Gamequiz

Privacy Policy

Controller

Mavrica d.o.o.

Website

www.knjizna-polica.si

Introduction

This document sets out the personal data protection policy under the General Data Protection Regulation (GDPR) for Mavrica d.o.o. (hereinafter: the "Controller").

The Controller manages a family of online services (hereinafter: the "Services") intended for advertising, promotion, marketing, and sales via www.knjizna-polica.si. For the purpose of its core operations, the Controller processes and stores the personal data of users of the Services (hereinafter: the "Individual").

The Individual uses the Services offered by the Controller for their own benefit, voluntarily and at their own responsibility. In the same way, the Individual also shares their personal data with the Controller, since the Controller requires certain information in order to provide the highest possible quality of Services. By providing personal data, the Individual may also personalize their experience when using the Services.

The Controller is committed to lawful and fair handling of personal, sensitive, and commercially sensitive data, which is necessary for the successful operation and quality provision of the Services.

We are committed to respecting the following principles relating to the processing of personal data:

·         Lawfulness, fairness, and transparency

·         Purpose limitation

·         Data minimization

·         Accuracy

·         Storage limitation

·         Integrity and confidentiality

·         Accountability

In order to provide quality services and fulfill legal obligations, the Controller must collect the Individual’s personal data, store it, and process it appropriately and in accordance with the principles governing personal data processing.

To comply with the law, the Controller must ensure at least one legitimate legal basis for processing personal data (collection, use, management, or disclosure). In some circumstances, the Individual’s consent is not required.

This Privacy Policy is designed to explain and ensure compliance with the law. Where there is any possibility of ambiguity, the document aims to provide a detailed and understandable explanation to reduce risk and thereby protect the Individual.

The GDPR requires a clear, understandable, and transparent explanation of how the personal data of an Individual is processed. This document provides that explanation and demonstrates compliance with the law.

Definitions

·         Data Controller means a natural or legal person, public authority, agency, or other body that processes and stores personal data.

·         Personal Data means any information relating to an identified or identifiable natural person (hereinafter: the "Individual"). An identifiable person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

·         Pseudonymization means the processing of personal data in such a way that the data can no longer be attributed to a specific Individual without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures.

·         Filing System means any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.

·         Processor means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Controller.

·         Consent of the Individual means any freely given, specific, informed, and unambiguous indication of the Individual’s wishes by which they signify agreement to the processing of personal data concerning them by a statement or clear affirmative action.

·         Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

·         Representative means a natural or legal person established in the European Union who is designated in writing by the Controller or Processor to represent the Controller or Processor with regard to its obligations.

Policy Review

This Privacy Policy will be reviewed and revised regularly to ensure legal compliance.

Principles Relating to the Processing of Personal Data

·         Have lawful grounds for collecting and using personal data

·         Not use data in ways that have unjustified adverse effects on the Individual

·         Be transparent about how the data will be used and provide appropriate, clear explanations when collecting personal data

·         Use personal data only for the purposes for which it was obtained

·         Ensure that nothing unlawful is done with the personal data

Is collected for specified, explicit, and legitimate purposes

·         Be clear about the reasons for collecting personal data and what it intends to do with it

·         Comply with the principles relating to personal data processing

·         Obtain renewed consent if the Controller wishes to process personal data for purposes incompatible with the original purpose

Is adequate, relevant, and limited to what is necessary

·         The Controller stores personal data that is sufficient for the intended processing

·         The Controller does not retain data that is unnecessary for processing

Is accurate and, where necessary, kept up to date

·         Take appropriate steps to ensure the accuracy of personal data

·         Ensure the source of personal data is clear

·         Carefully assess any challenge to the accuracy of the data

·         Consider whether updating the information is necessary

Is kept no longer than necessary

·         Review retention periods for personal data

·         Consider the purpose or purposes for which the data is stored and the relevant retention period

·         Securely delete personal data that is no longer needed

·         Update, archive, and securely erase personal data that is no longer current

