PERSONAL DATA PROTECTION POLICY
1) About Personal Data Protection Policy
The purpose of the Personal Data Protection Policy (hereinafter: Policy) is to inform Subscribers, Users, and other persons (hereinafter: Individuals) of the purposes and basis of personal data processing by the company: FINE, Publishing, Ltd., Majaronova ulica 12, 1000 Ljubljana, Slovenia which manages the website “cookwithcards.com” (hereinafter: the company) and the rights of Individuals in this area.
At the same time, this Policy additionally explains the consent for data processing.
This Policy is in accordance with Regulation (EU) 2016/679 of the European Parliament and of the European Council of April 27. 2016 on the protection of individuals in the processing of personal data and on the free flow of such data and on the repeal of Directive 95/46/EC (hereinafter the General Data Protection Regulation or GDPR), the following information is covered:
• contact information of the company and the contact of the authorized person for data protection,
• purposes, bases and types of processing of various types of personal data of Individuals, including profiling of personal data of Individuals,
• transmission of data to third parties and to third countries,
• retention time of individual types of personal data,
• the rights of Individuals in relation to the processing of personal data,
• the right to file a complaint in relation to the processing of personal data.
Where applicable, the provisions relating to Individuals also apply to issues of secrecy and confidentiality of communications of users who are legal entities.
2) Administrator and authorized person for data protection
The administrator of the personal data of individuals, which are processed in accordance with the Personal Data Protection Policy, is FINE, Publishing, Ltd., Majaronova ulica 12, 1000 Ljubljana, Slovenia.
For information on data processing, you can contact the email address info@cookwithcards.com.
3) Processing purposes and basis for data processing
Processing on the basis of a contract:
The company processes the personal data of individuals for the purposes of informing about new products and content on the website (subscribing to news, special benefits, and content articles), direct marketing purposes (online sales of products and services), segmentation purposes (subscribing to friendly and individually created emails and ads on Meta).
In the context of exercising rights and fulfilling contractual obligations, the company processes the personal data of Individuals for the following purposes:
- Email address, full name, and address (for notification purposes, sending email newsletters, advertising on Meta)
- Billing address, shipping address, email address, and phone number (to fulfill the obligations under the sales contract – creating and sending invoices)
- Company data (to fulfill obligations under the sales contract – creating and sending invoices)
Processing based on the legitimate interest pursued by the company:
The Company may also process data on the basis of a legitimate interest pursued by the Company or a third party, except when such interests are overridden by the interests or fundamental rights and freedoms of the individual to whom the personal data relates, which require the protection of personal data, in particular when the data refer to the child. When it comes to the further use of data collected about the Individual, the company makes an assessment in accordance with the General Data Protection Regulation. Such continued use of data in a pseudonymized or aggregated form, for example, constitutes the legal use of data for marketing and other business or technical analyzes by the company. As an additional measure for some forms of further traffic data, the deletion of certain data may also be used.
The individual can object to the processing in accordance with point 6/iv of the Policy.
On the basis of a legitimate interest, the company may contact individuals for the purpose of improving the services and for determining their satisfaction with the services or the user experience, even in cases where this is not absolutely necessary for the performance of the contract. Due to weighing this interest with the interests of the Individual, the Company does not re-contact those Individuals who objected to this.
In accordance with the legitimate interest, the Company may process personal data to the extent necessary and proportionate to ensure uninterrupted operation, system and information security, i.e. the ability of the information system to prevent, at a certain level of confidence, accidental events or illegal or malicious acts that threaten the accessibility, authenticity, integrity, and confidentiality of stored or transmitted personal data and the security of related services offered or accessible via networks and systems. This includes, for example, preventing unauthorized access to electronic communications networks, the spread of malicious code, denial-of-service attacks, and damage to computer and electronic communications systems.
The company has a legitimate interest in anonymizing or aggregating the data until the legal retention period expires and further using it for analysis and research for the needs of marketing, network planning, and the like.
Other legitimate interests may include preventing abuse, asserting claims, or defending against claims in administrative and judicial proceedings.
