PRIVACY POLICY

privacy policy for the website www.goto.si/en

COPYRIGHT

Content and texts

Copying or otherwise using the content and texts on the Controller's website outside the needs of cooperation between the Controller and the user is prohibited, unless otherwise stated on the website. Any infringement of copyright is considered a violation of intellectual property rights and may be subject to appropriate legal proceedings initiated by the Controller.

Photographs and audiovisual works

All images, video recordings, and other audiovisual works published on the website are copyrighted works owned and/or held by the Controller, and copying or otherwise using them outside the needs of cooperation between the Controller and the user is prohibited, unless otherwise stated on the website. Any infringement of copyright is considered a violation of intellectual property rights and may be subject to appropriate legal proceedings initiated by the Controller.

GENERAL PROVISIONS

Data of the Controller

The Controller is the one who manages the personal data and determines the purposes and means for the processing of personal data. Insofar as these terms and conditions specify several controllers, it means that they jointly determine the purposes and methods of processing your personal data (joint controllers).

The Controller of the users’ personal data is: 
Name of the legal entity: GO TO, trgovina in storitve, d.o.o.
Address of the legal entity: Brezovce 6
Postcode and place: 1236 Trzin, Slovenija
VAT number: SI 64342786, taxpayer
Registration number: 5460905000
Contact e-mail: info@goto.si
Contact telephone number: +386 (0)1 51 90 853
Data on the entry in the register or any other public records: 14.02.1991
Contact person and contact for providing information related to user’s personal data: Franci Turk, info@goto.si

Data of the Processor

The Processor of personal data is the one who processes personal data on behalf of the Controller. The Processor may process personal data only for the purposes determined in documented instructions by the Controller. Our Processors process users’ personal data in accordance with the applicable legislation, based on an existing contractual relationship which regulates all areas of processing.

  1. Processor: The list of processors is available on the basis of a written request to the e-mail address: info@goto.si.

Website

The Privacy Policy is intended for users or customers via the Controller’s or Provider's website or websites: www.goto.si

Legislation

Slovenian and European legislation is used for the evaluation of this Privacy policy.

This Privacy policy is prepared according to the Personal Data Protection Act (ZVOP-2, Official Gazette of the RS, no. 163/22 and amend.), the Regulation (EU) 2016/679 of the European Parliament and the Council from 27/04/2016 regarding the protection of individuals in personal information processing and the free flow of such information and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), the Electronic Communications Act (ZEKom-2, Official Gazette of the RS, no. 133/22 and amend.), and other Slovenian and European legislation regulating these fields.

Legal principles

The Controller and their Processors respect the general principles related to the processing of the users’ personal data:
1. We process users’ personal data in a legal, fair, and transparent manner.
2. We collect personal data for purposes which are determined in advance, explicit, and legal, and we do not further process the data for other purposes, except for the purposes of scientific or historical research or statistics under certain conditions.
3. We process personal data to the smallest extent possible and for the purposes of processing.
4. We make sure that the processed personal data are accurate and regularly updated, whereby we rectify or erase the inaccurate data.
5. We only keep personal data for as long as it is necessary for the purposes of processing.
6. We ensure adequate protection of personal data, which includes the prevention of unauthorised or unlawful processing and unintentional loss, destruction, or damage of data, by implementing adequate technical and organisational measures.

Processing of Users’ Personal Data

The processing of personal data refers to any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

The controller may process personal data only if there is an appropriate legal basis for the processing. The controller processes users’ personal data exclusively for purposes that are clearly defined and compliant with applicable legislation. For each purpose of processing, the controller ensures transparency and informs users about:
1. the content of the processing purpose,
2. the type of personal data being processed,
3. the legal basis for processing, and
4. the retention periods.

If the controller processes personal data for new purposes that are not compatible with the existing legal basis or are not based on explicit consent:
1. the controller provides all necessary information to the user in advance, and
2. obtains new explicit consent if processing is based on such consent.

The controller ensures that all purposes of processing comply with the principles of data minimization, security, and privacy and that personal data is processed solely to the extent necessary to achieve the specified purpose.

