Protection of personal data

1. General

KMG KLEMEN MAČEK s.p., registration no .: 7153244000 (hereinafter only as "we") is the controller of personal data of users and undertakes to protect the confidentiality of personal data and privacy of users of the website We will use the collected personal data exclusively for the provision of the services we offer. We respect the confidentiality of personal information and the privacy of users of our website, so we will do everything possible to protect them from any violations and abuses. The personal data of users is one of the areas to which we pay extreme care and attention, as we are aware of the sensitive nature of this area.

The provision of the user's personal data is in certain cases necessary in order to be able to fulfill our obligations to the user. The collected personal data are permanently protected in accordance with the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07) (ZVOP-1), the Electronic Communications Act (Official Gazette of the Republic of Slovenia, No. 109/12, 110/13, 40 / 14 - ZIN-B, 54/14 - US decisions, 81/15 and 40/17) and the General Data Protection Regulation (GDPR).

2. Authorized person for personal data protection

If you have any questions regarding our privacy policy or the way we treat your personal data, you can contact our authorized person (business owner) without hesitation via e-mail

3. Purposes of processing and bases for data processing

If you use our services, we collect various types of your information, such as your username and password, your contact information and other settings. We follow what items you view in our online store, through which device and which of our offers sent via e-mail, you were interested. Based on this, we create additional information so that we can provide you with offers of your choice and so that we can further improve our online store and services in the future.

If you make a purchase with us or create an invoice with us, we also process your name and surname, your orders and the data that you set up in your account or submit in the order form:

  • identification data, which mainly include name and surname, username and password and VAT ID, if you are a legal entity;
  • contact details, which include personal information that may be used to contact you, in particular your e-mail address, telephone number, delivery address, account address and your social media profiles;
  • your settings, which includes information about your account, especially saved delivery addresses, profiles, news subscriptions, loyalty program memberships, shopping lists, search items ("I'm interested", "follow the price"), your ratings and comments about items and services ;
  • information about your orders, comprising in particular information on ordered items and method of payment, including bank account number, and information on complaints;
  • information about your online habits, this is information about the items and services you are looking for, the links you click on, how to search and navigate our website and information about the devices from which you access the web, such as IP address and associated location, device ID , its technical parameters, such as operating system, version, screen resolution, selected browser and version thereof, and data obtained from cookies and similar device identification technologies;
  • information about your behavior in connection with reading messages, which we send you, in particular the time required to open the message and information about the devices from which you access the Internet, such as IP address and associated location, device ID, its technical parameters such as operating system, version, screen resolution, the selected browser and its version;
  • derived data, which include personal information obtained from your settings, information about items you buy from us, information about your online habits and behavior in connection with reading the messages we send you; these are mainly data on gender, age, financial situation, consumer habits and attitudes towards various items and services;

We also collect personal data through cookies for the purposes of providing better functionality and user experience, security, smooth operation of the website and counting users on the website. You can read more information about cookies and which cookies we use at connection.

KMG is not responsible for the correctness, completeness and up-to-dateness of the data entered by users.

3.1. Processing on the basis of a legitimate interest:

We also process information about your behavior on the websites on the basis of our legitimate interest (ie without your consent), in order to prepare customized offers and customized ads that we display online.

If you make a purchase with us, we store your identification and contact information and information about your orders based on our legitimate interest (without your consent) for the purposes of protecting legal claims and our internal records and controls. 

3.2. Processing on the basis of consent for the processing of personal data: 

Data processing may be based on the consent given to us by the user. Consent may, for example, relate to the communication of offers and services, the preparation of offers tailored to individual user habits or the provision of value-added services. The notification is made through the channels selected by the user in the consent. Email notification involves forwarding an email address to an external processor in order to display company advertising messages while browsing the web.

The data subject may at any time withdraw or change his / her consent in the same way as the consent was given or in another way as defined, reserving the right to identify the user. Withdrawal or change of consent refers only to data processed on the basis of consent. The last given consent of the user we receive is valid. The possibility of revoking the consent does not constitute a right of withdrawal in the user's business relationship with us.

