• Shopping cart content
    • Shopping cart is empty.

Privacy policy

Store » Privacy policy

Notice to individuals under Article 13 of the General Data Protection Regulation (GDPR) regarding the processing of personal data


THE CONTROLLER OF YOUR PERSONAL DATA

FINIS MUNDI, prireditvena agencija in založništvo, d.o.o.
Ravbarjeva ulica 5

1000 Ljubljana

Registration number: 2259010000

Tax number: SI 58231277
E-mail address: store@siddharta.net
phone: +386 (0)31 706 695
(hereinafter referred to as the company).

The Company is the owner and provider of the website https://store.siddharta.net (hereinafter referred to as the "Website").

The Company has not yet appointed a Data Protection Officer. You may contact us at any time at store@siddharta.net regarding the processing and protection of your personal data.

1. Overview of the legal basis and purposes of the processing of personal data and what data we process:

1.1. On the basis of negotiating or concluding a contract with you:

We process personal data for the purposes of performing contracts (e.g. distance contracts for the supply of goods) to which the company and the visitor to our website who makes a purchase on the website (the customer) are parties, whereby:

- at the time of conclusion of the contract (distance purchase), for the purposes of the performance of the contract (sale of the product via our website's online shop, its delivery and notification regarding the order), we may process the basic data of the purchaser (name and surname), his contact details (email address and telephone number), as well as the details of the purchase in question for the purposes of invoicing and delivery of the goods (date and place of purchase, products purchased, prices of the products purchased, total amount of the purchase, payment/delivery method, address, city, country, postal code for delivery/invoicing, order number and date, coupons used, order status), and other data (archive of communication between the visitor and the company, proof of consent to the General Terms of Use, etc.).

A contractual legal basis for processing personal data also exists when we communicate with you before entering into a contractual relationship (distance purchase):

- in the context of negotiation and interaction prior to purchase (e.g. when you contact us via email or contact form prior to purchase regarding a product), in which case we may process your contact details (first name, last name, email address) and any other data you provide to us for this purpose.

In the cases described above, we do not need your explicit consent to process your personal data, as the lawful basis for the processing is already based on your intention to enter into a distance contract with us for the purchase of our products, or on the fact that you are negotiating or communicating with us about this.

In the cases described above, you provide us with personal data as part of a contractual obligation or as part of the negotiation of a contract (e.g. the conclusion of a contract - i.e. the execution of a remote purchase or the sending of an enquiry, etc.), and we consequently do not need your explicit consent for the processing of your personal data described above.

If, in certain cases of processing of personal data based on a contractual relationship with you, you do not provide the data, this will in principle not have consequences for you. However, such a situation may make it difficult or even impossible for us to cooperate with you (e.g. a company may not be able to conclude a contract for the supply of goods at a distance if you do not provide it with the data for the invoicing and tax clearance of the invoice), in which case you will be informed beforehand or subsequently.

1.2. By law or regulation:

We also process personal data for the purposes of compliance with laws and regulations, in particular those governing tax and accounting (e.g. records of invoices issued and received, etc.), e.g.:

- when an inspector or other holder of public authority orders the company to entrust personal data of a specific customer/visitor to the company in accordance with the law (e.g. in the context of carrying out inspections under the provisions of the Consumer Protection Act (CPPA) and the Inspection Act (IAA),

- where a company processes personal data of a customer to whom it has issued an invoice, the company processes the invoice and the customer's data (e.g. personal name, contact details, etc.) on the basis of the Value Added Tax Act (VAT Act-1) (see section 3.2.), etc.

1.3. On the basis of your explicit consent:

We may also process your personal data on the basis of your explicit consent. The explicit consent of a website visitor or a shopper is deemed to be a voluntary declaration of will by which he or she consents to the processing of certain personal data for a specific purpose, e.g.:

- marketing communication with persons who are not yet our customers* (insofar as we have obtained your explicit consent for this purpose in our office, on a website form, etc.), where we process the data of the person who has given consent, i.e. his/her contact details (first name, last name, email address) for the purpose of sending personalised advertising messages or "newsletters",

*You can cancel this type of communication at any time by following the link contained in the e-mail or by contacting us at store@siddharta.net.

In principle, your cooperation with us and the use of our services is not conditional on your consent to the processing of personal data, insofar as this is not logically connected with the service itself or required for its performance (see section 1.1. of this chapter).


