Based on the Personal Data Protection Act (Official Gazette of the RS, No. 163/22, hereinafter: ZVOP-2) and REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter: GDPR), the director of MR SPIRITS d.o.o. (hereinafter: the company, enterprise, or personal data controller) adopts the following
GENERAL PROVISIONS
Article 1
This Personal Data Protection Policy (hereinafter: the Policy) governs the processing and protection of personal data.
This Policy sets out:
organizational, technical, and logical-technical procedures and measures to secure personal data within the company with the aim to ensure:
lawful, fair, and transparent processing of personal data relating to the individual to whom the personal data pertains (lawfulness, fairness, and transparency);
personal data is collected only for specific, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes (purpose limitation);
by default, only personal data necessary for each specific processing purpose is processed. This obligation applies to the quantity of personal data collected, the scope of their processing, the storage period, and accessibility (data minimization and storage limitation);
processed personal data is accurate and kept up to date (accuracy);
security of personal data is ensured, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage through appropriate technical or organizational measures (integrity and confidentiality);
respect and protection of the rights and freedoms of individuals to whom personal data relates;
the company can demonstrate compliance with personal data protection legislation;
prevention of accidental or intentional unauthorized destruction, alteration, or loss of data, as well as unauthorized access, processing, use, or disclosure of personal data.
premises where documentation containing personal data is stored;
employees authorized and responsible for handling personal data contained in the company’s personal data records and documentation.
This Policy applies to employees and all persons performing work for the company or on behalf of the company based on contracts other than employment contracts, including students and apprentices, who process and use personal data in their work and must be familiar with ZVOP-2, relevant legislation regulating their field of work, GDPR, and the contents of this Policy.
In matters not regulated by this Policy, the provisions of ZVOP-2 and GDPR shall apply directly.
Article 2
The terms used in this Policy have the following meanings:
Personal data: any information relating to an identified or identifiable natural person. According to ZVOP-2 and GDPR, personal data about an individual includes, in particular:
identification data (e.g., name, surname, gender, date and place of birth, personal identification number, residence),
data concerning racial or ethnic origin,
data concerning family relationships,
data concerning residential and living conditions,
employment data,
data on social and economic status,
education and acquired knowledge,
image (and voice) data from video surveillance,
data on the use of communication devices,
biometric data,
data on leisure activities,
data concerning the health status of the individual,
data about ideological and religious beliefs,
data about the individual in internal affairs,
data on habits of the individual.
Individual: an identified or identifiable natural person to whom personal data relates; a natural person is identifiable if they can be identified, directly or indirectly, especially by reference to an identification number or one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity, where identification does not involve disproportionate costs or time.
Personal data record or database: any structured set of data containing at least one personal data item, accessible according to criteria allowing use or combination of the data, regardless of whether the set is centralized, decentralized, or dispersed on a functional or geographical basis.
Structured set of data: a set of data organized so that it defines or enables identification of an individual.
Processing of personal data: any operation or set of operations performed on personal data, especially collection, recording, organization, storage, adaptation, alteration, retrieval, use, disclosure by transmission, dissemination, or making available, alignment or combination, blocking, anonymization, deletion, or destruction of personal data. Processing can be manual or automated.
Automated processing: processing personal data by means of information technology.
Data controller: a natural or legal person or other public or private body that alone or jointly determines the purposes and means of processing personal data, or a person designated by law who also determines the purposes and means of processing.
Blocking: marking personal data to restrict or prevent further processing.
Pseudonymization: processing personal data so that the data can no longer be attributed to a specific individual without additional information, provided such information is kept separately and protected by technical and organizational measures.
Contract processor: a natural or legal person who processes personal data on behalf of the controller.
Personal data user: a natural or legal person or other public or private sector body to whom personal data are disclosed.
Data carrier: any means on which data are recorded or stored (documents, records, materials, files, computer equipment including magnetic, optical, or other computer media, photocopies, audio or visual materials, microfilms, data transmission devices, etc.).
External person: a company partner or any other person not employed by the company.
Employee: any person employed by the company, including persons working under contracts between the company and their employer providing labor services, and persons working for the company under civil law contracts (including students and apprentices).
Other terms not defined in this article have the meaning given in GDPR and ZVOP-2 unless explicitly otherwise regulated by this Policy.