Is processed in accordance with the rights of the Individual

·         The right to access a copy of the data held about them

·         The right to object to processing where it may cause harm

·         The right to object to processing for direct marketing purposes

·         The right not to be subject to decisions based solely on automated processing

·         The right, in certain circumstances, to rectification, erasure, or restriction of inaccurate or invalid data

·         The right to compensation for damage caused by non-compliance with data protection rules

Is kept secure

·         Develop and maintain security measures sufficient to protect personal data from damage caused by security incidents

·         Clearly define responsible roles within the company for data security

·         Ensure adequate technical and physical security for stored personal data

·         Be prepared to respond in the event of a breach or misuse of a personal data database

Transfers outside the EEA

Personal data is not transferred to a third country outside the EEA unless that country ensures an adequate level of protection of the rights and freedoms of Individuals in relation to the processing of personal data.

Compliance with Data Processing Principles

·         Monitors and supervises the conditions for fair data collection and processing

·         Meets legal requirements for clearly specifying the ways in which personal data is processed

·         Collects and processes personal data only to the extent necessary

·         Ensures the quality of processed data

·         Ensures the exercise of Individuals’ rights in relation to personal data processing

·         Implements appropriate technical and organizational security measures

·         Processes personal data fairly, regardless of age, religion, race, gender, sexual orientation, or disability

·         Establishes clear procedures for responding to data-related requests

Collection of Personal Data

The Controller ensures that personal data is collected in accordance with this Privacy Policy. This applies to personal data collected in person, by telephone, or electronically through forms.

Whenever personal data is collected, the Controller will, where possible, provide clear and understandable information to the Individual about which personal data is being collected, the purposes for which it will be used, the consequences of refusing to provide or allow processing of the data, and with whom such data may be shared.

The above ensures that the Individual has sufficient information to provide consent.

There are situations in which the collection of personal data is implicit, for example when communicating with support by phone or email, where personal data is necessary in order to process the request itself.

Storage of Personal Data

Personal data and records relating to Individuals are stored securely and may only be accessed by authorized persons (employees or contractual partners).

Personal data will be stored only for as long as necessary for the relevant processing purposes. Data no longer required for further processing will be deleted in accordance with the law.

Access to Data About the Individual

·         Every Individual has the right to obtain information about the personal data held about them by the Controller.

·         The Controller will take measures to ensure such data remains up to date, including asking the Individual about changes where appropriate.

·         All employees and contractual partners of the Controller are required to ensure that the Individual’s personal data is factual and not subjective.

·         A person responsible for personal data protection is appointed to oversee compliance with this Privacy Policy.

·         Anyone processing personal data understands their responsibility to follow good data protection practice and receives appropriate training and supervision.

·         Suspected or actual misuse must be reported in accordance with personal data breach reporting procedures.

·         All inquiries relating to personal data processing are handled as quickly as possible.

·         Processing procedures are regularly reviewed and updated to remain compliant with the law.

Obtaining Consent

·         Processing is necessary for the performance of a contract with the Individual, or in order to take steps before entering into a contract.

·         Processing is necessary for compliance with a legal obligation.

·         Processing is necessary to protect the vital interests of the Individual or another person.

·         Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

·         Processing is necessary for the purposes of the legitimate interests pursued by the Controller, unless such interests are overridden by the rights and interests of the Individual.

·         The Individual has given consent.

Valid Consent

·         Freely given: the Individual has a genuine choice and control over how their data is processed.

·         Specific and informed: the Individual understands all purposes of processing; where there are multiple purposes, consent must be given for each.

·         Unambiguous: the Individual understands what they are agreeing to.

·         Given by a clear affirmative action: such as a signature, oral confirmation, or electronic selection between options.

Obtaining, Storing, and Managing Consent

Consent must be clear and distinguishable from other matters, and written in an intelligible form using clear and plain language.

It must be clear who gave consent, when consent was given, how consent was given, what the consent was given for, and when consent was withdrawn.

If the Individual is still interacting with the Controller in a way for which consent has already been given, such consent is considered to remain valid. If the Individual is no longer interacting with the Controller, renewed consent may be required upon renewed interaction, depending on the time elapsed since the last interaction.

