Pawital Privacy Policy

1. General provisions, controller and data protection officer

1.1. General

This privacy policy (hereinafter referred to as the "Policy") contains all information about the collection, storage and processing of personal data of users and customers of the online shop at www.pawital.com (hereinafter referred to as the "Online Shop").

1.2. Operator

The controller of the personal data is the company Pawital, trgovina za male živali, d.o.o., Bleiweisova cesta 30, 4000 Kranj, Slovenia, registered number: 9388982000, VAT identification number: SI81074964, info@pawital.com (hereinafter referred to as the controller). The controller also manages the online shop.

1.3. Data Protection Officer

The Data Protection Officer (DPO) is JK Group d.o.o., Stegne 27, 1000 Ljubljana, Slovenia, who can be contacted at dpo@jkgroup.si (solely for communications related to personal data).

1.4. Cookies

You can read all about the use of cookies in the online shop in the Cookie Policy.

2. Definitions

Personal data is any information or combination of information from which an individual can be uniquely identified.

Processing of personal data is any activity relating to personal data.

The controller is the person who determines the purposes and means of the processing of personal data.

A processor is a person who processes personal data or carries out individual data processing operations under the authority of the controller.

The data subject is the natural person whose data is being processed.

3. What personal data is collected and processed

The controller shall only collect personal data that is adequate, relevant and necessary to achieve the purposes for which it is processed.

The controller collects and processes the following types of personal data:

• identification data of customers in the online shop (name and surname, residential address, email address, etc.);
• information about purchases made in the online shop, invoices issued, complaints, etc. (date of purchase, products purchased, prices, discounts, amount of purchase, method of payment, delivery address, invoice number and date, complaints, etc.);
• contact details and details of the user's or customer's communication with the controller (email address, telephone number, date, time and content of the communication, etc.);
• data on the use of the online shop (dates and times of visits to the online shop, pages or URLs visited, time spent on each page, number of pages visited, total time spent in the online shop, settings in the online shop) and data on the messages received from the controller (email, SMS, social media messages), ...;
• personal data relating to prize draws and similar promotions (date of the prize draw or promotion, data entered or otherwise provided by the user or customer);;
• other information voluntarily provided by the customer or user to the controller when making a request for certain services;
• data collected through cookies and similar technologies, which you can read more about here.

4. Purposes of the processing of personal data

The Controller collects and processes personal data of individuals for the following purposes:

