PRIVACY AND DATA PROTECTION NOTICE
1. About the Company
The company VEROPOULOS DOO BEOGRAD, based at Milutina Milankovića 86a, Beograd, Republic of Serbia, registration no. 17330012, e-mail address email@example.com („Company“) is the controller of the personal data of the loyalty program Vero klub and determines the purposes and means of the processing of personal data with aim of realization of a loyalty program Vero klub entirely in accordance with the Law on personal data protection (Official Gazette of RS, no. 87/2018)(“Law”), other pieces of legislation and by-laws and current standards in field of personal data protection.
In collecting and processing personal data, the Company comply with the laws and acts in a fair and transparent manner, and personal data are collected and processed for specified, permitted purposes, whereby only necessary data is processing for the purpose for which it was collected and processed and stored only as necessary for the purpose of processing and in accordance with the law. The Company take steps to keep personal accurate and ensures correction of personal data and erasure of inaccurate personal data. In its operations, the Company ensures the security of personal data from loss, destruction, damage, as well as from unauthorized or unlawful processing.
2. Data that the Company collects through the loyalty program Vero klub, purpose and legal grounds
The Company collects and processes following personal data of natural persons for achievement of goals of the loyalty program Vero klub. For the membership in the loyalty program Vero klub: Full name, gender, date of birth, residing address, phone number, e-mail address. For the purpose of providing better services by the Company and developing the loyalty program Vero klub: marital status, number and gender of children and their date of birth, household members number, data on pets, possessing of a car, vegetarianism, needs for gluten free products, interests in sugar free products, membership data (used benefits, membership starting date), communication channels data (Viber, sms, social networks Facebook and Instagram, websites www.supervero.rs and www.veroklub.rs, mobile application Super Vero, (paying transactions history, Vero klub interactions and history).
By joining the loyalty program Vero klub and accepting the terms and conditions of the loyalty program Vero klub the Company and a member of the loyalty program Vero klub enter into a contractual relationship. In order to conclude such contract and fulfil its obligations under it, the Company processes personal data. In performing promotional activities through various communication channels (telephone, post, direct e-mail, website chat, social networks) the Company processes personal data based on a consent, for the purpose of informing members of the loyalty program Vero klub on special offers, activities and benefits which may be of the interest of a member of the loyalty program Vero klub. A given consent may be withdrawn at any time by sending an e-mail to firstname.lastname@example.org or by signing-in to their online Vero klub Account at www.veroklub.rs and select or deselect communications channels as well as to withdraw the given consent. Any such changes to direct marketing preferences will be realized within 30 days from the day requested, due to technical reasons. In case the member has opted-out from all communications channels we won’t be able to communicate to this member regarding its Vero klub card or Super Vero points status and expiration. In addition such an opt-out choice shall not affect the ability of the Company to communicate to any member any non-commercial or direct marketing communication such as the changes in these present terms and conditions.
The Vero klub member has a right to access, correct and update its personal data. In order to fully satisfies needs of a member of the Vero klub and to achieve goals of the loyalty program, a member of the Vero klub should promptly notify the Company of:
- any change of its registered home address, by sending an email to email@example.com , or online Vero klub Account at www.veroklub.rs .
- any change of the registered mobile phone number, either online in its Vero klub account or by using the special form in the Company’s stores.
Given that the mobile phone number may be used also as a username in the Vero klub online account (xxxxxx), and generally as an identification data when using the Vero klub Card, each Vero klub member should be aware of the fact that Company shall not bear any liability against the Vero klub member if it was not informed by the member for any such changes.
The Company may process personal data based on legitimate interest of the Company and for achieving goals of the loyalty program Vero klub, only in situations where the Company’s legitimate interests overrides the interests of a member of the loyalty program Vero klub or fundamental rights and freedoms of a member of the loyalty program Vero klub. Personal data processing based on the Company’s legitimate interests conducts in order to provide members of the loyalty program Vero klub with better services of the Company, support to members of the loyalty program Vero klub, development of new products and services.
3. Processors and other Recipients of Data
The conduct of data processing involves processors and recipient of personal data. In such regards the processors and other recipients are:
- The competent employees of the Company;
- The tax, auditing, judicial, regulatory etc. authorities in case of a relevant audit;
- The company with the trade name “BEWISE SA”, which provides CRM services to the Company and which has undertaken, among other things, the registration, updating and maintenance of the Vero klub database as a data processor on behalf of the Company, and according to the specific written instructions given or/and any other company which may render to the Company similar data processing services in the future;
- Third parties that render to the Call centre and data analytics services. All these third parties receive the Vero klub data under strict organizational and technical measures and procedures and are bind with confidentiality and data protection agreements.
4. Rights in accordance with provisions of the Law
The Law contains numerous rights that pertain to personal data and data subject and the Company shall assist each and every person in accordance with the Law to exercise rights under the Law by contacting the Company.
