten”): you have the right to obtain from the provider without undue delay the deletion of your personal data when one of the below reason exists:
(a) the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed,
(b) you have withdrawn your consent, and there is no legal basis for further processing,
(c) you have objected to the processing of your personal data, and there are no overriding legitimate grounds for the processing,
(d) your personal data have been unlawfully processed,
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the provider is subject,
(f) the personal data has been collected in relation to the offer of an information society.
As an individual under certain circumstances, as defined in Article 17, paragraph 3, you do not have the right to data deletion;
The right to restriction of processing: as an individual, you have the right to obtain from the provider restriction of processing where one of the following applies:
(a) you contest the accuracy of the personal data for a period enabling the provider to verify the accuracy of the personal data,
(b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead,
(c) the provider no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims,
(d) you have objected to processing pending the verification whether the legitimate grounds of the provider override yours;
The right to data portability: you have the right to receive the personal data concerning you, which you have provided to the provider, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the provider to which the personal data have been provided, where:
(a) the processing is based on consent or on a contract; and
(b) the processing is carried out by automated means. In exercising your right to data portability, you have the right to have your personal data transmitted directly from one controller (provider) to another, where technically feasible;
The right to object to data processing: as an individual, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the provider (Article 6 (1), point (e) of GDPR), processing is necessary for the purposes of the legitimate interests pursued by the provider or by a third party (Article 6 (1) point (f) of GDPR), including profiling based on the data; the provider shall no longer process your personal data unless the provider demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing; where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Where data are processed for scientific or historical research purposes or statistical purposes, you have the right, on grounds relating to your particular situation, to object to the processing of your data, unless it is necessary for the performance of a task carried out in the public interest;
The right to lodge a complaint with a supervisory authority: without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes data protection regulations.
Without prejudice to any other administrative or non-judicial remedy, you have the right to an effective judicial remedy, against a legally binding decision of a supervisory authority concerning it, as well as where the supervisory authority which is competent does not handle a complaint or does not inform you within three months on the progress or outcome of the complaint lodged. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
The individual may address all her or his requests regarding personal data in written form to the provider, through one of the contacts at the website www.slimjoy.com/contact-us
In order to ensure reliable identification in case of a user exercising his or her rights regarding personal data, the provider may request additional data from the user and shall not refuse to act on the request of the individual, unless the provider demonstrates that it is not in a position to identify the user.
The provider must, by user’s request to exercise his or her rights in regards to data processing, provide information without undue delay and in any event within one month of receipt of the request.
Notifying the supervisory authority of personal data breach
In the case of a personal data breach, the provider is obligated to notify the supervisory authority without undue delay, unless the provider is able to demonstrate that the data breach is unlikely to result in a risk to the rights and freedoms of individuals. When there is a suspicion of a criminal offence, the provider is obligated to notify the police and/or prosecutor.
In the case of a breach that is likely to result in a high risk to the rights and freedoms of natural persons, the provider is obligated to notify the individual immediately or, if that’ is not possible, without undue delay. The notification should be in clear and comprehensible language.
Publishing of changes
Updated: 15th of June, 2020