The purpose of	Explanatory note
The conclusion and performance of obligations and the exercise of the controller's rights arising from a contract concluded with an individual, including the settlement of disputes.	This includes delivery, complaints, warranty claims, communication, etc. The provision of data is mandatory if the data subject wishes to enter into a contract with the controller (to buy a product in an online shop). The legal basis for processing is a (pre-)contractual relationship; for certain data that the controller needs for the purpose of dispute resolution, the legal basis may also be the legitimate interest of the controller.
Using your account/profile in the online shop.	The Controller allows the individual to access information about past purchases and to edit his/her personal data, such as the delivery address, through the user account/profile in the online shop. They can also give or withdraw consent to the processing of personal data within their account/profile. The controller processes personal data on the basis of its legitimate interest, and the part relating to the giving and withdrawal of consent on the basis of compliance with a legal obligation. The provision of personal data is voluntary; the controller also allows customers without a user account/profile to make purchases in the online shop.
Compliance with the tax obligations of the controller.	Issue and storage of issued invoices.
Communication between the operator and individuals regarding the sale of products and responding to individual enquiries.	Processing is carried out on the basis of a legitimate interest and, in certain cases, on the basis of a (pre-)contractual relationship between the controller and the data subject.
Internal analysis of sales, repeat purchases, aggregate customer behaviour, advertising optimisation and business optimisation, based on online shopper data.	Monitoring how many customers are repurchasing, how quickly and at what value; monitoring general statistics: average purchase value, average number of products per purchase, etc. (data are collected in aggregate, not at individual level); Monitoring responses to emails and various advertising messages and optimising advertising campaigns. The legal basis for processing the data is the legitimate interest of the controller.
Processing of data on undelivered distance orders (cash on delivery) to prevent fraud.	By processing this personal data, the controller identifies which customers frequently order cash on delivery products and then do not take delivery of these products, thereby causing damage to the controller which it is in the controller's legitimate interest to prevent or minimise. The operator prevents such customers from making cash on delivery, but they are still able to order products with immediate payment.
Directly informing customers by email, SMS or other messages.	Pursuant to the Act on Electronic Communications of the Republic of Slovenia (ZEKom-2) and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the field of electronic communications (Directive on privacy and electronic communications), the Controller informs existing purchasers of products about its similar products that have already been purchased by purchasers. The Customer may at any time request the termination of such communication and processing of personal data (right to object) by clicking on the unsubscribe link in the messages received or by sending a written request to dpo@jkgroup.si. The legal basis for the processing of personal data is the legitimate interest of the controller, which is confirmed by law.
Directly informing individuals about special offers and other content by email, SMS or other messages.	The controller informs the data subject about its products and other content on the basis of consent. The data subject may at any time request the cessation of such communication and processing of personal data by withdrawing consent, either by clicking on the unsubscribe link in the communications received or by sending a written request to dpo@jkgroup.si.
Basic personalised communication with individuals (no profiling).	In the context of basic personalised communication (via email, SMS and other notifications), the controller sends relevant offers, discounts and other content that the controller considers may be of interest to the individual and that the individual is likely to respond to, based on past interactions with the individual. The controller uses the following personal data: Gender, age; details of previous purchases from the online shop; information about past views of specific products or content in the online shop. The Controller does not use automatic profiling, but simply selects the appropriate recipient sets for each message sent. It never monitors or controls the behaviour of individuals, but processes data in aggregate, in groups. On the basis of this processing of personal data, a particular group of recipients may receive a message with a different content from another group of recipients. The data subject may at any time request the cessation of such communication and processing of personal data by clicking on the unsubscribe link in the messages received or by sending a written request to dpo@jkgroup.si.
Communicating with the individual about the pending purchase.	For users who have started but not completed a purchase, the Controller sends emails, SMS or other messages with the aim of attempting to complete the purchase or providing assistance and information in this respect. The legal basis for the processing of personal data is the legitimate interest of the controller. The data subject may at any time request the cessation of such communication and processing of personal data by clicking on the unsubscribe link in the messages received or by sending a written request to dpo@jkgroup.si.
Communication with an individual based on their use of an online shop or viewing products.	The Controller periodically sends emails, SMS or other messages to individuals who have viewed the same product in the online shop a certain number of times during a certain period of time, in relation to the product viewed, with the intention of triggering a purchase of that product. The legal basis for the processing of personal data is the legitimate interest of the controller (if the individual is an existing purchaser of products in the online shop) or the consent of the individual (if the individual, who is not an existing purchaser of products in the online shop, has consented to receive marketing communications). If the individual is neither a purchaser nor has not consented to receive marketing communications, the controller shall not send such communications to the individual.
Communicate with personalised offers and content based on your profile.	On the basis of the consent of the data subject, the controller carries out personalised communication, which is carried out through different communication channels (online shop, websites, emails, phone calls, browser notifications, information in the online shop, social networks, etc.). The legal basis for the processing of personal data is the consent of the data subject. The following types of personal data may be used by the controller for the purpose stated: gender, age, address of residence; details of previous purchases from the online shop; answers to questionnaires; online shop behaviour (viewing individual products or content, adding products to your shopping basket, etc.); how the individual responds to the communication (opening messages, clicking on links, making purchases). The user profile created can then be used to determine what content and offers the individual receives from the controller and how much of it. The data subject may at any time request the cessation of such communication and processing of personal data by clicking on the unsubscribe link in the communications received or by sending a written request to dpo@jkgroup.si.
Using Facebook Custom Audiences	Facebook Custom Audiences are groups of individuals who already have a certain relationship or connection with the operator or online shop (e.g. existing customers or visitors to the online shop, or individuals who have viewed the operator's or online shop's content on Facebook or Instagram). The processing of personal data is carried out as follows: List of users based on the data provided: the controller sends the email address or telephone number of the individual to Facebook; Facebook compares the email address or phone number with its user database to determine whether the individual with that email address or phone number is also a Facebook user; if this is not the case, Facebook does not perform any activities with such an email address or number; if the user is a Facebook user, Facebook adds the individual to a list of personalised audiences, which allows the controller to serve personalised ads to that group of users on Facebook and Instagram, according to parameters defined by the controller. Visitors to the online shop (using Meta Pixel): if the individual has consented to the use of cookies and similar technologies, Facebook can check whether the individual is a Facebook user when visiting an online shop; if this is not the case, Facebook will not take any action in relation to such an individual; if it is a Facebook user, Facebook adds that individual to a list of personalised audiences, which allows the controller to show personalised ads to that group of users on Facebook and Instagram, according to parameters defined by the controller (e.g. the controller can choose to show ads to all visitors to the online shop, only to visitors who visited the online shop during a certain period, only to visitors who viewed a certain content or product, etc.). A list of users based on interactions with Facebook or Instagram: the controller defines the parameters on the basis of which Facebook lists the individual according to the individual's actions on Facebook or Instragram. These actions can be: Viewing, liking, following or interacting with the controller's (Fb or Ig) page, including sending messages; liking or commenting on an ad on Fb or Ig; or clicking on a button in an ad that triggers an action; saving a specific post on Fb or Ig. Based on Facebook Custom Audiences, the operator can show more targeted (targeted) and personalised ads and additional discounts to individuals on Facebook or Instragram. The legal basis is consent (for communication with personalised offers and content based on the user's profile). The data subject may, at any time, request the cessation of such processing of personal data by writing to dpo@jkgroup.si.
Using Google Remarketing	The use of Google Remarketing enables the controller to serve Google ads for its products to an individual based on the products that the individual views in the online store, other websites and apps (including YouTube). Google uses cookies to "remember" your device (computer, phone, tablet), your visit to an online shop and the products you have viewed. When an individual visits a website or uses an app that is part of Google's Display Network, Google may show them an ad for the product they have viewed. For the use of Google Remarketing, the name, email address and telephone number of the individual are processed and sent to Google, but in an anonymous form. Therefore, the controller cannot establish that the individual has made a purchase in an online shop after clicking on a specific Google ad. The legal basis for the processing of data is the consent of the data subject. The data subject may, at any time, request the cessation of such processing of personal data by writing to dpo@jkgroup.si.

