Privacy Policy

Security and data protection

The purpose of this privacy policy is to inform individuals, customers, service users, colleagues, employees and other persons (hereinafter referred to as ‘the data subject’) who interact with ADRIAL d.o.o., Poslovna cona Žeje pri Komendi, Pod kostanji 6, 1218 Komenda, Slovenia (hereinafter referred to as ‘the company’) about the purposes and legal basis as well as the rights of persons in connection with the processing of personal data by our company.

We process personal data in accordance with European legislation, applicable Slovenian legislation on the protection of personal data (Personal Data Protection Act) and sectoral legislation that provides us with a legal basis for the processing of personal data.

All changes to this document will be published on our website. By using this website, you confirm that you have read and understood the entire content of this privacy policy .

Data controller:

ADRIAL d.o.o

Poslovna cona Žeje pri Komendi

Pod kostanji 6

1218 Komenda

Slovenia

Website: www.crulle.com

Email: info@crulle.com

Purposes and legal basis for the processing of personal data

The company collects and processes your personal data on the following legal bases:

  • the processing is necessary to comply with a legal obligation to which the controller is subject;
  • the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • the processing is necessary for the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data;
  • the data subject has given consent to the processing of their personal data for one or more specific purposes ;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Purchase of goods and services via the online shop

The company processes personal data in the context of online transactions within the framework of an online shop. Registration is required to make a purchase. Once a user has registered and created an account, they enter into a contract with the company for the provision of services for registered users. When registering a user account, the following types of personal data are processed:

  • >First name, last name, delivery addresses, email address, IP address, telephone number, information about products ordered/purchased, information about favourite products, payment details, information about discounts received or other information provided by the user in their profile.

    • The user profile also stores purchase parameters to facilitate the person's next purchase, e.g. a diopter or a specific product that the person wishes to purchase at regular intervals.

    When registering a user account, personal data is stored in the user's profile . In addition to the above purposes, they are also processed for the automatic processing of orders, displaying purchase history, evaluating offers, improving the services and offers of the online shop, increasing customer satisfaction, investigating user habits and creating special offers and benefits reserved for registered users .

    The legal basis for data processing is the contract. The retention period is until the purpose of the contract has been fulfilled or until 6 years after the termination of the contract, except in cases where a legal dispute arises between the person and the company in connection with the contract. In this case, the company will retain the data for 10 years from the final decision of the court, arbitration tribunal or judicial settlement or, if there is no dispute, for 6 years from the date of the amicable settlement of the dispute.

    For the purpose of notifying persons by email

    The company may, in the exercise of its legitimate activities, inform customers, clients and service users about its services, events, training courses, offers and other content by sending them an email to their email address. The data subject may at any time request that such communications and the processing of personal data be discontinued and that the receipt of such communications be unsubscribed by using the automatic unsubscribe link contained in each newsletter or by sending an email with the subject line ‘UNSUBSCRIBE’ to info@crulle.com.

    The legal basis for data processing is legitimate interest and consent.

    The data will be processed until the recipient revokes their consent to receive communications, until the purpose for which the data was collected no longer applies or until the purpose of processing is fulfilled. Revoking consent does not affect the lawfulness of processing based on consent before its revocation.

    Participation in competitions

    In the case of competitions or online promotions, the company may publish the names of the winners on its website. The legal basis for the processing of personal data is a contract. The retention period is until the winner has been notified. In the case of competitions or online promotions, the company may publish the names of the winners on its website. The legal basis for the processing of personal data is a contract. The retention period is until the purpose of the contract has been fulfilled or until 6 years after the end of the contract, unless there is a dispute between the company and the data subject in connection with the contract. In this case, the company will retain the data for 10 years from the final decision of a court, arbitration tribunal or judicial settlement or, if there is no dispute, for 6 years from the date of the amicable settlement of the dispute.

    To prevent misuse

    We process personal data on the basis of a legitimate interest if this is absolutely necessary to prevent misuse. On the basis of a legitimate interest, we process personal data after the termination of the contractual relationship during the period in which legal claims arising from the contract can be asserted.

