At Express One Sl d.o.o., we recognize the right to privacy as a fundamental human right. Therefore, we respect our clients' privacy and responsibly, diligently, and carefully process their data in accordance with all applicable Slovenian laws and our thereof compliant internal procedures.
II. CONTROLLER AND ACCOUNTABILITY
When you, as our client (i.e., also data subject), use our services, the required personal data is processed by Express One Sl d.o.o., who (i.e., us) acts as a controller and determines the purposes and means of personal data processing. Therefore, as a controller, we hold full responsibility for the compliance of personal data processing.
Express One SI d.o.o., Pod lipami 21
Registration number: 9101691000
Email address: email@example.com
Ill. WHAT INFORMATION WE COLLECT, HOW AND WHY?
We collect and process personal data that you, as our client, provide while using our services either at our business premises or our website www.expressone.si.
We also collect personal data by recording phone calls and by video surveillance system established at our business premises. Before recording a phone call, we always notify the data subject participating in a call about it. Similarly, we notify data subjects about the video surveillance system with clearly visible signs set up before entering at the premises, which are subject to video surveillance. We may also collect personal data via polls and promotion offers and activities..
In addition, we may sometimes collect your personal data indirectly — from third parties, usually when these third parties are acting as senders and provide your information as delivery contact information for their mail or package.
Personal data we collect includes:
- Your first and last name, e-mail address, phone number, home address, personal identification number, and passport (or another personal document number necessary for shipment delivery). Your phone number may be used to inquire about your feedback about the quality of our service and to ask you to rate our service online. It is at your discretion whether you provide feedback or not;
- Bank account number when used to pay for our services;
- Employer's contact information when chosen as the address for our shipping service;
- Household information, including household members, if so expressly requested by the client regarding delivery at personal addresses (including package delivery to household members);
- Voice recordings may be collected during your phone conversation with our customer services. In case of such a recording, you will always be priorly notified about it. Voice recordings are collected to improve our services, which is our legitimate interest;
- Credit cards data (card's type, number, expiration date, security code, and the name on the card), if a credit card is used for payment of our services;
- Information you may provide based on your marketing preferences or during the term of your participation in polls and promotional offers & activities;
- Video recordings of you, if you were present on our premises that are subject to the video surveillance system for protecting people and property, which is our legitimate interest;
- Personal data acquired via cookies collected during your visit to our website, which are subject to a separate Cookie notice available at www.expressone.si.
If you don't provide the information required for a specific purpose (e.g., delivery address), this may affect providing the service you order or even result in denying the service.
IV. LEGAL BASES USED FOR PROCESSING PERSONAL DATA
We collect and process your personal data based on one of the following legal bases or a combination thereof:
- Article 6(1)(a) of the General Data Protection Regulation: Data subject has given consent to the processing of their personal data for one or more specific purposes;
- Article 6(1)(b) of the General Data Protection Regulation: Processing is necessary for the performance of the contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- Article 6(1)(c) of the General Data Protection Regulation: Processing is necessary for compliance with a legal obligation to which we as a controller are subject; and
- Article 6(1)(f) of the General Data Protection Regulation: Processing is necessary for the purpose of the legitimate interests pursued by us as the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require personal protection of personal data, in particular where the data subject is a child.
When do we process personal data under given consent?
We ask for your consent to process your information for specific purposes and you have the right to withdraw your consent at any time. When we process your personal data based on your consent, you will always be informed about it prior to giving the consent. An example when we process your personal data based on your consent is when you opt-in for use of nonfunctional cookies. Please see our Cookie Notice for more information in this regard.
When do we process personal data based on an agreement or negotiations thereof?
We process some data in order to provide a service you've asked for under a contract. For example, when you order a shipment, we will require various personal data such as contact information of the sender and the addressee, payment information, etc.
This is a legal basis that is most commonly relevant regarding our personal data processing activities. In accordance with the data minimisation principle, we process only personal data that is relevant and strictly necessary for providing our service. Typical such personal data are sender and addressee's contact detail and payment detail.
When are we complying with legal obligations?
We'll process your personal data when we have a legal obligation to do so, for example, if we're responding to legal process or an enforceable governmental request. As another example, legal obligations sometimes require us to retain certain information for purposes like financial record-keeping, such as information about a payment you've made to Express One Sl d,o.o. for tax or accounting purposes.
When are we pursuing legitimate interest?