2. RECORD OF PROCESSING ACTIVITIES
Article 3
In accordance with Article 30 of the GDPR, the company maintains a Record of Processing Activities, which is kept for all personal data records for which the company is the data controller or processor. Its purpose is to provide a complete overview of the flow of personal data.
The Record of Processing Activities contains the following information: the name of each personal data record; the name or the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the data protection officer; the purposes of the processing; the legal basis; a description of the categories of data subjects to whom the personal data relate, and the types of personal data; the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations; information on transfers of personal data to a third country or international organization, including identification of that third country or international organization; the envisaged retention periods; a general description of the technical and organizational security measures.
The Record of Processing Activities is regularly updated according to changes in the data concerning each personal data record contained in the Record. The responsible person for each personal data record has the duty to update the Record of Processing Activities with every change concerning the data of the respective personal data record. All employees who process personal data from any personal data record must be familiar with the respective record in the Record of Processing Activities, and access must be granted to supervisory authorities upon request.
Due to the absence of grounds under Articles 35 and 37 GDPR, the company does not prepare Data Protection Impact Assessments for other records. The company has appointed a Data Protection Officer, who is ______________.
(Definitions of Individual Personal Data Records)
Personal data in the company are structured and processed electronically in the following records:
Personnel records (kadrovska evidenca)
Records of labor costs
Records of working time utilization
Records on forms of resolving collective labor disputes at the employer
Records in the field of occupational health and safety
Records of business partners
Records of video surveillance data (records of entry and exit from premises)
Personal data in the ____ records are also processed in physical form in personal files.
Article 5
The company, potentially with the help of contractual data processors, collects and processes only those personal data for which there is a valid legal basis under GDPR or other applicable personal data protection legislation. Personal data may be collected and processed only for specific and lawful purposes and must not be processed in a manner incompatible with those purposes unless otherwise allowed by law.
If personal data are processed for a new purpose incompatible with the original, this must be verified for compatibility and documented in writing.
If no valid legal basis exists, personal data processing must stop immediately, access must be disabled, and the company director or direct superior must be informed so that they can decide on further actions.
Accidentally collected personal data that are obviously unnecessary for the processing must be deleted without delay, irreversibly destroyed, or returned to the individual, controller, or processor who sent them.
Individuals must be informed about the collection and processing of their personal data per Articles 12, 13, and 14 of GDPR. The person responsible for notifications is ___________. ___________ must (for each personal data record) define and keep a written list of persons authorized to process or access those records (“authorized persons for data processing”). This list must be provided to the company director. Authorized persons must be familiar with ZVOP-2, GDPR, and this Policy and must sign a special data protection declaration.
Article 6
According to Article 15 GDPR, the individual has the right to obtain confirmation from the company about whether their personal data are being processed, access their data, and receive the information specified in Article 15(1) GDPR. They can request a copy of the data; the company may charge reasonable fees for additional copies after informing the individual in advance.
Individuals may withdraw their consent for data processing at any time, which does not affect the lawfulness of processing before withdrawal.
Individuals have all rights granted by GDPR and ZVOP-2 where legally applicable, including correction, deletion (right to be forgotten), restriction of processing, etc.
If data are processed for direct marketing, individuals may object at any time to such processing, including profiling related to direct marketing, and if they object, the data must no longer be processed for these purposes.
The data controller concludes that data processing does not pose a high risk to individuals’ rights and freedoms; therefore, a Data Protection Impact Assessment (DPIA) is not required.
Before any new processing, especially involving new technologies or changes to the nature, scope, circumstances, and purposes of processing or when risk changes, the data controller commits to reassessing risks and determining whether a DPIA is necessary.
4. PERSONAL DATA PROTECTION
Article 7
The protection of personal data includes all measures, both organizational and technical, aimed at preventing intentional or accidental unauthorized acquisition, access, alteration, loss, or destruction of data, information, and documents classified as personal data of natural persons.
The company ensures the protection of personal data through legal, organizational, and technical procedures and measures by:
securing premises and equipment where personal data is collected and processed,
securing system and application software used for processing personal data,
ensuring the safe transmission and transfer of personal data, including via telecommunications means and networks,
ensuring effective methods for blocking, destroying, and deleting personal data.