    For the performance of the contract

    If the data subject enters into a contract with a company, this forms the legal basis for the processing of personal data. Personal data may therefore be processed for the conclusion and performance of a contract, e.g. for the sale of goods and services, participation in various programmes, etc. If the data subject does not provide their personal data, the company cannot conclude the contract and cannot provide the service or deliver the goods or other products in accordance with the contract, as it does not have the data necessary to fulfil the contract. On this basis, we only and exclusively process the personal data that is necessary for the conclusion and proper fulfilment of the contractual obligations. The legal basis for data processing is the contract.

    The retention period is until the purpose of the contract has been fulfilled or until 6 years after the termination of the contract, unless there is a dispute between the person and the company in connection with the contract. In this case, the company will store the data for 10 years from the final decision of a court, arbitration tribunal or judicial settlement or, if there is no dispute, for 6 years from the date of the amicable settlement of the dispute.

    Legitimate interest

    The company may also process personal data on the basis of a legitimate interest pursued by the company. The latter is not permitted if these interests outweigh the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data. If a legitimate interest exists, the company will carry out an assessment in accordance with the legal provisions. The processing of personal data of natural persons for direct marketing purposes is considered to be in the legitimate interest. The company may also process personal data of natural persons obtained from publicly available sources or in the course of the legitimate exercise of its activities for the purpose of offering goods, services, work, information about services, events, etc. For these purposes, the company may use postal mail, telephone calls, email and other means of telecommunication. For the purposes of direct marketing, the company may process the following personal data of natural persons : first and last name of the person, address of permanent or temporary residence, telephone number and email address. For the purposes of direct marketing, the company may process the aforementioned personal data even without the express consent of the data subject. The data subject may at any time request that such communications and the processing of personal data be discontinued and may unsubscribe from receiving such communications by using the unsubscribe link in the communication received or by sending a request by email or post to the company's address.

    The legal basis for data processing is legitimate interest. The data will be processed until the recipient revokes their consent to receive communications or until the purpose of the processing has been fulfilled. The revocation does not affect the lawfulness of the processing based on the consent prior to the revocation.

    Processing based on consent or acquiescence

    If the company does not have a legal basis based on a law, contractual obligation, legitimate interest or the protection of the life of the data subject, it may ask the data subject for their consent or agreement. In this way, the company may also process certain personal data of the data subject for the following purposes if they have given their consent:

    • ¬ Your home address and email address (for information and communication purposes);
    • ¬ Photos, videos and other content relating to a person (e.g. publication of images of persons on the company's website): to document activities and inform the public about the company's work and events;
    • ¬other purposes to which the data subject consents.

    If the data subject has consented to the processing of personal data and at any time no longer wishes to do so, they may request the termination of the processing of personal data by sending a request to that effect by email or post to the company's address. In exceptional cases, the company may refuse a request for erasure on the grounds set out in the General Regulations : Exercise of the right to freedom of expression and information, fulfilment of a legal obligation to process data, reasons of public interest in the area of public health, archiving purposes in the public interest, scientific or historical research or statistical purposes, exercise or defence of legal claims.

    The legal basis for the processing of the data is consent. The data will be processed until consent is withdrawn or revoked or until the purpose of the processing has been fulfilled. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent until withdrawal. Upon receipt of a withdrawal or a request for deletion, the data will be deleted within a maximum of 15 days. The company may also delete the data before revocation if the purpose of the processing of personal data has been achieved or if this is required by law .

    Processing is necessary for the protection of vital interests of the data subject

    The company may process the personal data of the data subject to the extent necessary to protect their vital interests. In urgent cases, the company may access the personal data of the data subject, verify its existence in its database and examine the medical history of the data subject, the medications and products prescribed to them or contact the data subject or their family members without the data subject's consent. This applies only if it is necessary to protect the vital interests of the data subject. interests of the data subject.

    Storage and deletion of data

    The company only stores personal data for as long as it is necessary to fulfil the purpose for which it was collected and processed. If the company processes data on the basis of laws, it will store it for the period required by law. In this case , some data will be retained for the duration of the cooperation with the company, while other data must be stored permanently. Personal data that the company processes on the basis of a contractual relationship with a person will be retained by the company for the period necessary to fulfil the contract and for a period of six years after its termination, unless a legal dispute arises between the person and the company in connection with the contract. In this case, the company will retain the data for 10 years from the final decision of a court, a termination, unless a legal dispute arises between the person and the company in connection with the contract. In this case, the company will retain the data for 10 years from the final decision of a court, arbitration tribunal or judicial settlement or, if there was no dispute, for 5 years from the date of the amicable settlement of the dispute. Personal data processed by the company on the basis of personal consent or a legitimate interest of the data subject will be retained by the company until the consent is revoked or the data subject requests the deletion of the data . Upon receipt of a withdrawal or request for deletion, the data will be deleted immediately . The company may also delete the data prior to withdrawal if the purpose of processing personal data has been achieved or if this is required by law. In the event of a person asserts their rights, the company shall retain the personal data of that person until a final decision has been made in the case and, after the final decision, in accordance with that decision.