The Company guarantees the individual the right to withdraw his or her explicit consent at any time in a simple way, i.e. by contacting us at store@siddharta.net at any time in this respect (see section 5.1.).

The withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of the consent up to the moment of withdrawal.

In the event that you do not consent to the processing of your personal data, or you give your consent partially, or you withdraw your consent (partially), we will, as far as possible, only cooperate with you to the extent of the consent given or in the ways permitted by applicable law.

Consent is voluntary and if you decide not to give it or subsequently withdraw it, this shall in no way prejudice your other rights arising from your business relationship with the company or constitute an additional cost or aggravation for you.

1.4. On the basis of the legitimate interests of the company

We may process certain personal data for the purposes of safeguarding our legitimate interests, e.g.:
- for example, where the processing of your data would be necessary to protect our business against potential fraud, or necessary in light of inspection procedures or civil or other proceedings, we will only process the data that is strictly necessary for the pursuit of these legitimate business purposes.

The company may also process personal data of an individual in cases where the processing is necessary to protect the vital interests of the individual or of another natural person (e.g. accessing the address of an individual who is in imminent and serious danger in relation to a product purchased).

2. How long do we keep or process your personal data?

The period of retention of personal data depends on the basis and purpose of the processing of each category of personal data. Personal data is kept for as long as necessary to fulfil the purpose for which it was collected or as long as a regulation requires us to keep it, e.g.:

- we keep personal data of customers on invoices for 10 years, as this obligation is imposed on the company by the Law on Value Added Tax (ZDDV-1),

- for example, on the basis of a contract, the data is processed for the duration of the contract, or for six years after the termination of the contract (if the processing is necessary, for example, because there is a dispute between the individual and the company, etc.),

- on the basis of your explicit consent to marketing communications or our legitimate interest to advertise to persons who are already our customers, we keep the data until the person withdraws his/her consent.

Personal data is deleted, destroyed, blocked or anonymised after the purpose of the processing has been fulfilled.

3. Who processes your personal data within and outside the company (personal data users)?

3.1. Certain employees of the company

Your personal data is processed by specific employees of the company. Employees of the company process only the personal data they need for their work, and may also share personal data with each other to the extent permitted by their job description and the company's internal rules. All employees are committed to confidentiality and to respecting the protection of personal data.

3.2. National authorities

In certain cases prescribed by applicable law, the company is also obliged to disclose or report your personal data to the competent state authorities as well as to the authorities responsible, for example, for financial, tax or other control (e.g. the Labour Inspectorate, the Financial Administration of the Republic of Slovenia, the courts, the Office of the Information Commissioner of the Republic of Slovenia, the Market Inspectorate of the Republic of Slovenia, etc.). In certain cases, the company is also obliged to disclose the data to third parties if the company is obliged to disclose or report such data to third parties under the law or under the third parties' legal entitlement to disclose or report the information to third parties.

3.3. Contractual processing of personal data

In addition to the Company's employees, the users of personal data are also employees of the Company's contract processors, who may process personal data as confidential only on behalf of the Company and within the limits of the external processing contract that the Company has with each such processor. Contract processors may only process personal data within the scope of the instructions of the company as the controller of the personal data and may not use the data to pursue any of their own interests.
The contractual processors with which the company cooperates are:
  • persons who cooperate with us on the basis of other subcontracts or author's contracts (legal consultancy, advertising, etc.),
  • the hosting provider (see section 3.4.),
  • an accounting service,
  • delivery and forwarding services,
  • IT systems maintenance.

The company will not pass on your personal data to unauthorised third parties.

To obtain a detailed list of all of the Company's contractual sub-processors, you may contact us at store@siddharta.net.

3.4. Hosting Provider

The hosting of our website and the storage of the data you provide to us via the website (e.g. in connection with communication via the contact form on the site, when placing an order, etc.) is provided as a contractual processor by a provider with servers in Germany.

3.5. Transfer of personal data to third countries and international organisations

The company does not export personal data to third countries (i.e. outside the European Union, Iceland, Norway and Liechtenstein) and international organisations.

4. Cookies

Cookies are small text files that most modern websites store on the devices of visitors, i.e. people who use their devices to access a particular website on the internet.

We also use cookie technology on our website, which is indicated by a cookie pop-up when you first visit the website.