Use of Cookies

The controller provides users with a clear and visible notice regarding the use of cookies upon visiting the website. This notice is available via a dedicated link in a prominent location on the website, where users can find all necessary information, including options for managing cookie preferences. The controller ensures users have a clear option to modify their consent later through a visible notice or link on the website. Users are also able to customize or reject cookies during their first visit and are informed about the consequences of rejecting cookies, such as potential limitations in functionality or user experience (e.g., restricted operation of certain features).

The controller may use cookies without the user's explicit consent if they are strictly necessary, required for the transmission of communications over an electronic communications network, or cookies essential for providing an information society service explicitly requested by the user (e.g., login to a user account, product purchase).

In all other cases, the controller provides a notice with the user's consent and informs the user of available options for managing cookie settings. The notice includes the following information:
1. The types and names of cookies (e.g., analytical, advertising, functional).
2. The purpose of each cookie (e.g., traffic monitoring, enabling a shopping cart, ad targeting).
3. The storage duration of each cookie (e.g., session cookies, persistent cookies).

LEGISLATIVE BASIS

Contractual Basis

Contractual basis for processing of personal data of users means that the processing is necessary for:
1. fulfilling the contract whose contracting party is the user to whom the personal data relate; or
2. implementing measures at the request of such user before concluding the contract.

The Controller provides the user with information on the processing of their personal data in this Privacy Policy and, when needed, with notifications on their website.

The Controller does not require an explicit consent for contractual processing of the user’s personal data.

If the user fails to provide all the personal data that the Controller needs to fulfil the contractual obligation, the Controller is unable to complete the user’s order. The Controller undertakes to only collect and process personal data from the user in the scope needed to fulfil the contract.

Legal basis

The controller processes users' personal data based on a legitimate legal basis when processing is necessary for the fulfillment of legal obligations applicable to the controller. Personal data is processed exclusively for the purpose of fulfilling legal obligations and is not subject to further processing for other purposes that are inconsistent with the law.

In the Republic of Slovenia, legal obligations for the processing of certain personal data are primarily defined in:
1. The Value Added Tax Act (ZDDV-1), which prescribes the obligation to issue and retain invoices;
2. The Rules on the Implementation of the Value Added Tax Act, which further regulate the content and retention of invoices;
3. The Tax Procedure Act (ZDavP-2), which governs obligations regarding the maintenance of records for tax purposes, stipulating that the controller must retain data from issued invoices (including users' personal data on the invoices) for at least 10 years after the end of the fiscal year to which the invoice pertains;
4. The Companies Act (ZGD-1), which specifies requirements for business books and reporting;
5. The Slovenian Accounting Standards (SRS), which regulate obligations for maintaining accounting records;
6. The Accounting Act (ZR), which outlines rules on the retention of business documents and records.

The controller does not require the user's explicit consent for the processing of personal data based on legal grounds.

Explicit Consent

Explicit consent serves as the legal basis for processing personal data when the controller does not have a legitimate or contractual legal basis or legitimate interest for processing.

User consent is valid when it meets the following criteria:
1. it is voluntary, specific, informed, and an unambiguous declaration of intent, whereby the user agrees to the processing of their personal data for a specific purpose;
2. it is provided through clear confirmation, such as clicking a checkbox (not pre-checked), signing, verbal confirmation, or another appropriate method;
3. it is always separate from other terms or provisions, where technically feasible.

The controller ensures appropriate user information prior to obtaining consent through the following methods:
1. Purpose description: A legal notice preceding the confirmation checkbox specifies the purpose of consent (e.g., “I would like to subscribe to the newsletter to receive additional information, advice, promotions, and other useful news.”).
2. Right to withdraw consent: Clearly stated in the legal notice preceding the checkbox, while additional rights are elaborated in these privacy terms (e.g., “You can unsubscribe from the newsletter at any time.”).
3. Direct link to privacy terms: The legal notice preceding the checkbox provides a direct link to these privacy terms (e.g., “I have read and agree to these Privacy Terms.”).

The controller maintains a record of given consents, including information on when and how consent was provided, to ensure proof of its validity in case of verification.

