Notice to individuals under Article 14 of the General Data Protection Regulation (GDPR) regarding the processing of personal data of visitors/End Customers on websites that have been created with the Shopamine Service
THE PROCESSOR OF YOUR PERSONAL DATA IN CONNECTION WITH THE “SHOPAMINE” ONLINE SERVICE IS:
APPOTEKA, razvoj spletnih aplikacij, d.o.o.
company reg. no.: 3497623000
Kamniška 41, 1000 Ljubljana, Slovenia
acting as the owner and supplier of the Shopamine Service (hereinafter: “we”, “us”, “our”, “Provider”, “Appoteka d.o.o.” or “Processor”). An authorized person for the protection of personal data has been appointed and is available at email@example.com.
This document sets out how we (Appoteka d.o.o.) process the personal data of "End Customers", i.e. online shoppers and other website visitors that visit and use (i.e. purchase products on/otherwise interact with) websites and online stores that have been created using the Shopamine Service. It also includes information on what data we process and what legal basis we use for doing so, how we process such data and to what end, who we share the data with, how long we keep it and what rights you may have as an individual.
Appoteka d.o.o. is a web application development company that provides users with its own cloud-based web service for creating, hosting and modifying online websites and ecommerce stores - Shopamine (www.shopamine.com) as well as the associated hardware and software needed to run the service (hereinafter: “Shopamine service”, “Shopamine” or “Service”).
For this purpose, Appoteka d.o.o. receives, collects and processes certain information, which includes personal data as defined by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “General Data Protection Regulation” or the “GDPR”).
The nature of the business model of Appoteka d.o.o. and its cooperation with Shopamine users, namely businesses and sole traders who have set up a user account and use the Service to produce, upload and maintain their own website or ecommerce store through the Service (hereinafter: “Merchants”, “Data Controllers” or “controllers”), means that Appoteka d.o.o. acts as the processor of certain End Customer personal data and an individual controller in relation to certain user or other personal data, as shall be defined in more detail below.
When am I considered to be an "End Customer" and what rights do I have in relation to the Shopamine service Provider - Appoteka d.o.o.?
This document describes the processing of personal data of individuals visiting (or interacting in a way that personal data is entered/exchanged) or potentially making purchases on/through websites that have been created and are being hosted, maintained and supported on the Shopamine platform, or that individual Merchants have entered into the Service themselves (hereinafter: “data subjects”, “individuals” or “End Customers”) and regarding which Appoteka d.o.o. is thereby acting as a data processor.
The document, which can be accessed via this link, describes the processing of personal data of registered users of the Shopamine service (merchants) or visitors to the www.shopamine.com website and our other business partners, in respect of which Appoteka d.o.o. acts as controller.
You can also contact us at firstname.lastname@example.org and (should you provide sufficient information or evidence, as the case may be) we shall help you with identifying which Merchant is acting as the data controller in relation to your data.
Who are the Shopamine platform users (i.e. "Merchants") and where can I get more information on how they process my data?
The data of an individual Merchant (i.e. controller), as well as other information on the processing of personal data in connection with the Service, must always be available to you at the time you entrust your personal data to a specific Merchant (i.e. when you make a purchase on a store developed on the Shopamine platform). According to the GDPR, the transmission of this information as well as the responsibility for the processing thus performed is the responsibility of the individual Merchant (i.e. store/website owner).
If an individual End Customer contacts Appoteka d.o.o. directly with a personal data related request (e.g. a request for access to data, rectification, erasure, right to be forgotten, etc.), Appoteka d.o.o. shall immediately forward the request to the relevant Merchant who is acting as the controller of the data in question.
Appoteka d.o.o. shall, after receiving the instructions of the relevant Merchant, correct, delete, forward, rectify or otherwise process the data in order to comply with/reject the request of the End Customer.
Appoteka d.o.o. shall not be liable for any disputes, penalties or costs in connection with proceedings before the competent institutions or state authorities, nor for any other inconvenience caused to the Merchant or the End Customer as a result of the Merchant's failure to comply with the provisions of the General Data Protection Regulation, other legislation, or the provisions of the relevant contract on the processing of personal data, and the General Terms and Conditions of Use of Shopamine.