Rights of the Individual

The Controller provides information about the Individual’s rights in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in writing or electronically.

Requests relating to the Individual’s rights will be handled without undue delay and within one month of receipt, or up to two additional months where necessary, taking into account the complexity and number of requests.

If the request is submitted electronically, the response will, where possible, also be provided electronically.

The Individual has the right to lodge a complaint with a supervisory authority and the right to an effective judicial remedy.

The Individual has the right to be informed of the following when personal data is collected directly from them:

·         The identity and contact details of the Controller and its representative, if any

·         The contact details of the data protection officer, if any

·         The purposes of processing and the legal basis for processing

·         The legitimate interests pursued by the Controller or a third party

·         The recipients or categories of recipients of the personal data, if any

·         Information about any intended transfers of personal data to a third country

The Individual also has the right to be informed of:

·         The retention period for personal data, or the criteria used to determine it

·         The existence of the right to request access, rectification, erasure, restriction, objection, and data portability

·         Where processing is based on consent, the right to withdraw consent at any time

·         The right to lodge a complaint with a supervisory authority

·         Whether providing personal data is a statutory or contractual requirement, or necessary for entering into a contract, and the possible consequences of failure to provide such data

·         The existence of automated decision-making, including profiling, and meaningful information about the logic involved, significance, and consequences

The Individual has the right to obtain confirmation as to whether their personal data is being processed and, if so, access to the following:

·         The purposes of processing

·         The categories of personal data concerned

·         The recipients or categories of recipients, especially in third countries

·         The envisaged retention period, or the criteria used to determine it

·         The right to request rectification, erasure, restriction, or to object to processing

·         The right to lodge a complaint with a supervisory authority

·         Where the data was not collected from the Individual, any available information as to its source

·         Information about automated decision-making, including profiling, and meaningful information about the logic involved, significance, and consequences

Right to Erasure (“Right to be Forgotten”)

·         The data is no longer necessary for the purposes for which it was collected or otherwise processed

·         The Individual withdraws consent and there is no other legal basis for processing

·         The Individual objects to processing and there are no overriding legitimate grounds

·         The data has been processed unlawfully

·         The data must be erased to comply with a legal obligation under EU or Member State law

Right to Restriction of Processing

·         The Individual contests the accuracy of the data, for a period enabling verification

·         The processing is unlawful and the Individual opposes erasure and requests restriction instead

·         The Controller no longer needs the data, but the Individual requires it for legal claims

·         The Individual has objected to processing and verification of overriding legitimate grounds is pending

Right to Data Portability

·         The Individual has the right to receive the personal data they provided to the Controller in a structured, commonly used, machine-readable format and to transmit that data to another controller, where processing is based on consent or a contract and carried out by automated means.

Right to Object

·         The Individual has the right to object at any time to the processing of their personal data. In such a case, the Controller shall stop processing unless it demonstrates compelling legitimate grounds overriding the interests, rights, and freedoms of the Individual, or unless the processing is necessary for legal claims.

Rights in Relation to Automated Decision-Making

·         The Individual has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

·         This does not apply where the decision is necessary for entering into or performing a contract, is authorized by EU or Member State law and safeguards the Individual’s rights and interests, or is based on the Individual’s explicit consent.

Restrictions of Rights

·         national security

·         defense

·         public security

·         the prevention, investigation, detection, or prosecution of criminal offenses or execution of penalties

·         the protection of judicial independence and judicial proceedings

·         the enforcement of civil law claims

Joint Controllers

Where two or more Controllers jointly determine the purposes and means of processing, they are considered Joint Controllers.

Joint Controllers shall transparently determine their respective responsibilities for compliance with the GDPR, in particular regarding the exercise of the Individual’s rights and the provision of information, unless such responsibilities are determined by Union or Member State law.

Regardless of the arrangement, the Individual may exercise their rights in respect of and against each of the Joint Controllers.