Consent may be given by one of the parents, guardian or custodian of a minor child who, in accordance with applicable law, cannot give consent himself. Such consent will be valid until one of the parents, foster parent or guardian or the child himself, when he acquires, revokes or changes this right in accordance with applicable law.

3.3. Transmission of data to third parties and transmission of data to third countries (countries not members of the European Union or the European Economic Area)

If this is in accordance with the purpose for which personal data are processed in accordance with EU law and Slovenian regulations, we may also provide personal data to our processors, who process them in accordance with our instructions.

  • persons who perform individual processing tasks for the company, such as: preparation and sending of invoices or data analytics, maintenance and development of services, when these tasks include the processing of personal data to the extent necessary;
  • persons who provide sales and marketing services for the company, including sales and marketing in the field, or cooperate with the company in the field of marketing and sales of its own services or the services of third parties, to the extent necessary for such purposes and purposes, defined in this Policy.
  • KMG will only entrust the delivery service with the necessary data for the delivery of products purchased in the online store (data on the recipient and delivery address). KMG will contact the user via e-mail if this is necessary to make a purchase in the online store, and via the contact telephone number only if it is in the process of registration or. online shopping problems occurred.

Companies to which we provide personal data for the purpose of sending invoices, accounting services, providing payment services and delivery of ordered goods:

  • PRONET, Kranj, doo, Ljubljanska cesta 24B, Kranj, 4000 Kranj, Slovenia;
  • TEHNOLOGIKA doo, Sneberska cesta 101A, Ljubljana, 1260 LJUBLJANA-POLJE;
  • STRIPE, Inc., 510 Townsend Street, San Francisco, California, USA;
  • MailChimp, The Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, Georgia 30308, USA.

Companies to which we provide personal data for the purpose of advertising, analytics, marketing and creating personalized offers:

  • Google Ireland Limited (registration number: 368047), headquartered in Gordon House, Barrow Street, Dublin 4, Ireland;
  • Facebook Ireland Limited, headquartered 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, D02 X525, Ireland;
  • MailChimp, The Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, Georgia 30308, USA.

If the company is connected or. taken over by another company, personal data is transferred to the transferee in accordance with the law. By using our services, you consent to the further processing of your personal data by the recipient.

3.4. Term of retention of personal data

Accounting data and related contact data on individuals may be kept for the purpose of fulfilling contractual obligations until the full payment of the service or until the expiration of the statute of limitations in relation to an individual claim, which may amount to one to five years. Invoices are kept for 10 years after the end of the year to which the invoice relates in accordance with the law governing value added tax. Where turnover data are processed with the consent of the individual for the marketing of services, sale of goods or provision of value added services, such data may be processed to the extent necessary for such marketing or services. All other data obtained for information and direct marketing purposes shall be kept until revoked.

During the management of personal data, the individual has the opportunity to view and update the data in the database upon request.

4. Rights of individuals with regard to the processing of personal data

We guarantee users the exercise of their rights without undue delay and in any case within one month of receiving the request. The exercise of an individual's rights may be extended by a maximum of two additional months, taking into account the complexity and number of requirements. If we extend the deadline, we shall notify the user of any such extension within one month of receiving the request, together with the reasons for the delay. We accept requests regarding the rights of the individual to the e-mail address

Where the data subject submits the request by electronic means, the information shall, where possible, be provided by electronic means, unless the data subject requests otherwise. Where there is a legitimate doubt as to the identity of the Individual who submits a request in respect of any of his rights, the company may request the provision of additional information necessary to confirm the identity of the data subject.

If the data subject's requests are manifestly unfounded or excessive, in particular because they are repeated, a reasonable fee may be charged, taking into account the administrative costs of providing information or communication or implementing the requested action, or refusing to act on the request

We grant individuals the following rights in relation to the processing of personal data:

  • the right of access to data,
  • the right to rectification,
  • the right to erasure ("right to be forgotten"),
  • the right to limit processing,
  • the right to data portability.