Every employee who processes personal data from any of the company’s individual personal data records is authorized to process personal data for that specific record and thus becomes an authorized person for personal data processing. Authorized persons must process personal data in accordance with the provisions of ZVOP-2 and GDPR. Upon termination of employment or the termination of the legal basis granting access to personal data, revocation of authorization for data processing, or any other reason for the termination of the legal relationship, the obligation to protect personal data to which the authorized person had access or which were disclosed to them during processing does not cease.
Article 8
(Electronic Messages)
Electronic messages containing personal data must include the following message in both Slovenian and English:
SAMO NASLOVNIKU! / ONLY FOR THE INTENDED RECIPIENT!
NOTICE: This e-mail contains information that may be confidential. It is intended solely for the recipient. If this message was sent to you due to an error in addressing or transmission, please notify the sender immediately. If you are not the intended recipient, please delete it immediately (SHIFT+DEL). You are not permitted to use, disclose, distribute, copy, or print the contents of this message.
DISCLAIMER: This e-mail contains proprietary information which may be legally privileged. It is for the intended recipient only. If an addressing or transmission error has misdirected this e-mail, please notify the sender by immediately replying to this mail. If you are not the intended recipient you must not use, disclose, distribute, copy, print, or rely on this e-mail. In this case, please permanently delete this e-mail from your computer (SHIFT+DEL).
Article 9
To ensure greater security of its property and personnel, and to protect classified data and trade secrets, the company may carry out video surveillance in accordance with the provisions of ZVOP-2, which regulate the conditions for conducting video surveillance.
The director of the company adopts a decision on the introduction of video surveillance, which must explain the reasons for its implementation.
The company publishes a notice about the implementation of video surveillance. The notice must be displayed clearly and visibly in a manner that allows individuals to be informed about the surveillance and to choose not to enter the monitored area.
The notice/sticker must include the following information:
Information from the first paragraph of Article 13 of the GDPR;
A written or unambiguous graphic depiction that video surveillance is being conducted;
The purposes of processing, identification of the controller of the video surveillance system, telephone number or email address or website for exercising data subject rights;
Information about specific processing impacts, particularly further processing;
Contact details of the Data Protection Officer (telephone number or email address);
Unusual further processing such as transfers to third countries, live monitoring, or sound intervention in the case of live monitoring.
The notice must be posted permanently while surveillance is in place. Information required under the first paragraph of Article 13 of the GDPR and points 4 to 6 above may also be published on the company’s website. In that case, the physical notice must include the website link where the information can be accessed.
The video surveillance system data set may include:
A recording of the individual (image),
Location data,
Date and time of the recording,
Exceptionally, if strictly necessary, also sound.
The video surveillance system must be secured as per Articles 24 and 32 of the GDPR.
Video recordings are automatically deleted on a rolling basis, no later than every 30 days, unless an incident has occurred, in which case they are retained until the conclusion of the related proceedings.
Video surveillance is not permitted in elevators, restrooms, changing rooms, hotel rooms, or other similar areas where a person can reasonably expect a higher level of privacy.
The video surveillance controller must ensure a traceable log for each viewing or use of the footage, showing which footage was processed, when and how it was used or to whom it was disclosed, who performed the processing, when, for what purpose, and based on what legal grounds. This log must be maintained for two years after the end of the year in which the data was created, in accordance with Article 22 of ZVOP-2.
Article 10
(Video surveillance of access to official business premises)
The company may conduct video surveillance of access to official business premises if necessary for the safety of people or property, for controlling entry and exit, or if the nature of the work presents a risk to employees.
Video surveillance must not record residential building areas that are not business premises, nor entrances to residential units.
All employees working in the monitored area must be informed in writing about the implementation of video surveillance and the content of the notice referred to in the previous article.
The personal data set under this article may, in addition to the data listed in the sixth paragraph of the previous article, include the date and time of entry and exit from the business premises, the recorded individual’s name, permanent or temporary residence, employment, personal ID number and type, and reason for entry, if such personal data is collected together with the video surveillance footage.
Article 11
(Video surveillance within the workplace)
Video surveillance within the workplace may only be conducted if strictly necessary for the safety of people or property or for the protection of classified data or trade secrets, and such purposes cannot be achieved by less intrusive means.