For a full description of the rights that individuals have under the GDPR, see the relevant part of this document below.
Unless otherwise stated, the terms in this data processing notice (e.g. personal data, processing, controller, processor, etc.) have the same meaning as the terms used in the GDPR. This data processing notice may be updated from time to time in order to better reflect changes in data protection or for other operational and legal reasons.
If we change this notice significantly, we will publish the news on our website or send a notification within the Service, or we shall inform Merchants (or perhaps even End Customers, should this be legally required) via e-mail.
To find information on data processing activities that Appoteka d.o.o. carries out as an individual data controller, please see our Data processing notice under article 13 of the GDPR here.
1. Review of databases and types of personal data, categories of data subjects, data retention timescales and purposes/types of processing, that the Provider performs in the name of each individual Merchant for the provision of the Service
In accordance with the GDPR, personal data means any information relating to an identified or identifiable natural person (i.e. data subject), whereby an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Provider processes the following personal data in accordance with the purposes and instructions that have been set out in each personal data processing agreement (hereinafter: “DPA”), which had been concluded with the relevant Merchant when he set up his Shopamine user account:
PERSONAL DATA AND LEGAL BASIS
Merchant website visitor & End Customer Data
Legal basis: Contractual (i.e. the Master Service agreement and the Data Processing Agreement)
TYPES OF DATA
Basic information on End Customers and website visitors: Account registration or other forms: (name and surname);
Store checkout data: End Customers' contact information (e-mail address, telephone number);
Other store checkout data: Information about the End Customers' purchases and invoices issued (date and place of purchase, purchased items, prices of purchased items, total purchase amount, payment / delivery method, delivery address / billing address, order number and date, coupons used, order status);
Website analytics data: Data on the use of the Merchant's website / online store by visitors / End Customers (IP address, browser used and language version, dates and times of visits to the online store of the Merchant, pages or URLs visited, time spent on each page, number of pages visited, total time spent visiting the website, settings set on the website);
Data linked to online identifiers of Merchant website visitors / End Customers: The list of basic cookies that come with the Shopamine service is available at:
CATEGORIES OF DATA SUBJECTS
Individuals that visit websites/make purchases on ecommerce stores that the relevant Merchant (who is acting as the data controller) has made with the Shopamine service.
DATA RETENTION PERIOD
Until the expiry of the period of storage or fulfillment of the purpose of processing individual personal data, whereby the Merchant may delete the data himself via the user interface or request deletion from the Provider.
*The Provider may keep the data for another 15 days after deletion / termination of the main user account of the Merchant or our termination of the contract with the Merchant (in order to be able to destroy the stored data from all data carriers and its own servers as well as the servers of its service providers during this period).
PURPOSES OF PERSONAL DATA PROCESSING AND TYPES OF PROCESSING*
The Provider can store and otherwise process the data only for the purpose of performing tasks that are directly related to the operation of the basic functionalities of the Service:
- Necessary for offering the core features of the Service (i.e. done automatically when data is entered into the Service): collection, recording, organization, structuring, cloud storage, storage (back-up), deletion, making available, segmentation, transmission.
- Manual (by Appoteka d.o.o. or its Subprocessors on the basis of a request by the relevant Merchant): storage (back-up), adaptation, alteration, retrieval, deletion, making available, segmentation, transmission.
- Situational (i.e. executing Data Subject rights in accordance with the instructions of the Merchant, etc.): disclosure by transmission, dissemination or otherwise making available, restriction, erasure, destruction, storage (back-up).
- Feature based (i.e. when the relevant Merchant requests that certain features use the data (whereby the Merchant is responsible for obtaining consent or having other valid legal grounds)): combination, profiling, segmentation, storage (back-up), making available, transmission.
1.2 The legal basis for the processing of personal data - compliance with the provisions of the Master Service Agreement and the Data Processing Agreement
We process the personal data of End Customers on the basis of a concluded Master Service Agreement and Data Processing Agreement, which is concluded with each Merchant (controller) when he sets up a valid Shopamine user account.