Legitimate interest

The controller may process users' personal data if it is necessary for legitimate interests pursued by the controller. Such processing is restricted to the scope required to achieve these legitimate interests while respecting the rights and interests of users.

In determining legitimate interests, the controller conducts a balancing test to verify whether:
1. the processing serves a legitimate purpose, such as service improvement, abuse prevention, legal claims enforcement, or direct marketing;
2. the personal data is processed in the minimum extent necessary to achieve the purpose;
3. the rights, freedoms, and interests of the user do not override the controller’s legitimate interests.

Examples of legitimate interests pursued by the controller include, but are not limited to:
1. enforcing legal claims;
2. improving user experience through behavior analysis to optimize the website, provided that the data is anonymized or processed with minimal impact on users;
3. direct marketing by sending tailored offers for similar products or services to existing customers, ensuring users can always opt out of such communications and that the data is not used for incompatible purposes.

Public interest

The Controller may process personal data of users if the processing is necessary for:
1. performing tasks in the public interest, or
2. exercising public authority given to the Controller.

Protection of the interests of natural persons

The Controller can process personal data if the processing is necessary for the protection of vital interests of the user or other natural person.

PERSONAL DATA

Type of personal data

Types of users’ personal data processed for the purposes determined in advance include:


  1. name and surname
  2. e-mail address
  3. telephone number
  4. IP address
  5. cookie ID

Purpose of collection of personal data

The Controller processes personal data of users for the following purposes and, at the same time, defines the legal basis for the processing of these data and determines whether the user’s explicit consent is necessary or not:


  1. Fulfilment of contractual obligation (the user’s order of a product or service), contractual basis, explicit consent is NOT necessary.
  2. Sending of information and notifications arising from contractual obligation (subscription to online news without marketing content), contractual basis and legitimate interest, explicit consent is NOT necessary.
  3. Replying to users’ enquiries (fulfilling an enquiry form and/or a contact form), contractual basis and legitimate interest, explicit consent is NOT necessary.
  4. Sending advertising messages, advertisements, and promotions not arising from contractual obligation (subscription to online news with marketing content), explicit consent IS necessary.
  5. Profiling users for the purposes of targeted advertisement, including remarketing (non-anonymous profiling, use of Google Analytics, Facebook tools, etc.), explicit consent for installing cookies which enable such profiling, explicit consent IS necessary.
  6. Market research and statistics for the purposes of performing the Controller’s activity (anonymous, without the processing of the users’ personal data), legitimate interest, explicit consent is NOT necessary.

USER RIGHTS

General Information about Rights

The user may request from the controller:
1. access to personal data,
2. rectification of personal data,
3. erasure of personal data (right to be forgotten),
4. restriction of the processing of personal data,
5. objection to the processing of personal data,
6. data portability.

In addition to these six fundamental rights, the user also has the following rights:
7. the right not to be subject to solely automated processing, including profiling;
8. the right to withdraw consent for the processing of their personal data;
9. the right to lodge a complaint with the supervisory authority.

The controller will respond without undue delay, and no later than one month after receiving the request.

If the request is complex or the controller has received multiple requests, the response time may be extended by an additional two months. The controller will inform the user of the extension and the reasons for the delay within one month of receiving the request.

If the controller does not take action on the user’s request, they will inform the user of the reasons for not taking action and the possibility to lodge a complaint with the relevant supervisory authority or seek judicial remedy.

The users may address their requests directly to the controller through the contact details provided in these privacy terms. The controller ensures that the users' rights will be exercised free of charge, unless the requests are clearly unfounded or excessive, particularly due to their repetitive nature. In such cases, the controller may charge a reasonable fee or refuse to act.

Right to access data

The user has the right to receive confirmation from the Controller on whether or not personal data related to them are being processed.
The Controller shall provide the information on:
1. the purposes of processing;
2. the categories of personal data that they process;
3. the processors to whom personal data were transferred for processing or disclosed;
4. the anticipated time of retention of personal data;
5. the user rights to erasure and rectification of data, and to restriction of processing or objection to processing;
6. the right to lodge a complaint with a supervisory body;
7. the sources from which the Controller received the data, provided that they were not submitted for processing by the user; and
8. the existence of automated decision-making, including profiling.