Surveillance may be conducted only in those parts and to the extent necessary to protect the interests mentioned above.
Recording of regular workstations is prohibited unless it is strictly necessary according to the first paragraph of this article.
Live monitoring may only be carried out by explicitly authorized personnel of the controller and under the conditions set out in paragraphs one and two of this article.
Employees must be notified in writing in advance of the start of surveillance under this article.
Article 12
Access to protected premises is allowed only during regular working hours; outside working hours, only with permission from the organizational unit manager or the director. Persons not employed in protected areas may enter only in the presence of an employee working there or in emergencies (e.g., fire, water leakage, urgent maintenance) in the presence of a security guard.
Employees in protected areas must diligently monitor the premises and lock them during any absence. Personal data carriers must not be exposed to the risk of unauthorized access or removal. Personal data stored outside protected areas must be kept in a locked fireproof cabinet. Computers containing personal data must be physically or digitally locked whenever the responsible employee is absent.
Computer equipment protection is further governed by the Information Security Policy.
Article 13
Personal data may only be kept in data records as long as necessary to achieve the purpose for which they were collected.
Once the need for data retention ends, the data must be deleted, destroyed, anonymized, or otherwise processed to prevent the identification of the individual (e.g., by restricting access, blocking, or archiving).
The Record of Processing Activities defines the retention periods for each personal data record.
Article 14
Company employees must not take personal data carriers out of the company.
Only the director may exceptionally permit the removal of data carriers. In such cases, the purpose and reason must be recorded in the logbook of personal data carrier removals, including the date and signature upon return.
Article 15
The employee responsible for receiving and recording mail opens and inspects all incoming mail and packages unless otherwise specified in paragraph two of this article.
They must not open:
Shipments addressed to another authority or organization and delivered by mistake;
Shipments marked as personal data or labeled “do not open,” or those related to competitions or tenders;
Shipments addressed to an employee with instructions to be delivered personally;
Shipments where the employee’s name is listed before the company’s name.
Article 16
Personal data may only be transmitted via information, telecommunications, or other means if measures are in place to prevent unauthorized access, destruction, or disclosure.
When transmitted electronically or via telecom channels, personal data must be specially secured using cryptographic methods or electronic signatures to ensure they are unreadable during transmission.
Article 17
When transmitting personal data by post, the envelope must prevent visibility of contents under normal light or illumination. It must also prevent opening and reading without visible tampering.
Data may only be shared with users listed in the Record of Processing Activities. If shared with a recipient not under contract, a complete and legitimate request must be submitted, and the data transmission must be logged in the Record of Extraordinary Data Transfers.
Article 18
Personal data may be disclosed only to individuals who submit a written request citing the legal provision authorizing the access or accompanied by a data subject’s written consent.
Each transfer must be recorded in the personal data processing log, showing:
Which personal data was transferred;
The full name/company name and address of the recipient;
The date of transfer;
The legal basis for the transfer.
The original document must be retained, and only copies may be shared.
Article 19
(Contractual data processing)
For each external legal or natural person performing tasks related to personal data (data processor), a written agreement must be concluded in line with Article 28 of the GDPR. This contract must include conditions and measures to ensure data protection and security.
Before signing, the company’s legal representative must verify that the processor complies with data protection laws, including disclosure of all subprocessors with their names and locations.
Contractual processors may process personal data only within the scope of the authorizations they receive, and they may not process or otherwise use the data for any other purpose; they are contractually bound to this restriction. The contractual processor must implement at least the same level of personal data protection as prescribed by this Policy.
In addition to other requirements, the company must ensure, through contracts concluded with contractual processors, the right to carry out an inspection or audit regarding personal data protection at least once per year. An inspection or audit must also be conducted in case of any suspicion or indication that the contractual processor is breaching the contract or failing to provide an adequate level of personal data protection.
Article 20
Employees or persons whose personal data is recorded in the company’s personal data records, as well as their legal representatives or proxies, have the right to access the personal data kept about them or their representatives, and to transcribe or copy such data.
Access and transcription of personal data from the records must be granted within 15 days from the date the company receives a written request.
Costs related to the request and access as referred to in this article are covered in accordance with Article 6 of this Policy.