Providing you with an individual legal basis for the entry and processing of your data by each individual Merchant in the context of the Merchant's use of Service is the obligation of the individual Merchant (i.e. the relevant Merchant needs to provide you with information on what legal grounds he is processing your data). The Provider always operates solely and exclusively in accordance with the instructions given by the relevant Merchant as the processor of End Customer personal data.
1.3. The legal basis for the processing of your data may also be set out in legislation
The Provider may occasionally process personal data for the purposes of complying with legal and other lawful requirements, especially those governing personal data processing. This is the case, for example, when a court, inspector or other holder of public authority orders the Provider to provide him with access to the back-end of the Service, whereby the inspector may also have access to databases.
1.4. Based on the legitimate interests of the Provider
Certain personal data may be processed for the purpose of securing the legitimate interests of the Provider. This is the case, for example, when the processing of your data would be necessary in the context of criminal or civil proceedings (e.g. when the database would have to be presented as evidence in criminal or civil proceedings, otherwise the Provider would suffer a penalty or material and irreparable damages), as well as for fraud detection and prevention. In such cases we will always process only those data that are strictly necessary to pursue these legitimate business objectives and shall (if this is lawful in the given case) act in accordance with the instructions of the relevant Merchant that is acting as the data controller in relation to such data.
The Provider may process personal data of individuals even in cases where processing is necessary to protect the vital interests of the individual (e.g. viewing the address information of an individual that had bought life threatening goods on a Merchant's ecommerce store and sending a notification to the individual/Merchant), whereby such processing shall be performed in cooperation with the relevant Merchant that is acting as the data controller in relation to such data, if lawful and possible at the time.
2. How long do we store or process your personal data?
The data retention period for which we keep your personal data depends on the legal basis and purpose of processing and the direct instructions of the controller (the relevant Merchant). Personal data is generally kept for as long as it is necessary to fulfill the purpose for which the data was collected, or as long as the controller or a regulation requires that we keep it, and is deleted after such period expires.
On the basis of the Master Service Agreement and Data Processing Agreement, the data may be stored in the service for another 15 days after the deletion / termination of the main user account of the Merchant or our termination of the contract with the Merchant (in order to be able to destroy the stored data from all data carriers and our own servers as well as the servers of our service providers during this period).
Please note: should you file a “delete my data” (“right to erasure”) request with us (at email@example.com or through our other official communication channels) or file such a request with the relevant Merchant, the Merchant is solely responsible for carrying out the deletion request and informing us of his decision/request for help with the deletion.
If your request is filed with us, we shall always respect any “delete my data” requests after obtaining instructions from the relevant Merchant that is acting as the data controller in relation to such data, whereby in some cases (see point 1.4.) we might have a legitimate interest not to fulfill such a request.
We advise you to contact the relevant Merchant (e.g. the legal entity using Shopamine as a platform for its webstore) in order to find the actual data retention periods that may apply to your data.
3. Who processes your personal data?
3.1. Certain employees of the Provider
Your personal data is processed by individual employees of Appoteka d.o.o., which is acting as the Provider and data processor. Employees of our company process only those personal data that are required for their work, but they can also share them with each other if their work tasks and the internal rules of our company allow them to do so. All employees are committed to confidentiality and the protection of personal data.
3.2. State authorities
In certain cases, as prescribed by applicable law, the Provider must provide your personal data to the competent state authorities as well as EU/international authorities responsible for financial, tax or other types of lawful supervision. In these types of cases, the Provider may be compelled to provide data to third parties if such an obligation to provide or disclose the data is imposed on the Provider by law or on the basis of a valid legal right of a third party.
3.3. Contractual processing of personal data
In addition to the employees in our organization, employees of our contractual subprocessors may also process personal data as confidential and only within the scope of the contract on external processing of personal data, which has been concluded with such processors. The contractual subprocessors may only process personal data in accordance with the organization's instructions, and may not use the data to pursue any other interest.