To exercise this right, the user may use this non-binding form: Exercising rights - form

Right of rectification

The user may request that the Controller, without undue delay:
1. rectify inaccurate data concerning the user which are processed by the Controller (or their processors) or
2. complete incomplete personal data.

To exercise this right, the user may use this non-binding form: Exercising rights - form

Right of erasure

The user may request from the Controller to erase the user’s personal data without undue delay if at least one of the following conditions is met:
1. The personal data is no longer required for the purpose for which they were collected or otherwise processed.
2. The user withdraws the consent given to the Controller for the processing, whereby there is no other legal basis for the processing.
3. The user objects to the processing of their personal data for the purposes of public interest or for legitimate interests of the Controller or for the purposes of direct marketing and/or profiling.
4. The personal data have been unlawfully processed.
5. The personal data must be erased to comply with a legal obligation imposed on the Controller by the legislation.
6. The personal data was collected in connection with offering information society services to a person younger than 15.

To exercise this right, the user may use this non-binding form: Exercising rights - form

Right to restriction of processing

The user may request from the Controller the restriction of processing in one of the following cases:
1. The accuracy of the personal data is contested by the user, for a period enabling the Controller to verify the accuracy of the personal data.
2. The processing of the user’s personal data is unlawful, and the user opposes the erasure of the personal data and requests the restriction of their processing or use instead.
3. The controller no longer needs the personal data for the purposes of the processing for which they had a legal basis or the explicit consent of the user, but they are required for the establishment, exercise, or defence of legal claims.
4. The user has submitted an objection (right to object) pending the verification whether the legitimate grounds of the Controller override those of the user to whom the personal data relate.

When the user is exercising this right, the Controller may only save their data and only process them if:
1. the user provided (subsequent) explicit consent;
2. required for the establishment, exercise, or defence of legal claims;
3. required for the protection of rights of other users (natural or legal persons); and
4. required for an important public interest of the European Union or the Republic of Slovenia.

To exercise this right, the user may use this non-binding form: Exercising rights - form

Right to data portability

The user has the right to receive from the Controller the personal data concerning them which are being processed by the Controller. The Controller must provide the user these data in:
1. a structured format;
2. commonly used format;
3. machine-readable format, which allows the user to read the information without any problems.

The user also has the right to transmit the obtained data to another controller without hindrance from us, the Controller, if:
1. the data was processed based on an explicit consent and
2. the processing is carried out by automated means.

The user has the right to have their data transmitted from one controller to another, where technically feasible.

To exercise this right, the user may use this non-binding form: Exercising rights - form

Right to object

The user may at any time object to the processing of personal data concerning them, when the Controller processes their personal data:
1. in public interest or
2. for legitimate interests of the Controller, including profiling of this user.

The Controller shall not cease to process the user’s personal data at the request of the user if:
1. they can prove the existence of necessary legitimate reasons for processing which overrule the interests, rights, and freedoms of the user; or
2. the data are required for the establishment, exercise, or defence of legal claims.

The Controller shall always grant the user’s request when the user objects to the processing of their personal data for the purposes of direct marketing, including profiling to the extent that it is related to direct marketing. The Controller is obliged to stop the processing of such personal data for the purposes of direct marketing.

For this purpose, the Controller shall, at places where they ask the user to consent to processing of their data for the purposes of direct marketing, provide the user with a clear and separate information on the possibility that the user may at any time withdraw their consent and object to the processing of their data for these purposes.

To exercise this right, the user may use this non-binding form: Exercising rights - form

Right related to automated processing and profiling

The user has the right not to be subject to a decision based solely on automated processing of their data, including profiling, which produces legal effects concerning them or similarly significantly affects them.

The user cannot exercise the right to prevent the automated processing of their data, including profiling, if the decision (automated processing) is:
1. necessary for the conclusion or performance of a contract between the user and the controller (e.g., online shopping cart),
2. permitted by the law of the European Union or the Republic of Slovenia and provides appropriate safeguards for the rights and freedoms, as well as the legitimate interests of the user (e.g., data processing by the Tax Authority of Slovenia),
3. based on the explicit consent of the user (e.g., for direct marketing through automated systems for sending marketing messages).

