GDPR – user rights – Data Privacy Policy

The operators of these pages (hereinafter only “controller” or “operator”) take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.

Based on applicable regulations KOKO kozmetika, Nina Berginc s.p., Vrunčeva ulica 1, 3000 Celje, registration number: 8157049000, tax number: SI 70073392


Article 1

These rules determine the purpose of processing personal data, type of personal data, which will be processed and storage period, archiving or deletion of personal data managed by KOKO kozmetika, Nina Berginc sp, Vrunčeva ulica 1, 3000 Celje, (hereinafter : operator). If matters are not covered by this privacy policy, those are in accordance with national and European law, in particular the General Data Protection Regulation (hereinafter referred to as “GDPR”)

Article 2

The privacy policy of these pages is based on the terms of Article 4 of the GDPR, which were defined by the European Union at the time of the order of the GDPR. Terminology used. We use the following terms in this privacy policy, including but not limited to:

 1. “Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject” or “user”). A natural person is considered to be identifiable who, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more special features, expresses the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person can be identified.

2. “Processing” means any process or series of operations related to personal data, such as gathering, collecting, organizing, arranging, storing, adapting or modifying, reading, querying, using, with or without the aid of automated procedures; disclosure by submission, dissemination or other form of provision, reconciliation or association, restriction, erasure or destruction.

3. “Limitation of processing” is the marking of stored personal data with the aim to limit their future processing.

4. “Pseudonymisation” is the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the need for additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that the personal data not assigned to an identified or identifiable natural person.

5. “Collection” means any structured set of personal data which is accessible according to specific criteria. The string can be centralized, decentralized or dispersed on a functional or geographical basis.

6. “Controller or person in charge of controlling” is the natural or legal person, public authority, agency or body that, alone or in concert with others, decides on the purposes and means of processing personal data. Where the purposes and means of such processing are determined by Union law or the law of the Member States, the controller or the specific criteria for his designation may be provided under Union or national law.

7. “Processor”  is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

8. “Recipient” is a natural or legal person, public authority, agency or other body to whom Personal Data is disclosed, whether or not it is a third party. However, authorities which may receive personal data under Union or national law in connection with a particular mission are not considered as beneficiaries. The processing of this data by these public authorities is carried out in accordance with the applicable GDPR regarding to purposes of the processing.

9. “Third parties”  is a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons authorized under the direct responsibility of the controller or the processor to process the personal data.

10. “Consent” is any voluntarily given and unambiguously expressed in the form of a statement or other unambiguous confirmatory act by the data subject for the particular case, by which the data subject indicates that they consent to the processing of the personal data concerning him / her is.

11. “Violation of Data Privacy Policy” means a breach of security which results in the unintentional or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, archived or otherwise processed.

12. “Biometric data” means personal data as a result of special technical processing relating to the physical, physiological or behavioral characteristics of individuals which enables or confirm the unique identification of the individual, such as facial images, or dactyloscopic data.

13. “Company” is a natural or legal person, who carries out an economic activity, regardless of its legal form, including partnerships or associations regularly engaged in an economic activity.

14. “Supervisory authority” means the Information Commissioner, established by this Policy and the law governing the Information Commissioner.

15 “Cross-border personal data processing” means either: a) the processing of personal data taking place in the Union in the context of the activities of the controller’s or processor’s headquarters, where either the controller or the processor is established in more than one Member State. b) the processing of personal data taking place in Union in the context of the activities of the controller’s or processor’s only place of business, but the processing has a significant impact or could significant affect individuals, on which personal data refering to, in more than one Member State.

16. “linking of databases” means linking at least two databases in such a way as to enable the content of personal data in different databases to be automatically updated in such a way that the personal data in the personal data file are updated or that the personal data is automatically


Article 3

1. The controller or authorized processor (Commissioner) process the personal data of employees and customers for the purposes of cosmetic products marketing.

2. The controller set up for each structured set of personal data, which is centralized, collection.

3. The operator must ensure the accuracy and promptness of the contents of the collection.

4. The controller keep records of the processors activities on personal data.

Article 4

The controller in the company keeps the following collections:

1. Records related to the company’s employees or employment.

2. Customer records.

Protected personal data are those data about a natural person that indicate the characteristics, conditions or relationships of the individual, regardless of the form in which they are expressed. For the purposes of the first paragraph of this Article, the following shall be considered personal data on a natural person in particular:

a) personal data of individuals (name, address, e-mail address, telephone number)

b) data relating to family relationships,

c) data relating to housing and living conditions of individuals,

d) employment data,

e) data on the social and economic situation of the individual,

f) data on education and acquired knowledge,

g) data on usage of communication channels  

h) data on leisure activities,

i) data on the habits of the individual.