A member of Vero klub may exercise its rights: submitting a request in writing at the address Milutina Milankovića 86a, 11000 Beograd, Republic of Serbia, by e-mail firstname.lastname@example.org or through telephone line 0800 112 111. The Company shall respond as soon as possible, no later than 30 days as of receipt of the request. If the request is complex or there are numerous requests, the Company may need additional time to respond to the request. Such period may not be longer than 90 days of receipt of the request and in that case you will be separately notified.
If a member of the Vero klub considers that some of the enlisted rights is denied or considers that any manner of personal data processing is not in line with the law, it may file a complaint to the Commissioner for Information of Public Importance and Personal Data Protection in accordance with the Law.
4.1 Right to Access
Members of the loyalty program Vero klub whose personal data the Company collected and processing have the right to request from the Company information on whether or not his personal data is being processed, access to such personal data, as well as the following information:
- 1) On the purpose of the processing;
- 2) On the types of personal data which is being processed;
- 3) On the recipients or types of recipients to whom the personal data have been or will be disclosed, in particular on the recipients in other countries or international organizations;
- 4) On the envisaged period for which the personal data will be stored, or, where that is not possible, on the criteria used to determine that period;
- 5) On the existence of the right to request from the Company rectification or erasure of his personal data, the right to restrict the processing and the right to object to such processing;
- 6) On the right to file a complaint with the Commissioner for or information of public importance and personal data protection (“Commissioner”);
- 7) Available information on the source of personal data, where the personal data has not been collected from the person to who the data relates to;
- 8) On the existence of automated decision-making, including profiling referred to in Article 38, paragraphs 1 and 4 of this Law and, at least in those cases, meaningful information about the logic involved, as well as on the significance and the expected consequences of such processing for the person to who the data relates to.
If personal data is transferred to another state or international organization, the person exercise this Right to Access shall have the right to be informed of the appropriate safeguard measures relating to the transfer, in compliance with Article 65 of this Law.
4.2 Right to Rectification
Member of the loyalty program Vero klub whose personal data the Company collected, and processing has the right to request from the Company to rectify its inaccurate personal data without undue delay. Depending on the purpose of the processing, the person to who the data relates to shall have the right to have his incomplete personal data supplemented, including by means of providing a supplementary statement.
The Company shall notify all the recipients to which personal data has been disclosed on each rectification unless where that is impossible or requires disproportionate use of time and resources.
The Company shall notify the persons who exercise this Right to Rectification at their request, of all the recipients of their personal data.
4.3 Right to Erasure
Member of the loyalty program Vero klub whose personal data the Company collected, and processing has the right to request from the Company to erase the personal data.
The Company shall erase such personal data without undue delay in the following cases:
- 1) The personal data is no longer necessary for realization of purpose for which it was collected or otherwise processed;
- 2) The person who exercise this Right to Erasure has withdrawn the consent based on which processing has been carried out, in compliance with Article 12, paragraph 1, item 1) or Article 17, paragraph 2, item 1) of this Law, and where there is no other legal ground for processing;
- 3) The person to who exercise this Right to Erasure to has filed a complaint to processing in compliance with:
- а) Article 37, paragraph 1 of this Law, and there is no other legal ground for processing which is overriding the legitimate interest, right or freedom of the person to who the data relates to,
- b) Article 37, paragraph 2 of the Law;
- 4) The personal data has been unlawfully processed;
- 5) The personal data must be erased with the aim of discharging of the legal obligations of the Company;
- 6) The personal data has been collected in relation to the use of information society services referred to in Article 16, paragraph 1 of the Law.
If the Company has made the personal data public, and its obligation to erase personal data in compliance with the Right to Erasure, the Company shall take all the reasonable measures, including technical measures, taking into account available technologies and the potentials to bear the costs of their use, with the aim of informing other controllers which are processing such personal data that the person who exercise this Right to Erasure has submitted the request to erase all the copies of such data and references, i.e. electronic links to this data.
The Company shall notify all the recipients to which personal data has been disclosed on each erasure unless where that is impossible or requires disproportionate use of time and resources.
The Company shall notify the persons who exercise this Right to Erasure at their request, of all the recipients of their personal data.
4.4 Right to Restriction of Processing
Member of the loyalty program Vero klub whose personal data the Company collected, and processing has the right to request from the Company to restrict processing of his personal data where one of the following cases applies:
- 1) The accuracy of the personal data is contested by the person who exercise this Right to Restriction, for a period enabling the Company to verify the accuracy of the personal data;
- 2) The processing is unlawful and the person to who exercise this Right to Restriction opposes the erasure of the personal data and requests the restriction of its use instead;
- 3) The Company no longer needs the personal data for the realization of purposes of the processing, but the person exercises this Right to Restriction requested it for the purpose of submission, exercise or defence of a legal claim
- 4) The person exercises this Right to Restriction has submitted an objection to processing pursuant to Article 37, paragraph 1 of this Law, and the assessment whether the legal grounds for processing by the handler override the interests of that person is ongoing.