We mostly process your information for our legitimate interests and those of third parties while applying appropriate safeguards that protect your privacy. This means that we process your information for things like:
- Providing, maintaining, and improving our services to meet the needs of our clients;
- Developing new products and features that are useful for our clients;
- Understanding how people use our services to ensure and improve the performance of our services;
- Customizing our services to provide you with a better user experience;
- Detecting, preventing, or otherwise addressing fraud, abuse, security, or technical issues with our services; Protecting against harm to the rights, property or safety of Express One Sl d.o.o., our clients, or the public as required or permitted by law, including disclosing information to government authorities; Performing research that improves our services for our clients; and
- Enforcing legal claims, including investigation of potential violations of applicable contracts and General Terms and Conditions.
V. DATA SHARING
Where necessary for the purposes of international shipping services, we may share your personal data with our business partners. In addition, we may share your personal data with transportation services necessary to accept and deliver mails and packages and providers of other ancillary services. Furthermore, your personal data may be shared with our business partners, who maintain our website, provide marketing services, and furnish and maintain video surveillance system.
All our partners are subject to strict scrutiny before we engage our collaboration, especially in terms of data privacy standards and safety measures they exercise while processing personal data. With all our business partners who act as processor of personal data with process and control, we have concluded data processing agreements that meet all legal requirements.
When required, we may share your personal data with law enforcement bodies and other governmental bodies that are eligible to such disclosure assuming such sharing is authorized by the law, usually due to being necessary to prevent, discover and prosecute criminal offences. We ensure to only disclose personal data to governmental authorities when and where we processing of personal data is strictly limited to staff required to provide the service.
VI. INTERNATIONAL TRANSFERS
Transfer of personal data to any country outside the European Economic Area is only possible under strict terms and conditions enforced to protect your personal data. We may transfer your personal data to third countries if that is required to provide our service.
When doing so, we always take adequate organisational and technical measures to ensure protection of your personal data. All our business and web applications and partners use adequate measures to prevent unauthorized access or use of all information, including your personal data. To protect and safekeep your personal data, we use due business organisation measures and procedures, including safeguards to physically protect personal data stored in our servers (e.g., fire safety equipment etc.). Personal data is not transferred unless an appropriate safeguard in terms of Chapter V of the General Data Protection Regulation is in place (e.g., adequacy decision, standard contractual clauses, etc.).
VIl. RETENTION AND ERASURE OF PERSONAL DATA
Your personal data is kept in a form which permits your identification for no longer than is necessary for the purposes for which the personal data are processed. In accordance with the purpose limitation and data minimisation principles, we collect and process personal data for the specified purpose only and only personal data that is relevant and necessary for the purpose. To determine if personal data may be processed further, we use a compatibility test to look for link between purposes, nature of the data, method of collection, consequences of secondary uses and safeguards. We pay extra care to ensure that all personal data is accurate and up-to-date.
In accordance with the above, we delete the voice and video recordings collected by the recording of phone calls or surfaces under video surveillance after 60 days from the day they are collected. Personal data that is processed on the basis of consent are deleted when and in the moment data subjects withdraws their consent. Irrespective of the before mentioned, where certain personal data is necessary for protection of Express One Sl d.o.o. rights, such personal data may be stored until the end of litigation started in pursue of the right such personal data relate to or until the expiration of the statute of limitation period, if the litigation was not started by then. In Slovenia, general statute of limitation is 5 years (exceptions may apply). In case of video surveillance and voice recordings, the latter applies in a way that such recordings are sealed and divided from the others and transferred to a different personal data filing system. The latter must be performed before the expiration of 60 days, otherwise the recording will be deleted together with the other recordings. Moreover, all personal data included in documents that are subject to shipping process or are otherwise relevant for the tax authority are usually subject to a longer retention period of 10 years.
Please note that where necessary under mandatory laws, we may store your personal data under different time limits (e.g., when necessary for legitimate business or legal purposes, such as security, fraud and abuse prevention, or financial recordkeeping). Namely, some accountancy information may even be subject to permanent storage; however, clients' personal data are normally not part of accountancy documentation.
After the expiry of designated retention period, we either permanently delete your data or we anonymise it (i.e., process of taking away information necessary for the information to be relating to an identified or identifiable natural person). When deleting your personal data, we take special care to ensure your personal data is safely and completely removed from our servers or retained only in anonymized form. We try to ensure that our services protect information from accidental or malicious deletion. Because of this, there may be delays between when we delete something and when copies are deleted from our active and backup systems.
As with any deletion process, things like routine maintenance, unexpected outages, or bugs may cause delays in the processes and timeframes defined herein.
Please note that in accordance with the data minimisation principle, we only store personal data that is relevant and necessary for the purpose. This means that when specific personal data becomes unnecessary for pursuing a particular purpose, we strive to delete it immediately after. This also means, for instance, when retaining personal data for litigation and pursuing legal claims, we only keep personal data that we deem essential for successful dispute resolution.