Article 21
Records of employees’ personal data (e.g., employee records) are stored in locked and fireproof cabinets in the director’s office. Payroll data for the current period is stored in locked and fireproof cabinets in the accounting office, and for other periods in separate fireproof cabinets in the archive. Other personal data records maintained by the company are stored for the current period in locked cabinets in the director’s office, and for other periods in the archive.
Access to archived data is limited to the responsible person for each personal data record. Other employees may access the data only with prior approval from the responsible person, and only if needed for the performance of their duties.
Personal data in electronic form is stored on a server within the computer system. Access to the system is only possible via individual computer units and with the user’s personal password.
Article 22
Employee personal data records are established upon the conclusion of the employment relationship or updated with each change reported by the employee. The personal data in employee records is created or updated by the director.
Records of personal data for volunteers, trainees, and contractual partners are created upon the conclusion of a contract.
Article 23
Personal data may only be kept in a record for as long as necessary to achieve the purpose for which it was collected and maintained. After the retention period expires or the purpose is fulfilled, the personal data must be deleted, destroyed, blocked, anonymized, or pseudonymized—unless otherwise stipulated by law for certain categories of personal data. The retention period for personal data is defined for each record in the Record of Processing Activities.
After the need or retention period for keeping personal data has ended, the data or its carriers must be deleted or destroyed.
Article 24
Deletion of personal data on computer media must be carried out in a manner, following a procedure and using a method that prevents restoration of the deleted data.
Personal data stored on traditional media (documents, files, registers, lists) is deleted by destroying the media. The media is physically destroyed (burned, shredded) on the company’s premises or under the supervision of an authorized person responsible for the destruction of confidential documentation.
Article 25
With the diligence and care specified by this Policy for the destruction of personal data maintained in records or on individual data carriers, any auxiliary documentation or computer outputs/templates containing personal data must also be deleted or destroyed accordingly.
Article 26
Employees must report any detected breach of personal data protection to the appropriate person responsible for the personal data record. If the breach is likely to pose a risk to the rights and freedoms of individuals, the responsible person must notify the Information Commissioner without undue delay, within 72 hours of discovering the breach, as well as the affected individuals.
The controller must record every personal data breach in the security incidents register, including the facts related to the breach, its effects, and the corrective measures taken.
All security incidents must be recorded chronologically in the register, regardless of the level and type of risk to the rights and freedoms of individuals. The controller especially records breaches of confidentiality (e.g., unauthorized disclosure of data), breaches concerning access to data, and breaches of data integrity (e.g., unauthorized alteration of data).
Article 27
The persons authorized to implement procedures and measures for personal data protection are appointed by the director.
Article 28
Before starting work in a position where personal data or data carriers are collected, processed, modified, stored, transmitted, or used, the employee must sign a declaration obliging them to protect personal data as a professional secret and informing them of the consequences of a breach. The signed declaration must show that the signer has been informed about the provisions of the ZVOP-2, GDPR, and the contents of this Policy. The obligation to protect personal data does not cease with the termination of employment or cooperation with the company (students, contractors, etc.).
Article 29
All employees are required to comply with the provisions set out in this Policy and to implement the security measures and procedures described herein.
Article 30
All employees must implement measures to prevent misuse of personal data and must handle any personal data they encounter during their work with due care and responsibility, in accordance with the procedures established in this Policy.
Article 31
Employees are subject to disciplinary liability for violations of this Policy, while other persons are liable for damages based on their contractual obligations.
In case of misuse or suspicion of misuse of personal data contained in the company’s records by persons who are not company employees, the competent authorities for prosecution must be informed.
Article 32
Employees working in positions involving the collection, processing, modification, storage, transmission, or use of personal data or data carriers must sign the declaration from Annex 1 of this Policy within 60 days of its adoption. Signatories of the declaration are also bound by all future amendments to this Policy without needing to sign a new declaration upon each amendment.
Article 33
In the event of a conflict between any provision of this Policy and current or future laws, collective agreements binding on the company, or other regulations, the validity of this Policy as a whole remains unaffected. The relevant provisions of the applicable law, collective agreement, or regulations shall apply directly in place of the conflicting provision.
Privacy Policy
The purpose of this Privacy Policy is to inform users and customers (hereinafter also: individuals) of the website www.ginibee.eu and the online store on this website (hereinafter: the website), who may, during each visit and/or purchase, provide certain data that can allow indirect or direct identification of an individual (personal data). Therefore, we wish to explain how we will process, store, and protect these data and also what rights you have regarding personal data.