The Company shall, in the event of exercise of this Right to Restriction, process such data only based on consent of the person who exercises this Right to Restriction, except where it is a case of its storage or for the purpose of submission, exercise or defence of a legal claim or for the protection of the rights of other natural i.e. legal persons or for reasons of realization of important public interests.
The Company shall notify all the recipients to which personal data has been disclosed on each restriction unless where that is impossible or requires disproportionate use of time and resources.
The Company shall notify the persons who exercise this Right to Restriction at their request, of all the recipients of their personal data.
4.5 Right to Portability
Member of the loyalty program Vero klub whose personal data the Company collected, and processing has the right, in accordance with the Law, to receive the personal data concerning him or her, which he or she has previously provided to the Company, in a structured, commonly used and machine- readable format and have the right to transmit such data to another controller without hindrance from the Company to which the personal data has been provided, where the following conditions have been aggregately fulfilled:
- 1) The processing is based on consent pursuant to Article 12, paragraph 1, item 1) or Article 17, paragraph 2, item 1) of the Law or based on a contract, in compliance with Article 12, paragraph 1, item 2) of this Law;
- 2) The processing is carried out by automated means.
The Right to Portability shall additionally include the right of the person to have his or her personal data transferred directly to another controller by the Company, where technically feasible.
4.6 Right to Object
If a member of the loyalty program Vero klub whose personal data the Company collected, and processing, considers that it is justified in relation to a particular situation in which they find themselves (e.g. life threatening situation), such person shall have the right to, at any time, submit to the Company an objection to processing of their personal data which is carried out in compliance with Article 12, paragraph 1, items 5) and 6) of the Law, including profiling based on those provisions. The Company shall discontinue the processing of data relating to the person submitting the objection, unless the Company demonstrates the existence of statutory reasons for the processing which override the interests, rights and freedoms of the person to who submitted the objection or are in connection to submission, exercise or defence of a legal claim.
Member of the loyalty program Vero klub whose personal data the Company collected has a right to, at any time, submit an objection to processing of his/her personal data which is processed for direct marketing purposes, which includes profiling, to the extent that it is related to such direct marketing and in such situation the Company shall no longer process personal data for such purposes.
4.7 Right to be notified in the event of personal data breach
If there is a breach of personal data that the Company collected and processing the Company shall, if the personal data breach may result in a high risk to the rights and freedoms of natural persons, notify the person to whom the data relates to about the breach without undue delay, whereby such notification shall include at least the name and contact details of the person in charge of personal data protection or information on any other possible method of obtaining information on the breach, a description of the possible consequences of the breach, a description of the measures taken by the handler or whose undertaking has been proposed relating to the breach, including measures taken to mitigate the adverse effects.
4.8 Right to file a complaint
Member of the loyalty program Vero klub whose personal data the Company collected, and processing has the right to file a complaint to the Commissioner in accordance with the Law.
- 4.1 Right to Access
5. Transfers of personal data to third countries or international organisations
The Company does not transfer personal data collected which are processed/processing to other countries and international organizations.
6. Period for which personal data will be stored
Personal data of members of the loyalty program Vero klub are stored for the time of membership in the loyalty program Vero klub and then after will be erased. The membership in the loyalty program Vero klub may cease to exist in accordance with the terms and conditions of the loyalty program Vero klub. After the termination of the membership in the loyalty program Vero klub the purpose of the personal data processing ceases to exist, and personal data will be erased.
Nevertheless, some essential personal data related to the Vero klub card usage and the transactions of the Vero klub member, as well as the requests regarding its data processing may be retained for a certain period to ensure compliance with the regulatory framework and against any legal claims by the Vero klub members or third parties.
In relation to any question, exercise of rights in accordance with the Law the Company may be contacted in writing at the address Milutina Milankovića 86a, 11000 Beograd, Republic of Serbia, by e-mail email@example.com or through telephone line 0800 112 111.
More information on privacy and personal data protection, and your rights you may obtain at info desk of the Company’s store or by contacting our Data Protection Officer.
8. Technical and Organisational Measures
The Company, its processors and any third party receive or access the data have taken proportionate and adequate technical and organizational measures to ensure a level of security appropriate to the risk of the personal data against any incidental or illicit damage or loss, alteration, illegal disclosure or access to them and, in general, against any unlawful processing of personal data (including remote access) as well as for ensuring the recovery of the availability of the data and access to them.
In any case, the Company has bound its processors and any third party-data recipients with an adequate confidentiality and data protection agreement prior to access any Vero klub member data.