The contractual subprocessors with which the Provider cooperates, and with which it may share your data for the provision of the Service, are:
● persons who cooperate with the Provider and provide their relevant services (legal advice, external developers, etc.),
● the data hosting provider (see section 3.4.),
● accounting service providers,
● IT system maintenance providers.
We shall not pass on your personal data to unauthorized third parties.
To obtain a detailed list of all contracted subprocessors you can reach out to us at firstname.lastname@example.org.
3.4. Hosting provider
Hosting of our service and storage of the data contained therein is provided by the following contractor as a contractual processor:
BP 438, F-75366 Paris Cedex 08
Paris Trade and Companies Register number: B 433 115 904
Data hosting provider (Merchant website visitor / End Customer data that is required for the provision of the Service)
XENYA inženiring, proizvodnja in trgovina, d.o.o.
Celovška cesta 172, 1000 Ljubljana
Company reg. no.: 5591872000
Data hosting provider (Merchant website visitor / End Customer data that is required for the provision of the Service)
3.5. Analytics provider
Analytics regarding the use of our service are provided by the following contractor as a contractual processor:
- Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (service: Google Analytics https://www.google.com/analytics/terms/dpa/dataprocessingamendment_20130906.htm). Processing location: EEA (data is stored only on servers located within the EEA).
3.6. Transferring personal data to third countries and international organizations and measures to protect transferred data
As a rule, the Provider does not export personal data to third countries (i.e. outside of the European Union, Iceland, Norway and Liechtenstein) and to international organizations. An exception to this is data hosting with US-based providers (despite the fact that the data is hosted on the provider's servers within the EEA), as hosting may lead to data processing that may be treated as a non-EEA data transfer (by the sub-processor or the relevant public authority, whereby in the USA, public authorities, agencies and other entities may gain access to the data in certain extremely rare cases). On the date of preparation of this notice (November 2022), the contract that serves as a basis for the hosting by said provider, has been drawn up to include standard contractual clauses and an official USA Executive order is being put in place to further protect such data.
You can obtain more detailed information on specific data user categories as well as more information on our contractual processors and our data transfers by sending us your request to:
- the email address: email@example.com
4. Processing of special categories of personal data
Due to the nature of the core functionalities of the Service (i.e. the fact that an End Customer may transfer personal data to a Merchant that includes sensitive data, such as data on his health when ordering medicine through a webstore that is developed and hosted on Shopamine), special categories of personal data may also be processed in the context of the operation of the service.
In addition to the listed data, special categories of personal data may also include other data that directly or indirectly reveal racial or ethnic origin, political opinion, religious or philosophical beliefs or trade union membership, genetic data, biometric data for the purpose of unique identification, and data related to an individual’s sexual life or sexual orientation.
4.1 Additional technical aspects of protecting special categories of personal data
Only a limited number of employees have direct access to databases in the service that contain or may contain special categories of personal data, whereby they access the data in order to ensure the operation of the basic functionalities of the service or the provision of support activities. Access to such databases is limited at the level of individual workstations with administrator passwords only being assigned to employees according to their position and actual work tasks.
The server application is isolated and protected by internal security mechanisms and software tools that prevent possible external intrusions.
Special categories of personal data are provided to the relevant Merchant via a web application interface that uses a secure, encrypted connection (HTTPS) with certificates.
All special categories of personal data which are provided via e-mail at the express request of the relevant Merchant, shall be provided in an encrypted attachment, which shall require a password to open.
5. What rights do you have in connection with your personal data and how can you exercise them?
In connection with this data processing notification or regarding the processing of your personal data by us (Appoteka d.o.o., the company behind the Shopamine platform that is acting as the Provider and data processor) and our contractual processors, you can contact us at any time and without hesitation via firstname.lastname@example.org.
You can also contact us on the email mentioned above in order to send us your specific requests and for exercising your other rights, which relate to your personal data and applicable local legislation or the GDPR.