Personal Data Breaches

·         In the event of a personal data breach, the Controller shall notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of Individuals.

·         The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.

·         The notification shall include the nature of the breach, the categories and approximate number of Individuals concerned, contact details of the responsible contact person, likely consequences, and the measures taken or proposed to address the breach.

·         The Controller shall document all personal data breaches, including the facts, effects, and remedial action taken.

Communication of a Personal Data Breach to the Individual

·         Where a personal data breach is likely to result in a high risk to the rights and freedoms of Individuals, the Controller shall communicate the breach to the Individual without undue delay in clear and plain language.

·         Such communication is not required where the Controller has implemented appropriate technical and organizational protection measures, the risk is no longer likely to materialize, or communication would involve disproportionate effort.

What Personal Data Do We Collect?

The Controller collects and stores personal data voluntarily provided by the Individual directly to the Controller when the Individual wishes to use the Services. This typically occurs when registering to use the Services.

Other situations in which the Controller may obtain personal data include prize draws, registration for secondary services, or subscription to newsletters.

The personal data we collect may include:

1.       Creating a user profile or using at least one of the Services. Such personal data may be processed for service quality, profile personalization, legal compliance, or entry into a contractual relationship. Examples include first name, last name, email address, address, telephone number, gender, date of birth, primary location, secondary location, and profile photo.

2.       Customer support requests. Where the Individual contacts customer support by email, web form, or telephone, this may include first name, last name, and email address.

3.       Registration via electronic forms or subscription to newsletters. This may include email address, first name, last name, and address.

4.       Participation in prize draws, surveys, job applications, or other activities requiring personal information.

Other categories of data may include:

·         Account-related data, such as coupon codes, purchases, and communication related to purchases (inquiries and reviews).

·         Usage data collected automatically during the use of the Services, such as device type, browser type, location, language preferences, cookies, IP address, login time, purchases, and any errors occurring during the use of the Services.

·         Data obtained from Processors.

How Do We Process Personal Data?

Use of primary services and personalization

We process personal data to authenticate and identify the Individual when logging in, to personalize displayed content, and to personalize email communications.

Communication regarding Services

We process personal data for communication related to the Services offered by the Controller and for the provision of the Services themselves. The Controller also processes personal data in relation to purchases and coupons. It is not possible to opt out of this type of processing, as it is necessary for the provision of the Service and linked to the contractual relationship between the Individual and the Controller.

Marketing and promotion of Services

Based on prior consent or use of the Services, the Controller may recommend, suggest, promote, or market new Services or offers. It is possible to opt out of this type of processing.

Customer support

Processing of personal data is necessary to provide customer support. For more accurate analysis and faster resolution of issues or disputes, the Controller may request additional personal or other information.

Security and protection

We process personal data to ensure the security and protection of Individuals, the Controller, and Processors. This includes monitoring logins, service usage, and user activity within the Services to detect threats and misuse.

Fulfillment of lawful interests

Where legally required, the Controller may process personal data without the Individual’s consent, or may consider continued use of the Service as necessary for contract performance. The Controller may also process personal data where it believes it is protecting its legitimate interests or the legitimate interests of other involved natural or legal persons.

Processing based on consent

Where none of the above legal grounds apply and the Individual has consented to processing for a specific purpose, personal data may be processed for that purpose until consent is withdrawn or until otherwise stated by an updated Privacy Policy.

How Do We Share Personal Data with Third Parties?

To ensure the quality and provision of the Services, we may share collected personal data with third parties. In such cases, the Controller has a personal data processing agreement in place with the Processor, unless the processing is necessary for the exercise of legitimate interests.

The Controller does not sell personal data databases. Personal data is processed and disclosed only for the purpose of providing the Services.

If there is no other lawful basis for sharing personal data with third parties, the Controller will obtain the Individual’s consent.

How Do We Store and Protect Personal Data?

Personal data is stored and processed on web servers located in Slovenia and the European Union. The Controller continuously strives to maintain and develop its information systems in accordance with the latest technological security standards in order to protect personal data.