VIll. DATA SUBJECT'S RIGHTS
In this section, we present the rights you have regarding the personal data concerning you that we process and the processing thereof. You may exercise your rights by sending us an email at firstname.lastname@example.org.
In case you need additional information regarding your rights, you can always ask for additional information or explanation via the said email address email@example.com.
- Right to withdraw consent
Where your personal data are being processed based on a given consent, you may always decide to withdraw it by sending a written request to the above email address.
The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. If you chose to withdraw your consent, you may and will not be subject to any detrimental consequences.
- Right to access
You can obtain our confirmation as to whether or not we process personal data concerning you, and where that is the case, obtain a copy of your personal data, as well as other supplementary information listed by Article 15 of the General Data Protection Regulation (e.g., purposes of the processing, retention periods, international transfers, etc.).
Please note that we may deny the right to access if and to the extent of such disclosure adversely affecting the right and freedoms of others.
- Right to rectification
You can rectify any inaccurate or incomplete personal data concerning you. Upon your request for rectification, we will without undue delay rectify any inaccurate personal data concerning you.
- Right to erasure (right to be forgotten)
Upon your request, we will, without undue delay and subject to examination of merits of your request, delete any personal data concerning you, which:
- are no longer required for the purposes they were initially collected or otherwise processed;
- are processed based on a withdrawn consent and there is no other legal bases for their processing;
- were subject to objects to the processing and there are no overriding legitimate grounds for the processing; or
- were unlawfully processed.
- Right to restriction of processing
This right is not absolute and only applies in certain circumstances. When processing is restricted, we remain permitted to store the personal data, but are not allowed to use it.
Upon your request, we will, without undue delay and subject to examination of merits of your request, will restrict processing of personal data concerning you in case:
- you contested accuracy of the personal data (restriction for a period enabling the controller to verify the accuracy of personal data);
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- we no longer need the personal data for the purposes of the processing, but you need them for the establishment, exercise or defence of legal claims; or
- you objected to processing based on your right to object (restriction for a period required to verify whether the legitimate grounds of the controller override those of the data subject).
For the time processing is restricted, we don't process the restricted data in any way except to store it, unless it is processed:
- upon your consent;
- for the establishment, exercise or defence of legal claims;
- for the protection of the rights of another person (natural or legal); or
- for reasons of important public interest.
Before lifting the restriction of processing, we will always duly inform you about it.
6. Right to data portability
Upon you request, we may transfer personal data concerning you to another controller, when processing is based on consent or agreement and when it is technically feasible.
7. Right to object
The right to object only applies in certain circumstances. Whether it applies depends on your purposes for processing and your lawful basis for processing. You have the absolute right to object to the processing of your personal data if it is for direct marketing purposes. You can also object if the processing is for our legitimate interest; however, in this case the right to object is not absolute.
You must give specific reasons why you are objecting to the processing of your data, based upon your situation. Upon your request, we will stop processing your personal data, unless we will have compelling legitimate grounds for the processing, which override your interests, rights and freedoms, or the processing is for the establishment, exercise, or defence of legal claims.
IX. EXERCISING DATA PROTECTIONS RIGHTS
We ensure to all our clients and other data subjects a process, in which they can exercise their rights without undue delay and in any event respond within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of requests. We shall inform you of an such extension within one month of receipt of the request, together with the reasons for the delay.
Please note that if we have reasonable doubts concerning the identity of the natural person making the request to exercise their rights, we may request the provision of additional information necessary to confirm the identity of the data subject. Generally, we provide information requested by exercising your rights free of charge; however, please note that we may charge a reasonable fee or refuse to act on the request in case of requests that are manifestly unfounded or excessive, in particular because of their repetitive character.
As already mentioned above, you may exercise your rights by sending us an email on firstname.lastname@example.org.
X. RIGHT TO FILE A COMPLAINT AT THE INFORMATION COMISSIONER
If we fail to provide information or action taken on your request to exercise any of your above listed rights in one month of receipt of the request or deny it, you may file a complaint at the Information Commissioner - the data protection supervisory authority.
You can submit your complaint by using special forms published by the Information Commissioner at its website: https://www.ip-rs.si/obrazci/varstvo-osebnih-podatkov/.
Information Commissioner contact details are:
Phone number: +386/1 23 09 730
XI. DATA PRIVACY AND SECURITY RECOMMENDATIONS
Xlll. ADDITIONAL INFORMATION AND CONTACT DETAILS
For additional information regarding our processing of personal data and suggestions for improvement please contact us at email@example.com or at Express One Sl d.o.o., Pod lipami 21, 1218 Komenda, Slovenia.
Komenda, 1.1. 2023.
Distribution warehouse map
Company headquarters with warehouse for handling goods. Located in an industrial estate, close to major roads and with access to the highway.Contact