As a data subject, the GDPR gives you the opportunity to exercise the following rights both with the controller (i.e. the relevant Merchant) as well as with the Provider (whereby, in all such cases we shall forward your request to the Merchant that is acting as the controller in relation to said data):
5.1. Right of access to your personal data (Article 15 of the GDPR)
You have the right to obtain confirmation, whether personal data are processed in relation to you and, where applicable, request access to the personal data concerned together with the information referred to in Article 15 (1) of the GDPR:
When personal data is transferred to a third country or international organization, you, as the data subject, have the right to be informed of appropriate safeguards in accordance with Article 46 of the GDPR in respect of such transfer.
If you request the aforementioned, you must also be provided with a copy of the personal data processed in connection with you. For any further copies requested by you, the Merchant (or we as the Provider, as the case may be) may charge a reasonable fee based on administrative costs.
Where the data subject submits the request by electronic means, and unless the data subject requests otherwise, the information shall be provided in a commonly used electronic form.
5.2. Right to rectification of personal data (Article 16 of the GDPR)
As a data subject, you also have the right to have inaccurate personal data corrected in connection with you without undue delay.
The data subject has the right to supplement incomplete personal data, including the submission of a supplementary statement, taking into account the purposes of the processing.
5.3. Right to erasure of personal data ("right to be forgotten") (Article 17 of the GDPR)
As a data subject, you have the right to have your personal data deleted without undue delay. The Merchant (or we as the Provider should we receive such instructions from him) shall delete personal data without undue delay even when one of the following reasons applies:
a) personal data are no longer needed for the purposes for which they were collected or otherwise processed;
b) when the processing of personal data was carried out on the basis of your consent, which you have revoked;
c) if you have objected to the processing of personal data and there are no overriding legitimate reasons for the processing,
d) if personal data have been processed illegally;
e) if personal data need to be deleted in order to fulfill a legal obligation in accordance with Union law or national law,
f) if personal data have been collected in connection with the offer of the “information society” services (which was offered to a person under the age of 15 and was not agreed to by the guardian of such a person).
In accordance with Article 17 (3) of the GDPR, in certain cases you do not have the right to achieve the deletion of personal data that had been processed by the Merchant (or consequently by us as the Provider) (e.g. when the Merchant processes data for archiving purposes in the public interest, when he requires a minimized set of the data for the resolution of civil law procedures involving you, etc.).
5.4. The right to revoke consent or partially revoke consent
If, as a data subject, you have consented to the processing of your personal data for one or more specific purposes (see point 1.3 of this notice), you have the right to revoke your consent at any time without affecting the lawfulness of the processing that had been carried out on the basis of said consent until its revocation.
You can limit or revoke/withdraw your consent for the processing of data at any time by contacting the relevant Merchant that is acting as the controller in relation to such data, or by contacting us at email@example.com.
5.5. Right to limit processing (Article 18 of the GDPR)
As a data subject, you have the right to restrict the processing of your personal data when one of the following cases applies:
a) when, as a data subject, you dispute the accuracy of the data, for a period that allows the accuracy of the personal data to be verified;
b) where the processing is illegal and as a data subject, you oppose the deletion of personal data and instead request a restriction on their use;
c) where the client no longer needs personal data for the purposes of processing, but you, as the data subject, need them to assert, enforce or defend legal claims;
d) when, as a data subject, you lodge an objection to the processing and until it is verified that the legitimate reasons of the client as the controller prevail over your reasons (i.e. the reasons of the data subject).
Where the processing of personal data has been restricted, such personal data, with the exception of their storage, shall be processed only with the consent of the data subject or to assert, enforce or defend legal claims or to protect the rights of another natural or legal person due to important interests of the European Union or the nation in which the controller resides.
Where the Merchant that is acting as the data controller achieves a processing restriction, we may help inform the data subject about this before lifting the processing restriction.
5.6. Right to data portability
As a data subject, you have the right to receive personal data that relate to you and which you have provided to the Merchant in a structured, commonly used and machine-readable form, and you have the right to pass this information on to another controller without the Merchant being able to hinder you in doing so when:
(a) processing is based on consent or a contract; and
(b) processing is carried out with automated means.