The controller may collect or process personal data for a purpose other than the initial purpose specified in the first paragraph of Article 4 of this Policy, hereof and under the condition of a written assessment of the compatibility of the new purpose of processing, which includes the following criteria:

a) whether the requirements as to the legality, fairness and proportionality of the original processing,

b) an assessment of the compatibility of the intended purpose with the original purpose of processing or collection,

c) an assessment of the fairness and proportionality of the planned further processing,

d) the circumstances in which personal data were collected, in particular relationship between the individuals to whom the data subject  are regarding, and the controller.

e) the reasonable expectations of individuals, to which personal data relate and in particular possible consequences of planned further procession on their rights and obligations, positions or personal status,

f) the existence of appropriate security measures regarding the processing of personal data (hereinafter: protection of personal data), which may also include pseudonymisation, anonymisation or encryption.

Processing for other purposes than the original may be performed without providing a specific legal basis only if a written assessment of the previous paragraphs clearly shows that the expansion of the processing of personal data is necessary in order to attain the legitimate interests of the controller and these interests clearly outweigh the interests of the individuals , to which personal data relate.

A written assessment under this paragraph shall be part of the documentation with which the controller demonstrates the compliance of its processing with the rules set out in the provisions of the applicable regulations.

Taking into account of fourth and fifth paragraphs of Article 4 of the Policy, the processing of personal data for another purpose is permitted only if:

a) obtained confirmation of the individual to whom the personal data relate

b) processing for another purpose is determined by a law or legal act or decision of the European Union, which is equivalent to law and is directly applicable in Republic of Slovenia,

c) it is necessary for the purposes of preventing, investigating, detecting, prosecuting criminal offenses or misdemeanors, enforcing criminal sanctions, protecting against threats to public security and their prevention, the security of the State or the defense, or

d) it is necessary for the establishment, exercise or defense of civil claims, if not dominated by the interests of the individual to whom the personal data relate. In particular, the confidentiality of legal relationship giving rise to the processing of personal data.

Article 5

An individual collection may consist of one or more physical collections.

Article 6

Physical collection can exist in paper form (paper, registrar, file cabinet, etc.) or electronic (computer drive, magnetic disks, USB, and other media electronic records).

Article 7

The protection of personal data includes legal, organizational and appropriate logistical and technical procedures and measures to protect personal data, prevent accidental or intentional unauthorized destruction of data, their modification or loss, and unauthorized processing of such personal data, securing by:

a) protect premises, hardware and system software, including input and output units;

b) protects the application software with which personal data is processed;

c) prevent unauthorized access to personal data for their transmission, including the transmission via telecommunications and networks;

d) provides an effective way of blocking, destruction, deletion or anonymisation of personal data;

e) prevent unauthorized persons from accessing the devices on which personal data are processed and their collections;

f) enables subsequent determination of when individual personal data entered into the database of personal data, used or otherwise processed and by whom, and for the period for which the specific data is collected and stored.


Article 8

Premises where the holders of protected personal data are located – any document containing personal data and any other computer or electronic transfer – hardware and software (hereinafter: protected premises) must be protected by organizational and physical and technical measures to prevent unauthorized persons access to data.

Access to the premises referred to in paragraph 1 of this Article is possible and permissible only during working hours, and outside working hours only with the permission of the manager (director).

The keys to the protected premises shall be used and kept by the Director, and shall be used in accordance with the instructions on the protection and destruction of keys issued by the Director.

Personal data stored outside work areas or outside protected areas (corridors, common areas, active archives, etc.) must be permanently stored in a locked area of the company.

Article 9

Outside working hours, personal data carriers must be stored in locked lockers in the work areas. Computers or other hardware on which personal data is processed or stored must be switched off and physically or programmatically locked outside working hours, and access to personal data stored on the computer disk must be encrypted.

Article 10

Persons who do not work on the premises and who are not employees of the company may not enter the protected premises without prior notice.

Employees working in secure areas should conscientiously and carefully monitor the room and lock the room when leave.

An employee who uses personal data in his work or processes them in any way, may not leave during working hours personal data carriers on desks or otherwise expose them to the danger of access to them by unauthorized persons or employees.

In premises where customers or persons who are not employees of the company have access, data carriers and computer displays must be installed during processing or partially on them in such a way that customers are not allowed to see them.

Article 11

Employees of the company may not take personal data carriers out of the company without the permission of the director. The processing of personal data from collections is only allowed on the company’s premises. The transfer of personal data to authorized external institutions and others that demonstrate a legal or contractual basis for the acquisition of personal data is permitted by the Director.