    In exceptional cases, the company may refuse a request for deletion for the following reasons: exercise of the right to freedom of expression and information, fulfilment of a legal obligation to process, reasons of public interest in the area of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, exercise or defence of legal claims. After the expiry of the retention period, the company must effectively and permanently delete or anonymise personal data so that it can no longer be associated with a specific person.

    Users of personal data, data production and automated decision-making

    Data users include data processors whom we commission to carry out certain personal data processing operations on our behalf. We mainly work with infrastructure operators, information system operators, providers of email and SMS services and software, cloud service providers, social network providers, providers of accounting services, providers of advertising tools and call centre providers for the processing and recording of calls.

    We also work with suppliers who are essential for the provision of services and act as independent market participants, e.g. suppliers of payment, transport and delivery systems.

    The data subject has the right to request further information about which (external) users have received their personal data and what data has been provided. The list of data processors and other independent data controllers is updated regularly . Click HERE to view them.

    Information about affiliated companies:

    1. VALLIS MG, Pod kostanji 6, Business Zone Žeje pri Komenda, 1218 Komenda (company ID 6180353000),
    2. Alensa sro, Českomoravská 2408/1a, 190 00 Prague 9 - Libeň, company ID: 27179681,
    3. Alensa Medical sro, Českomoravská 2408/1a, 190 00 Prague 9 - Libeň, ID: 04486919,
    4. Adrialece d.o.o., Brune Francetića 3A, 51000, Rijeka, Croatia (ID: 040457979).

    Information about the transfer of personal data to a third country

    We do not export personal data to third countries (countries outside the EU and Iceland, Norway and Liechtenstein) and international organisations, with the exception of the use of social networks where data may be exported to the United States; in this case, the relationship with the data controllers in the US is subject to the standard contractual clauses adopted by the European Commission and/or the binding corporate rules approved by the EU.

    We do not use automated decision-making or profiling.

    Cookies

    Our website works with the help of cookies, which are important for the provision of online services and serve to store information about the status of a particular website, compile statistics about users and website traffic, etc. The website uses essential cookies that are loaded immediately , but for all other cookies we require your consent, which you can change at any time. The cookies stored by the browser can be deleted by the user.

    The list of current cookies is available on our website: .

    Data protection and data security

    The company takes care of information and infrastructure security (local and application system software). Our computer systems are protected by antivirus software and firewalls, among other things . We have taken appropriate organisational and technical security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, and other forms of unlawful and unauthorised processing. When transferring certain types of personal data, we do so in encrypted and password-protected form.

    It is the responsibility of the data subject to ensure that their personal data is provided securely and that the data provided is accurate and reliable.

    Rights of the data subject in relation to the processing of their personal data

    The data subject has the right to request information about personal data concerning them, its correction or deletion or the restriction of its processing, as well as the right to object to processing and the right to data portability. The data subject's request will be processed in accordance with the provisions of the General Regulation.

    You can exercise all of the above rights and ask any questions by sending us a request. We will respond to your request immediately, at the latest one month after receiving it. This period may be extended by up to two additional months, taking into account the complexity and number of requests. You will be informed of this, stating the reasons for the delay. The exercise of your rights is free of charge, but we may charge you a reasonable fee if the request is manifestly unfounded or excessive, in particular if it is repetitive. In such cases, we may also refuse the request. In this case, we will inform you of the reasons for the refusal and of your right to lodge a complaint with the supervisory authority. If we have doubts about your identity, we may ask you for further information necessary to establish your identity .

    You can exercise your right to lodge a complaint with the Information Commissioner of the Republic of Slovenia, Dunajska 22, 1000 Ljubljana (email: gp.ip@ip-rs.si, website: www.ip-rs.si)

    Or you can contact the competent data protection authority in your country.

    The privacy policy is valid from 1/1/2019. Last changes 18/06/2024.