The pop-up also alerts you to the fact that the downloading of our cookies is optional (e.g. saving settings, adjusting the display dimensions to the device, etc.) in terms of the normal functioning of the website:
  • subject to the visitor's explicit consent (click on the "upload optional cookies" button on the first visit to the website); and,
  • under the visitor's full control, since the visitor can restrict or disable the storage of cookies in the browser used and remove the cookies uploaded at any time.
The Company uses only the "sas" cookie, which is a necessary cookie provided by the Company. This cookie enables the Company to operate its online shop normally. The cookie is automatically loaded when visiting the online shop and is stored on the visitor's device for the duration of the session.

5. What are your rights regarding your personal data and how can you exercise them?

You can contact us at any time and without any reservations at store@siddharta.net regarding this general information on the processing of your personal data or regarding the processing of your personal data by our company and our contractual processors.

You can also use the address provided to send your requests and exercise other rights related to personal data and the GDPR.

As a data subject, the GDPR provides you with the following rights:

5.1. Right of access to personal data (Article 15 GDPR)

You have the right to obtain confirmation from the Company, as the controller of your personal data, as to whether personal data concerning you is being processed and, where this is the case, to request access to the personal data concerned, together with the information referred to in Article 15(1) of the GDPR:

Where personal data are transferred to a third country or an international organisation, you, as the data subject, have the right to be informed of the appropriate safeguards in accordance with Article 46 of the GDPR in respect of such transfer.

The Company, as the controller of the personal data, may also provide you with a copy of the personal data being processed. The Company may charge you a reasonable fee, taking into account administrative costs, for additional copies you request.

Where the data subject makes the request by electronic means, and unless the data subject requests otherwise, the information shall be provided in an electronic format that is commonly used.

5.2. Right to rectification of personal data (Article 16 GDPR)

The data subject shall have the right to obtain from the Company, as the controller of the personal data, the rectification of inaccurate personal data concerning him or her without undue delay.

The data subject shall have the right, having regard to the purposes of the processing, to have incomplete personal data completed, including by submitting a supplementary declaration. The data subject may also contact the Company by e-mail at store@siddharta.net.

5.3. Right to erasure of personal data ("right to be forgotten") (Article 17 GDPR)

As a data subject, you have the right to obtain the erasure of personal data concerning you by the Company as the controller of the personal data without undue delay. However, the Company will also erase the personal data without undue delay where one of the following grounds applies:

(a) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
(b) where the processing of the personal data was carried out on the basis of your consent, which you have withdrawn;
(c) where you have objected to the processing of personal data and there are no overriding legitimate grounds for the processing,
(d) where the personal data have been unlawfully processed;
(e) if the personal data must be erased in order to comply with a legal obligation under European Union law or the law of the Republic of Slovenia,
(f) where the personal data was collected in connection with an offer of information society services (which was offered to a person under 15 years of age and to which the person's guardian has not consented).

However, in accordance with Article 17(3) of the GDPR, in certain cases you do not have the right to erasure of personal data processed by the Company (e.g. where the Company processes the data for the establishment, exercise or defence of legal claims).

5.4. Right to withdraw or partially withdraw consent

If you, as an individual, have consented to the processing of your personal data for one or more specific purposes (see section 1.3 of this General Information on the Processing of Personal Data), you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing of the data carried out on the basis of the consent until its withdrawal.

Your consent to the processing of your personal data for the purposes we have described in this information is voluntary. You may restrict or withdraw your consent to data processing at any time by contacting us at store@siddharta.net.

In the event of withdrawal of consent or partial consent, the Company reserves the right, to the extent possible, to cooperate with you only to the extent of the consent given or in the ways permitted by applicable law.

Your consent to the processing of your personal data is always voluntary and if you decide not to give your consent or subsequently withdraw it, this shall in no way affect your other rights arising from your business relationship with the Company or the GDPR. In these cases, you will also not incur any additional costs or expenses.

5.5. Right to restriction of processing (Article 18 GDPR)

As a data subject, you have the right to obtain a restriction of the processing of your personal data by the Company as controller where one of the following applies:

(a) where you, as the data subject, contest the accuracy of the data, for a period which enables the Company to verify the accuracy of the personal data;
(b) where the processing is unlawful and you, as the data subject, object to the erasure of the personal data and instead request the restriction of its use;
(c) where the Company no longer needs the personal data for the purposes of the processing, but you, as the data subject, need the personal data for the establishment, exercise or defence of legal claims;
(d) where you, as the data subject, object to processing and until it is verified whether the legitimate grounds of the Company as controller override your grounds (i.e. the grounds of the data subject).