As a data subject, in exercising this right of data portability, you have the right to transfer personal data directly from one controller (e.g. the Merchant) to another, where technically feasible.
5.7. Right to object to processing (Article 21 of the GDPR)
As a data subject, you have the right to object to the processing of personal data concerning you on grounds relating to your specific situation, where the processing is necessary for the performance of a task in the public interest or in the exercise of official authority, which has been granted to the controller or where the processing is necessary for legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular when the data subject is a child. The above also applies to the creation of profiles in such cases of processing.
In the event that you object, the controller or we as the Provider shall stop processing personal data unless it can be proven, that the legitimate interests for processing outweigh the interests, rights and freedoms of you as a data subject, or that the processing is necessary for the enforcement, implementation or defense of legal claims.
When personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data relating to them for the purposes of such marketing, including the creation of profiles insofar as such direct marketing is concerned.
Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for those purposes.
As part of using information society services, you, as a data subject, can exercise your right to object to processing by automated means using technical specifications.
Where data are processed for scientific or historical-research purposes or for statistical purposes, you as the data subject have the right to object to the processing of data relating to you for reasons related to your particular situation, unless the processing is necessary for the performance of a task carried out due to reasons of public interest.
5.8. Right to lodge a complaint with a supervisory authority
If you believe that the processing of personal data performed in connection with you by a Merchant that is acting as the controller in relation to the data or by us as the Provider (i.e. processor), violates personal data protection regulations, you may, without prejudice to any other (administrative or other) remedy, lodge a complaint with the supervisory authority, in particular in the country where you have your habitual residence, your place of work or where the infringement is alleged to have taken place (in Slovenia the relevant authority is):
- Informacijski pooblaščenec, Dunajska 22, 1000 Ljubljana, Slovenia, EU, email: firstname.lastname@example.org, phone: +38612309730, website: www.ip-rs.com.
A list of other EU supervisory authorities and their contact information can be found here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
6. Existence of automated decision making and profiling
The service does not include automated decision making or profiling based on your personal data.
7. Processing of personal data of persons under 15 years of age
Our organization does not knowingly collect or otherwise process personal data of persons under 15 years of age. When a Merchant collects personal data of such persons and enters them into the service, or asks such persons to enter personal data into the service, the Merchant is always obliged to obtain the prior consent of the parents or guardians of such a person and respect all other legal requirements.
If we subsequently find out that a Merchant has processed the personal data of such a person without the consent of his parent or guardian, we shall do everything necessary to delete all of the data.
The above-described persons or their parents or guardians may submit their requests for the deletion of such data (firstly to the relevant Merchant or to us) at email@example.com.
8. Who can you contact for further clarification regarding the processing of personal data in our organization and regarding your rights?
You can limit or revoke your consent for the processing of data at any time by contacting the controller (e.g. the Merchant that is acting as the data controller in relation to your data).
You can also contact us as the processor of your personal data at:
- the email address: firstname.lastname@example.org
Should you provide sufficient information (or evidence, as the case may be) we may help you identify which Merchant is acting as the data controller in relation to your data.
9. Protection of personal data
Our company carefully stores and protects personal data through organizational, technical and logical procedures and measures to protect the data from accidental or intentional unauthorized access, destruction, alteration or loss, and unauthorized disclosure or other form of processing to which you have not expressly consented.
To this end, we have also adopted appropriate internal processes and set up various measures (e.g. assigning, using and changing passwords, locking premises, offices, server and workstation locations, regularly updating software and upgrading security-critical components, physical protection of material containing personal data in specially designated places, training of employees, etc.). The organization also demands these security commitments from its contractual processors.
Our subprocessors also protect the data with their own security mechanisms and tools, whereby we can offer you such information upon receiving your request at email@example.com.
10. Version and date of the last update of this notice
The text of this notice represents version 1.0 of this document. Feel free to reach out to us via our official channels should you require any previous version of this document that might be relevant to your needs.
This notice was last updated on the 28th November, 2022.
Published: 28. 11. 2022
Last update: 28. 11. 2022