Despite high standards and implemented protections, due to the nature of the Internet, the Controller cannot guarantee the prevention of all misuse of personal data after transmission from the Controller’s servers to the Individual, or in the event of a system intrusion beyond the Controller’s control or capacity to prevent.

How Long Do We Retain Personal Data?

The retention period depends on the type of personal data, the Individual’s use of the Services, the method of processing, and legal requirements.

When personal data is no longer necessary for processing, or if the Individual chooses to deactivate their profile, the Controller will delete, pseudonymize, or anonymize such data, except where retention is required for continued service provision or legal obligations.

User profile data

Data collected for a user profile is retained for as long as the user remains active, and for a reasonable period after inactivity in case the user decides to become active again. Activity may include registration, login, purchase, opening an email, or visiting a web page.

Marketing data

Personal data directly related to marketing, such as cookies and ad clicks, may be retained for a reasonable period even after consent is withdrawn if necessary for business processes or service quality.

Data collected through forms, prize draws, and other sources

Personal data collected for purposes not directly related to the primary Services may have different retention periods depending on the purpose of processing. If such data is not otherwise designated for alternative processing purposes, it may be deleted, anonymized, or pseudonymized after the relevant processing period expires.

Access to and Control of Personal Data Collections

An Individual using the Services may access personal data collections through their user profile, where they may also manage, update, and change their personal data and consent settings.

Some personal data cannot be managed directly by the user. In such cases, customer support is available to make changes, where possible, upon request.

Personal data collected through surveys, prize draws, job application forms, or other online or physical forms not linked to a user profile may still be obtained or corrected upon request through customer support.

Deactivation of a User Profile

The Individual may request deactivation of their user profile if they no longer wish to use the Services. Deactivation may be requested through customer support, which will carry it out where possible and where it does not interfere with business processes or the lawful interests of the Controller or related parties.

In the event of profile deactivation, the Controller retains collected personal data for a reasonable period in case the Individual decides to resume use of the Services.

Deletion of Personal Data

The Individual may request the deletion of personal data or restriction of its processing where this does not interfere with the Controller’s business processes and where there is no other lawful reason for continued retention. Certain types of personal data can be deleted directly through the user profile. For other types, the Individual must contact customer support.

Request for Restriction of Processing

The Individual may request restriction of the use of their personal data. For simple types of personal data, the option to restrict processing for a specific purpose may already be available in the user profile or in the footer of an email message. If such an option is not available, customer support may assist.

Data Portability

The Individual may request a set of personal data held by the Controller in a machine-readable electronic format so that it may be transferred to another similar service. The export is not automatic and is not immediate. In the case of repeated unfounded requests or requests reasonably considered abusive, the Controller reserves the right to charge a fee for the export service.

Personal Data Processors

·         Payment processors and payment service providers

·         Providers of technical or other business support services

·         Advertisers

·         Providers of communication services, such as email notifications and chat systems

·         Providers of customer management tools

·         Providers of analytics tools and service troubleshooting tools

·         Providers of services promoted, marketed, or sold by the Controller

Reporting Violations and Misuse

If an Individual suspects misuse or a violation relating to the processing of their personal data, they may report it to the Controller via the email address listed in the Contact section. The Controller will handle such requests without undue delay and within one month of receipt, or up to two additional months where necessary, depending on the complexity and number of requests.

Supervisory Authority

The Controller believes that it collects and stores personal data in accordance with the GDPR and other applicable laws of the Republic of Slovenia and the European Union.

In the event of questions or complaints relating to personal data protection, you may contact the supervisory authority in Slovenia.

Contact

Personal data is processed by Mavrica d.o.o. For all questions relating to personal data and its processing, you may contact us using the details below.

Company

Mavrica d.o.o.

Address

Gallusova 2, 3000 Celje, Slovenia

General privacy email

zal-mavrica@siol.net

Account requests email

zal-mavrica@siolnet (as provided in the source text)

Response time

Within 30 days of receipt; in more complex cases, up to an additional 60 days

Information Commissioner of the Republic of Slovenia