Where explicit consent is required, the controller provides appropriate notifications to the user and a confirmation box for the explicit consent.

Right to withdraw explicit consent

The user has the right to withdraw their consent for the processing of personal data at any time, if the processing is based on consent. The withdrawal of consent does not affect the lawfulness of processing that was carried out before the withdrawal. The withdrawal of consent will stop the further processing of personal data for the purpose for which consent was given.

The user can withdraw:
1. general consent for processing, or
2. consent for processing for direct marketing purposes.

The general consent can be withdrawn with a simple request, e.g., via email, contact form, phone, or any other clearly provided channel offered by the controller. The controller must process the withdrawal immediately or at the latest within one month of receiving the request.

Consent for processing for direct marketing purposes can be withdrawn by the user at any time by requesting that their data no longer be used for direct marketing (regardless of the legal basis). The controller must ensure that each form of direct marketing (e.g., email, SMS, calls) provides the user with an easy and free way to exercise the right to withdraw consent. Each marketing communication must clearly include an option to opt-out, such as an "Unsubscribe" link or other suitable option that allows the user to quickly and easily opt-out.

The controller enables the withdrawal of consent for direct marketing without cost to the user and in the same easy way as the consent was given. The controller must retain proof of the withdrawal and ensure that the data is no longer used for unauthorized purposes. The controller must stop processing personal data for direct marketing purposes no later than 15 days after receiving the user's request. The controller must notify the user of the withdrawal in writing or through another agreed-upon method within 5 days of processing the withdrawal.

Right to lodge a complaint with the supervisory authority

The user has the right to file a complaint with the competent supervisory authority if they believe that the processing of their personal data violates the General Data Protection Regulation (GDPR) or the legislation of the Republic of Slovenia (ZVOP-2).

In the Republic of Slovenia, the competent authority for personal data protection is:
Information Commissioner of the Republic of Slovenia
Dunajska cesta 22, 1000 Ljubljana
Email: gp.ip@ip-rs.si
Website: www.ip-rs.si

The user may file a complaint if the controller:
1. has not adequately responded to a request for the exercise of rights,
2. has violated regulations regarding the protection of personal data,
3. has not taken appropriate protective measures when processing data.

The controller informs the user that they also have the right to file a lawsuit with the Administrative Court if they believe that the decision of the Information Commissioner is not appropriate.

FINAL PROVISIONS

Binding nature

1. The Privacy Policy applies to all those who use the website and provide the Controller with personal data so that the Controller can manage and further process them.
2. The Privacy Policy is binding for the Controller, the Processors, and the users in the area of submitting, managing, and processing the user’s personal data as well as in enforcing the rights of the users and the obligations of the Controller and the Processors.
3. Privacy Policy is an integral part of any processing of personal data in accordance with the priorly determined purposes, bases for processing, the user’s consent, and the categories of personal user to future processing.
4. The user is informed in advance of this Privacy Policy, which is available at the Controller’s website and at all the forms and actions where the user may submit their personal data to processing.

Amendments

1. The Controller shall regularly update the Privacy Policy according to the changes in the legislation.
2. The Controller shall inform the users on any changes regularly and timely, in a written form with an electronic message.
3. The Controller shall provide an archive of changes to the Privacy Policy which will be made available to every user upon their prior written request submitted at the Controller’s contact e-mail address.

Dispute resolution

The Controller and the user shall strive to solve any potential disagreements and disputes peacefully and by mutual agreement. If mutual agreement is not possible, disputes shall be resolved by the competent court of the Controller’s headquarters in the Republic of Slovenia. However, a user residing in a member state of the European Union may decide to resolve the dispute also before the courts of his country of residence. Before that, the parties may also decide to use alternative dispute resolution methods, such as mediation or arbitration, in accordance with applicable law.

Territorial validity

The privacy policy applies to all users, regardless of their country of access or residence, and covers all types of personal data processing, irrespective of the geographical location of the user or the controller.

Temporal validity

The legal conditions apply from: 26.02.2023 14:28