Where the processing of personal data has been restricted, such personal data shall, with the exception of their storage, be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for an important public interest of the Union or of the Republic of Slovenia.

Where the Company, as controller, obtains a restriction of processing, it shall inform the data subject before revoking the restriction of processing.

5.6. Right to data portability

As an individual, you have the right to receive personal data relating to you that you have provided to the Company in a structured, commonly used and machine-readable format, and you have the right to have that data transferred to another controller without hindrance from the company to which the personal data have been provided, where:

(a) the processing is based on consent or on a contract; and
(b) the processing is carried out by automated means.

In exercising that right to data portability, you have the right as an individual to have your personal data directly transferred from one controller (e.g. a company) to another, where this is technically feasible.

5.7. Right to object to processing (Article 21 GDPR)

As a data subject, you have the right, on grounds relating to your particular situation, to object to processing of personal data concerning you where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company, or where the processing is necessary for the legitimate interests pursued by the company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child. The above also applies to profiling in such cases of processing.

In the event of your objection, the Company will cease processing the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of you as the data subject or the processing is necessary for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, including profiling, insofar as it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for those purposes.

In the context of the use of information society services, you, as the data subject, may exercise the right to object by automated means using technical specifications.

Where data are processed for scientific or historical research purposes, or for statistical purposes, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

5.8. Right to lodge a complaint with the supervisory authority

If you consider that the processing of personal data by the Company in relation to you infringes data protection law, you have the right, as an individual, to lodge a complaint with a supervisory authority, in particular in the country where you are habitually resident, where you work or where the infringement is alleged to have occurred (in Slovenia, the Information Commissioner), without prejudice to any other (administrative or other) legal remedy available to you (in particular in the country where you are habitually resident, where you work or where the infringement is alleged to have taken place):

- Information Commissioner, Dunajska 22, 1000 Ljubljana, e-mail: gp.ip@ip-rs.com, telephone: 012309730, website: www.ip-rs.com.

6. Protection of your personal data

The Company carefully stores and protects personal data by means of organisational, technical and logical measures.
technical procedures and measures to protect against accidental or intentional unauthorised access, destruction, alteration or loss, as well as unauthorised disclosure or other processing to which you have not explicitly consented.

To this end, the Company has also adopted appropriate internal processes and put in place various measures (e.g. assigning, using and changing passwords, locking premises, offices, and server and workstation locations, regular updating of supporting software and upgrading of security-protected components, physical protection of materials containing personal data in designated areas, training of employees, etc.). The Company also requires the same security commitments from its contractual processors.

7. Automated processing and consent-based profiling

The Company does not process personal data in an automated manner and does not create profiles.

8. Processing of personal data of persons under the age of 16 and of persons with limited or deprived legal capacity

The Company does not accept orders from persons under the age of 16 or persons with limited or no legal capacity. All such persons must leave the Online Shop immediately before navigating the Online Shop, making a purchase or otherwise interacting with the Online Shop.

The purchase process has been designed with the principle of personal data minimisation in mind, which means that the company does not collect visitors' or customers' years of birth or information on their ability to work. As a consequence, the company does not have a way of economically and efficiently verifying whether the purchase and the subsequent processing of the personal data provided are the personal data of a minor or a person who lacks full legal capacity.

Consequently, the company does not knowingly offer the products offered in the online shop of the website to persons under the age of 16 or to persons with limited or no legal capacity and does not knowingly process any personal data relating to them.

If the company itself subsequently discovers that it is processing the personal data of a minor or a person with limited or no legal capacity without the consent of the minor's parent or guardian, it will take the necessary steps to delete all personal data provided.

If the parents or guardians of such a minor or person with reduced or deprived legal capacity become aware that their child or ward is using the Website's online shop, or that he or she has voluntarily provided the Company with his or her personal data, they may notify the Company and request the deletion of the personal data by contacting store@siddharta.net.

9. Who can you contact for further clarification regarding the processing of personal data by the company and your rights?

You can contact us:
- by email: store@siddharta.net
- by regular mail to:
FINIS MUNDI, prireditvena agencija in založništvo, d.o.o.

Ravbarjeva ulica 5

1000 Ljubljana

10. Final provisions

This General Information on the processing of personal data may be updated from time to time in order to better reflect changes in data protection or for other operational and legal reasons.

Should we make any material changes to the content of this General Information on the Processing of Personal Data, we will post an announcement on our website.

This General Information on the processing of personal data is valid and applicable as of 1 August 2021.

FINIS MUNDI d.o.o.