5. Legal bases for the processing of personal data

The Controller collects and processes your personal data on the following legal bases:

• the consent of the individual (user or customer);
• a contractual or pre-contractual relationship with an individual (customer or user);
• compliance with a legal obligation to which the controller or a third party is subject;
• where there is a legitimate interest in doing so which overrides the interests of the data subject (user or customer).

5.1. Processing on the basis of consent (consent)

The controller shall process personal data where there is explicit consent from the data subject. In this case, the controller shall ensure in advance that the data subject has all the information he or she needs to decide whether or not to give consent. Consent may be withdrawn at any time without penalty... It is possible that, if consent is withdrawn, the controller will not be able to provide certain services to the individual who has withdrawn consent.

5.2. Processing on the basis of a (pre-)contract

The controller shall process personal data where this is necessary for the conclusion, performance and observance of the contractual obligations between the controller and the data subject. The provision of personal data in this case is voluntary. If the data subject does not provide the personal data, the data subject cannot conclude the contract, nor can the controller deliver the products from the online shop to the data subject.

5.3 Processing for compliance with a legal obligation of the controller

The controller also processes personal data where required to do so by law (e.g. mandatory issuance and retention of invoices; transmission of data to courts and law enforcement authorities in certain cases). 

5.4. Processing based on the legitimate interest of the controller

The controller shall also process personal data on the basis of a legitimate interest pursued by the controller, except where such interest is overridden by the interests or fundamental rights and freedoms of the data subject. In case of reliance on legitimate interest, the controller shall always carry out a legitimate interest test beforehand.

In the case of processing based on legitimate interest, the data subject has the right to object to the processing.

6. Period of processing (storage) of personal data

The controller shall process and store personal data only for as long as is necessary to fulfil the purpose for which the personal data were collected.

Personal data processed by the controller for the purposes of compliance with a legal obligation shall be kept by the controller for the period specified by law.

Personal data processed by the controller as a result of a (pre)contractual relationship with the data subject shall be kept by the controller for the period necessary for the performance of the contract and for a period of 5 years after termination of the contract, except in cases where there is a dispute between the data subject and the controller in relation to the contract, in which case the controller shall keep the data for a period of 5 years after the final judgment or arbitral award or settlement or, in the absence of a court dispute, for a period of 5 years from the date of amicable settlement of the dispute.

Personal data processed by the controller on the basis of the personal consent of the data subject shall be kept by the controller permanently, until the revocation of that consent by the data subject.

After the retention period has expired, the controller shall erase or anonymise the personal data in an effective and permanent manner so that they can no longer be associated with a specific individual.