4.1. Right of access to data 

The data subject shall have the right to obtain confirmation as to whether personal data are being processed in relation to him or her and, where applicable, access to personal data and additional information relating to the processing of personal data, including:

  • purposes of processing;
  • types of personal data;
  • users or categories of users to whom personal data have been or will be disclosed, in particular users in third countries or international organizations;
  • where possible, the intended period of retention of personal data or, if that is not possible, the criteria used to determine that period;
  • the existence of a right to require the controller to correct or delete personal data or to restrict the processing of personal data in relation to the data subject, or the existence of a right of objection to such processing;
  • the right to lodge a complaint with the supervisory authority;
  • where personal data are not collected from the Individual, all available information regarding their source;
  • the existence of automated decision-making, including profiling, and meaningful information on the reasons for it, as well as the importance and foreseeable consequences of such processing for

At the request of the individual, we provide a copy of his personal data being processed. For additional copies of data requested by the data subject, a reasonable fee may be charged, taking into account administrative costs.

4.2. Right of correction 

The data subject has the right to obtain that we correct inaccurate personal data concerning him or her without undue delay. The data subject has the right to supplement incomplete personal data, including the submission of a supplementary statement, taking into account the purposes of the processing.

4.3. Right to be erased ("right to be forgotten")

The data subject has the right to have the personal data relating to him or her deleted without undue delay, and we have an obligation to delete the personal data without undue delay:

  • where personal data are no longer needed for the purposes for which they were collected or otherwise processed;
  • however, when the Individual revokes the consent, which is the basis for data processing, there is no other legal basis for processing;
  • where the Individual objects to the processing on the basis of the legitimate interest of the company, but there are no overriding legitimate reasons for their processing;
  • when the Individual objects to the processing for the purposes of direct marketing;
  • where personal data must be deleted in order to fulfill a legal obligation in accordance with EU law or the Slovenian legal order; in the case of information relating to the provision of information society services incorrectly collected from a child who is unable to provide such information in accordance with applicable law.

In the case of directory or otherwise published data, we shall take reasonable steps, including technical measures, to inform controllers of personal data that the data subject shall request them to delete any links to such personal data or their copies.

4.4. Right to limit processing

The data subject has the right to have the company restrict the processing where:

  • The individual disputes the accuracy of the data, namely for a period that allows the controller to verify the accuracy of personal data;
  • the processing is illegal and the Individual opposes the deletion of personal data and instead requests a restriction on their use;
  • we no longer need personal data for the purposes of processing, but the data subject needs them to assert, enforce or defend legal claims;
  • the individual has lodged an objection to the processing until it is verified that the legal reasons of the controller outweigh the reasons of the Individual to whom the personal data relate.

4.5. The right to data portability 

The data subject has the right to receive personal data concerning him or her held by the company in a structured, commonly used and machine-readable form, and the right to pass this data on to another controller without it has been obstructed by the company to which the personal data have been provided when the processing is based on the consent of the Individual or the contract and the processing is carried out by automated means.

4.6. Right to contract

The data subject has the right to object to the processing of personal data at any time, for reasons related to his or her special situation, if it is based on legitimate interests pursued by a company or a third party. the company ceases to process personal data, unless it proves compelling reasons for processing that outweigh the interests, rights and freedoms of the data subject, or to assert, enforce or defend legal claims.

Where personal data are processed for the purposes of direct marketing, the individual has the right to object at any time to the processing of personal data concerning him for the purposes of such marketing, including profiling, in so far as it relates to such direct marketing. To the extent that direct marketing is based on consent, the right to object may be exercised by revoking the personal consent given.

4.7. The right to lodge a complaint regarding the processing of personal data

An individual may send a possible complaint regarding the processing of personal data to the e-mail address

Also, every data subject has the right to lodge a complaint directly with the Information Commissioner if he / she considers that the processing of personal data concerning him / her violates Slovenian or EU regulations in the field of personal data protection.

If an individual has exercised the right of access to data with the company and after receiving the decision of the company considers that the personal data received is not personal data requested or that he did not receive all required personal data, before filing a complaint to the Information file a reasoned complaint with the company within 15 days. the company must decide on the appeal as a new request within five working days.