In case of suspicion of abuse, the Company may process data on Individuals to an appropriate and proportionate extent for the purpose of identification and prevention of possible fraud or abuse and may, if appropriate, forward this data to certain other persons, e.g. business partners, the police, the state prosecutor’s office or other competent authorities. For the purpose of preventing future abuses or frauds, data on the history of identified abuses are processed.
The company reserves the right to process data on the fulfillment of contractual obligations of Individuals (data on bill payments) to ensure a higher quality of its services.
Processing based on consent to the processing of personal data:
Data processing may be based on the consent given by the Individual to the Company. Consent may, for example, refer to information about offers and services, the preparation of offers adapted to individual user habits or the provision of value-added services. Notification is carried out through the channels chosen by the Individual in their consent. Email notification involves providing an email address to an external processor for the purpose of displaying the company’s advertising messages while browsing the web.
The data subject may withdraw or change their consent at any time in the same way as the consent was given or in another way as defined by the company, whereby the company reserves the right to identify the customer. Withdrawal or change of consent only applies to data processed on the basis of consent. The last consent given by the Individual and received by the company is valid. The possibility of revocation of consent does not constitute a right of withdrawal in the business relationship of the Individual with the company.
Consent can be given by one of the parents, a foster parent, or a guardian for a minor child who, according to the current legislation, cannot give consent on their own. Such consent will be valid until one of the parents, foster or guardian, or the child himself, when he acquires this right in accordance with the applicable legislation, revokes or changes it.
4) Transmission of data to third parties and transmission of data to third countries (countries that are not members of the European Union or the European Economic Area)
The company may, if this is consistent with the purpose for which personal data is processed under EU law and Slovenian regulations, transmit personal data about Individuals:
(i) to persons who perform individual processing tasks for the company, such as preparing and sending invoices or data analytics, shipping, and handling of packages, maintenance, and development of services, when these tasks include the processing of personal data to the extent necessary;
(ii) to persons who perform sales and marketing services for the company, including field sales and marketing, or cooperate with the company in the field of marketing and sales of its own services or services of third parties, to the extent necessary for such tasks as part of the purposes and grounds defined in this Policy.
If the company is connected or taken over by another company, personal data is transferred to the transferee in accordance with the law. By using our services, you consent to further processing of your personal data by the acquirer.
5) Personal data retention period
Sales data and related contact data of Individuals may be kept for the purpose of fulfilling contractual obligations until full payment for the service, or at the latest until the expiration limits in relation to an individual claim, which can range from one to five years by law. Invoices are kept for 10 years after the end of the year to which the invoice refers in accordance with the law governing value-added tax.
If traffic data is processed based on the consent of the Individual for the purpose of marketing services, selling goods, or providing value-added services, this data may be processed to the extent necessary for as long as it is necessary for such marketing or services.
6) The rights of individuals in relation to the processing of personal data
The company ensures that individuals exercise their rights without undue delay and in any case within one month of receiving the request. The company may extend the deadline for exercising the rights of the Individual by a maximum of two additional months, taking into account the complexity and number of requests. If the company extends the deadline, it shall notify the Individual of any such extension within one month of receiving the request, together with the reasons for the delay.
The company accepts requests regarding the rights of the Individual to the email address info@cookwithcards.com or by mail to the address FINE, Publishing, Ltd., Majaronova ulica 12, 1000 Ljubljana, Slovenia.
Where an Individual makes a request by electronic means, the information shall be provided by electronic means whenever possible, unless otherwise requested by the Individual.
When there is a legitimate doubt regarding the identity of an Individual who submits a request regarding one of his rights, the company may request the provision of additional information necessary to confirm the identity of the individual to whom the personal data relates.
If the Individual’s requests are clearly unfounded or excessive, in particular, because they are repeated, the Company may:
- charge a reasonable fee, taking into account the administrative costs of providing the information or message or taking the requested action, or
- refuse to act on the request.
The company allows individuals the following rights in relation to the processing of personal data:
(i) the right to access data,
(ii) the right to rectification,
(iii) right to erasure (“right to be forgotten”),
(iv) the right to restrict processing,
(v) the right to data portability,
(vi) the right to object to processing.
7) Validity of the Policy
This Policy is published on the website cookwithcards.com and comes into effect on February 1st 2023.