7. To whom the personal data are disclosed

The controller engages other persons (hereinafter referred to as "contract processors") to carry out specific tasks in relation to the processing of personal data. Contract processors may process the personal data entrusted to them only on behalf of the controller and within the limits of the controller's authorisation and may not use the personal data entrusted to them for their own purposes.

The contractual processors are:

• providers and maintainers of IT systems
• bulk email providers;
• payment service providers
• providers of customer relationship management (CRM) systems;
• online advertising providers;
• accounting services; law firms and other providers of legal advice;
• data processing and business analytics providers.

The Controller and the Contract Processors do not export personal data to third countries, i.e. outside the Member States of the European Economic Area, with the exception of the USA, but all Contract Processors in the USA are included in the Data Privacy Framework (DPF), which allows transfers of personal data to Contract Processors in the USA.

8. Personal data insurance

The controller shall endeavour to protect personal data at all times against loss, destruction, falsification, manipulation and unauthorised access or disclosure. The controller shall take appropriate organisational and technical measures to ensure the security of the data.

9. Rights of the data subject with regard to the processing of personal data

The controller shall respond to a request by an individual to exercise his or her rights concerning personal data without undue delay and at the latest within one month of receipt of the request.

The data subject has the following rights in relation to the processing of his or her personal data:

Right of access to personal data: The right to obtain confirmation from the controller as to whether personal data relating to him or her are being processed and, if so, access to the personal data and the right to obtain certain information (purposes of processing; types of personal data; users; retention period; existence of a right to rectification or erasure; the right to restrict processing and object to processing; the right to lodge a complaint with a supervisory authority; the source of the data, if the data were not collected from the data subject; the existence of automated decision-making, including profiling, the reasons for it and the meaning and consequences of such processing for the data subject).

Right to rectification of personal data: the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data and the completion of incomplete data concerning the data subject. 

Right to withdraw consent: the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until its withdrawal.

Consent may be withdrawn by written request to dpo@jkgroup.si. Withdrawal of consent does not have any negative consequences or sanctions for the individual.

Right to restriction of processing: the right to request that the controller restrict processing where:

• the data subject contests the accuracy of the data for a period which allows the controller to verify the accuracy of the data;
• the processing is unlawful and the data subject objects to the erasure of the data and requests instead that its use be restricted;
• the controller no longer needs the data for the purposes of the processing, but the data subject needs them for the establishment, exercise and defence of legal claims;
• the data subject has lodged an objection to the processing, pending verification whether the legitimate grounds of the controller override those of the data subject.

Right to erasure of personal data ("right to be forgotten"): the right to request the erasure by the controller, without undue delay, of personal data concerning an individual, where one of the following grounds applies:

• the data are no longer necessary for the purposes for which they were collected or otherwise processed;
• where the data subject withdraws consent and there is no other legal basis for the processing;
• if the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
• the data has been processed unlawfully;
• the data must be erased in order to comply with legal obligations under EU law or the law of the Member State to which the controller is subject;
• data collected in relation to information society services.

Right to data portability: the right of the data subject to receive his or her personal data that he or she has provided to a controller in a structured, commonly used and machine-readable format, and the right to communicate those data to another controller without being subject to any obligation on the part of the first controller to:

• the processing is based on consent or on a contract; and
• is carried out by automated means.

Where technically feasible, the data subject may request that the personal data be transferred directly from one controller to another.

Right to object to processing: the right of the data subject to object at any time, on grounds relating to his or her personal situation, to processing of personal data which is necessary for the legitimate interests pursued by the controller or by a third party, including profiling based on that processing; the controller shall no longer process the personal data unless he or she demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or if the controller needs the data for the establishment, exercise or defence of legal claims.

Where personal data are processed for marketing purposes, the data subject shall have the right to object at any time to processing of data concerning him or her for the purposes of such marketing, including profiling insofar as it is related to such direct marketing; where the data subject objects to processing for direct marketing purposes, the data shall no longer be processed for those purposes.

Right to lodge a complaint with a supervisory authority: the right of an individual to lodge a complaint with a supervisory authority, in particular in the country where he or she resides, where he or she has his or her place of work or where the breach occurred (in Slovenia, the Information Commissioner), if he or she considers that the processing of personal data concerning him or her infringes the rules on the protection of personal data.

The individual also has the right to an effective remedy against a legally binding decision of the supervisory authority, as well as in the event that the supervisory authority fails to consider the individual's complaint or to inform the individual within three months of the state of the case or of the decision on the complaint.

This policy is valid from 7.9.2023