We process, store, and protect all personal data in accordance with applicable legislation defining personal data protection, especially in accordance with the current law regulating personal data protection, the law regulating electronic communications, and the EU General Data Protection Regulation (GDPR).
Please read our Privacy Policy carefully so you understand how we protect your privacy.
By providing your personal data and visiting the website, you declare that you have read our Privacy Policy and understand the methods and legal bases of processing personal data. If you do not agree with the processing methods, please do not provide us with your personal data and do not use our website.
Data Controller
The data controller of your personal data is:
MR SPIRITS d.o.o.
Smolenja vas 10A
Tax Number: SI60428155
Company Registration Number: 8253609000
Phone: +386 40 547 565
Email: info@mrspirits.eu
The controller has not appointed a data protection officer as we do not process personal data on such a scale that would require this obligation. Since your privacy is very important to us, you can always contact us with any questions regarding the processing of your personal data via the above phone number or email.
How We Obtain Your Personal Data
We process and collect personal data if you provide it yourself or if it is obtained through your visit to the website when:
you use or visit our website (data is obtained via cookies),
you subscribe to e-newsletters,
you contact us through various channels (including social media),
you conclude a contract with us or we carry out measures before concluding a contract.
Types of Personal Data, Purposes of Processing, and Legal Basis
All personal data you provide will be treated confidentially and used solely for the purposes for which we obtained them. If there is a need for further processing of your data for another purpose, we will contact you in advance and request your consent.
How we obtain your personal data and which personal data we process
When visiting our website
We obtain technical data that we automatically collect when you use our website, including device data or other log data. We collect data such as web requests, data sent in response to such requests, browser type, browser language, IP address, timestamp of the request, and other anonymous statistical data including usage of our website. This information alone cannot be used to identify or contact you. We may automatically combine collected data with other non-personal data. In that case, the combined data will be treated as personal data according to this Privacy Policy. We obtain this data by using cookies and other technologies (more about cookies and technologies used below).
The legal basis for processing personal data from the previous paragraph is our legitimate interest (Article 6(1)(f) GDPR) or your consent (Article 6(1)(a) GDPR).
Until you entrust us with personal data (such as name, surname, email, etc.), all data we automatically collect while you use the website are anonymous, and we cannot identify or determine the identity of an individual.
When registering a user, concluding and performing a contract, or taking actions prior to contract conclusion (preparing an offer), establishing contact with our sales department:
For business purposes, responding to inquiries, processing and executing your order of products/services, subscribing to newsletters, we collect the following personal data:
• name and surname, address and place of residence,
• email,
• phone number,
• user account data if you create one (username (email) and encrypted password), and all data you enter into the user account,
• purchase data, delivery method and address, payment method, including payment data,
• data related to claims, statutory warranties and guarantees,
• any other data you voluntarily enter in forms on the website or provide to us by email or phone.
We obtain data if you explicitly provide it, where the legal basis is your consent (Article 6(1)(a) GDPR), if we have a contract or perform pre-contractual measures at your request (Article 6(1)(b) GDPR), based on law (Article 6(1)(c) GDPR), or if our legitimate interest applies (Article 6(1)(f) GDPR).
Providing personal data is not a condition for using our services, but without providing certain personal data, we cannot perform some services, including shipping ordered goods. If you believe someone has provided your personal data to us without your consent, please notify us at info@mrspirits.eu. All your personal data will be stored only as long as necessary to fulfill the purpose for which they were collected or for the period prescribed by law.
Legal Bases and Purposes of Personal Data Processing
We process personal data based on the consent of the data subjects, such as for the following purposes:
• subscribing to newsletters.
We may process your personal data based on a contract, such as for:
• ordering goods, concluding and performing a contract,
• notifying customers about successful orders and other important order-related information,
• resolving claims, statutory warranties, and guarantees.
Where circumstances require, we may process your personal data based on our legitimate interest, unless overridden by your rights and freedoms, for example:
• website optimization,
• answering your questions sent via various channels (including social media),
• ensuring IT system security,
• improving goods provision by contacting you for satisfaction feedback,
• preventing abuse and/or fraud.
We process personal data based on the law and applicable regulations:
• related to your order for legal purposes (e.g., tax laws, accounting regulations, warranty and defect regulations).
Disclosure of Personal Data to Third Parties (Personal Data Users) and Third Countries
We share your personal data with third parties only as described in this Privacy Policy. Some personal data are transferred to the USA based on standard contractual clauses included in our data processing agreements with providers.
We share personal data with:
• Our service providers, business partners, and contractors who provide services on our behalf or support our business. All these third parties comply with our Privacy Policy and are bound by data processing agreements. We disclose only the minimum personal data necessary (e.g., email notification providers, security service providers).
• Law enforcement authorities when we reasonably believe activities are unlawful or may help investigations. We may disclose personal data if we determine you violate our policy or to protect rights, property, or safety. Only data legally requested for a specific case will be disclosed.
• When required by law, regulations, or official orders to protect safety against death or serious injury, prevent fraud or abuse, or protect ownership rights. We disclose personal data to government officials or third parties based on court orders or binding administrative decisions for specific cases.
We do not disclose collected personal data to other third parties or countries without adequate protection. Your personal data may be transferred to the USA (for web analytics and email notifications), with appropriate contracts in place.
Consent of Minors
We are committed to protecting children’s online privacy and safety. We do not offer goods or services to children under 15, nor do we knowingly collect or request personal data from children under 15.
Any communication we reasonably believe to come from children under 15 will not be stored. We encourage parents or guardians to monitor children’s use of email and online activities.
We use all available technology and strive to verify whether parental consent has been given or approved.
Automated Decision-Making and Profiling
The individual’s personal data is not subject to automated decision-making, nor is it subject to profiling.
We appreciate that you trust us and share your personal data with us. We are committed to protecting it, so we implement appropriate security measures to guard against unauthorized access, unauthorized alteration, disclosure, or destruction of data. These measures include internal reviews of our data collection, storage, and processing practices — both security and physical measures. Access to personal data is limited to our employees, service providers, and representatives who need to know in order to develop or improve our services.
Please understand that our website offers links to other websites which we do not own or operate. Your use of these third-party services is entirely voluntary. We are not responsible for the content or practices of these third parties.
Regarding your personal data that we process, you have the right to:
Withdraw your consent to the processing of your personal data at any time (withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal). If you only want to update your personal data, you can do so, for example, in your account on the website.
Obtain confirmation whether we are processing your personal data.
Access the personal data relating to you, receive a copy of this information, and get information about the purposes of processing, types of personal data, whether personal data is transferred to a third country or international organization, etc.
Have inaccurate personal data relating to you corrected without undue delay and have incomplete personal data completed.
Request erasure (the right to be forgotten): you can request that we delete your personal data without undue delay in certain cases, for example, when the data is no longer necessary for the purposes for which it was collected or otherwise processed, or when we collected data based on your consent and you withdraw that consent, etc.
Restrict processing in certain cases, such as when you contest the accuracy of the data.
Data portability: you have the right to receive personal data in a structured, commonly used, and machine-readable format and the right to transmit those data to another controller in certain cases.
Object at any time to the processing of your personal data based on our legitimate interest, to direct marketing, and to profiling related to direct marketing.
Declare that decisions based solely on automated processing of personal data, including profiling, which produce legal effects concerning you or similarly significantly affect you, do not apply to you. If the decision (1) is necessary for the conclusion or performance of a contract between you and us or (2) is based on your explicit consent, we will implement appropriate safeguards to protect your rights and freedoms and legitimate interests, including at least the right to human intervention by the controller, to express your point of view, and to challenge the decision.
File a complaint with a supervisory authority independently of the rights listed above if you believe that the processing of your personal data violates the GDPR. Complaints can be filed with the Information Commissioner, Dunajska 22, 1000 Ljubljana, e-mail: gp.ip@ip-rs.si, phone: +386 1 230 97 30, website: www.ip-rs.si.
For any of these rights, you can contact us anytime:
– via e-mail: info@mrspirits.eu.
We will ensure your request is fulfilled immediately but no later than within one (1) month. The requested personal data will be provided in a structured, machine-readable, and commonly used format. The first copy of your personal data in electronic or physical form is free of charge; any additional copies may be charged to cover preparation costs.
We will keep your personal data only as long as necessary to fulfill the purposes for which the data were collected and further processed. The controller processes and retains all personal data processed based on consent until consent is withdrawn. Personal data collected on the basis of legitimate interest are retained for 5 years. Personal data collected based on a completed purchase (contract concluded and/or executed) are retained for 5 years. Personal data related to issued invoices are retained according to legal requirements for 10 years.
Anonymized data may be retained longer in some cases, but always in a form that does not allow tracing back to you or identifying or profiling you.
The retention period may vary depending on applicable sector-specific laws (e.g., tax laws, accounting regulations). If the applicable law requires mandatory retention periods, data will be deleted after the expiration of such legal periods.
We strive to ensure the security of personal data. Your personal data is protected at all times against loss, destruction, forgery, manipulation, unauthorized access, or unauthorized disclosure. We use appropriate levels of protection and have reasonable physical, electronic, and administrative measures in place to safeguard the collected data.
Despite our efforts, a breach of our system may occur. In the event of altered, disclosed, or destroyed personal data, we will notify the affected individual by e-mail.
Our website may contain links to third-party websites. These websites have their own privacy policies, which you should familiarize yourself with, as we assume no responsibility for them.
Our website contains links to social media platforms (social media plugins), including integrated links to Facebook and Instagram, which redirect you to those social networks when clicking on their icons. The processing of personal data collected by these social networks when you click on the plugin and are redirected is carried out by those social networks according to their privacy policies, available at:
Facebook: processing is carried out by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA; privacy policy available at https://www.facebook.com/policy.php.
Instagram: processing is carried out by Instagram LLC, 1601 Willow Rd, Menlo Park, CA 94025, USA; privacy policy at https://help.instagram.com/155833707900388.
Twitter: processing is carried out by Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 IRELAND; privacy policy at https://twitter.com/en/privacy.
LinkedIn: processing is carried out by LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA 94085, USA; privacy policy at https://www.linkedin.com/legal/privacy-policy.
Our website uses cookies. Cookies are small text files that a website stores on devices used to access the internet. Their storage is fully controlled by the individual, who can restrict or disable cookies in their browser. Cookies perform many functions — they allow tracking visits to the website, enable various campaigns and discounts, support login functionality, provide support for social network plugins, and other functions.
Cookies provide a convenient way to keep content fresh and relevant according to visitors’ interests and preferences. Based on statistical data about website visits provided by cookies, we can assess the effectiveness of our website design.
Consent to the installation of cookies is not required for essential cookies. These enable the normal functioning of the website. Without these cookies, the website will not work correctly or at all, so they are installed even if the individual refuses cookie installation.
Which Cookies Do We Use?
Essential Cookies
Name | Duration | Purpose
Analytical Cookies
Name | Duration | Purpose
We use Google Analytics:
We use Google Analytics on our website. Google Analytics is a web analytics service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). The entity responsible for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, Ireland, 1600. Google Analytics uses “cookies” to analyze your use of the website. More information is available at:
https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
Google uses this data on behalf of the controller to evaluate your use of the website, compile reports on website activity, and provide additional services related to your use of the website and the internet. The IP address sent by your browser as part of Google Analytics is not combined with other Google data.
Data processing by Google Analytics is based on Article 6(1)(a) GDPR if you consent to the use of Google Analytics.
If you want to change how cookies are used in your browser, including blocking or deleting them, you can do so by adjusting your browser settings. Most browsers allow you to accept or reject all cookies, accept only certain types, or notify you when a website tries to set a cookie. Cookies stored by the browser can be easily deleted. If you change or delete the browser’s cookie file or change or replace the browser or device, you may need to disable cookies again.
The procedure for managing and deleting cookies varies by browser. More information on managing cookies, including instructions for your browser, is available at the following links:
Chrome (Computer, Android, iPad & iPhone)
Mozilla Firefox
Internet Explorer
Microsoft Edge
Safari
Opera
If you completely disable cookies, some parts of our website may not function properly, or you may need to manually set your preferences each time you visit our website.
We reserve the right to update, change, or replace any part of this Privacy Policy at our discretion by posting an update or change on the website without prior notice. Any changes take effect from the day the revised Privacy Policy is publicly posted on our website.
Published: 2 January 2025