An employee who provides personal data to external institutions and others who demonstrate a legal or contractual basis for obtaining personal data, with the permission of the director, must enter the facts of the transfer of personal data in the records of processing activities.

Article 12

Maintenance and repair of computer hardware and other equipment with which personal data is processed is permitted only with the knowledge and approval of an authorized person (or director), and may only be performed by authorized service providers and their maintainers.

Article 13

Maintainers of premises and other equipment in protected premises, business partners and other visitors may be present in secure premises only in supervisory of company employee.


Article 14

Access to computer software must be secured in a way that allows access only to certain authorized workers and workers who perform computer and software servicing for the company under a contract.

Article 15

Correction, modification and supplementation of system and application software is allowed only with the approval of the director, and it can only be performed by an authorized service and companies or their employees who have a contract with the company.

Article 16

The same provisions apply to the storage and protection of application software as to other data from this policy.

The employee authorized to process and handle personal data and the computer must ensure that in the event of servicing, repair, modification or addition of system or application software, the copy is destroyed when the personal data is copied, after the need for a copy ceases.

The employee authorized to process and handle personal data and the computer must be present at all times during the servicing of the computer and software and must supervise that unauthorized handling of personal data does not occur.

Article 17

The contents of the network server disks and local workstations where personal data is located are checked daily for the presence of computer viruses.

When a computer virus appears, everything must be done to eliminate the virus with the help of experts and to determine the cause of the virus.

Article 18

Employees may not install software and remove software from the company’s premises without the express permission of the director.


Article 19

The controller must ensure the availability of the processed data. Access to data via application software must be protected by a system of passwords for authorization and identification of users of programs and data. The Director shall determine the regime for assigning, storing and changing passwords.

Article 20

All passwords and procedures used to log in and administer the PC network, e-mail administration and application via application administration are kept in sealed envelopes at the company’s administration. Secure passwords stored in sealed envelopes may be used in exceptional cases. and emergencies. Any use of the contents of sealed envelopes shall be documented. After using the sealed passwords from the envelopes, the director sets new passwords.

Article 21

For the purposes of restoring personal data or the computer system after malfunctions or loss of data for other reasons, the company must regularly make copies of the content of personal data that it manages. All produced copies of the contents of personal data files must be entered in the book of records of processing activities. Computer copies of the contents of personal data collections on diskettes or other media shall be kept in secure locked lockers.


Article 22

Letter consignments containing personal data are sent to the addressee by registered mail with a return receipt. The transfer of personal data via telecommunications, e-mail or other computer media outside the company’s premises must be secured by procedures and measures in a way that prevents unauthorized persons from misappropriating, destroying or unauthorized access to their content. The transfer of personal data by e-mail must be secured with an identification password.


Article 23

The controller must ensure the confidentiality of the processed data.

Organizationally, the confidentiality of data can be ensured in the act on job systematization, where the rights and authorizations on an individual database are defined for each job. If this is not specified in the job classification, the mentioned rights and authorizations derive from the operational regulation adopted on the basis of these rules. For each job, the internal acts of the controller may also define the duty to protect the confidentiality of personal data.

The confidentiality of data is also ensured by the physical protection of the premises, system and application software and data carriers.


Article 24

The controller of personal data must provide personal data to users of personal data against the payment of transmission costs, unless otherwise provided by law.

Article 25

For each transfer of personal data, the controller must ensure that it is possible to determine at a later stage which personal data have been transferred, to whom, when and on what legal basis, for a period when legal protection of the data subject’s rights, to which the personal data relate, due to the inadmissible transmission of personal data.

Subscribers’ personal data is collected in appropriate software, which is protected by entry codes. The purpose of data collection and processing is to maintain an active record of service subscribers.


Article 26

In accordance with the principle of proportionality and the purpose of processing personal data from Article 4 of the Rules, the controller shall keep the shortest possible period.

Article 27

Upon termination of the need to keep personal data recorded on a special statement signed by the customer or employees, the data shall be deleted or destroyed, unless this is contrary to applicable general rules, the current contractual relationship or the nature of the employment relationship.

Article 28

Deletion of personal data on computer media is done in a way that prevents the restoration of deleted data.

Personal data contained on traditional data carriers (documents, files, register, list) are deleted by destroying the data carriers. Data carriers are physically destroyed (burned, dismembered) on the premises of the controller, and under the supervision of an authorized employee of the controller, they may also be destroyed by another organization that deals with the destruction of confidential documentation.

Article 29

With diligence and conscientious work determined by these rules for the destruction of personal data kept in databases or on individual data carriers, supporting documentation or computer products, templates containing individual personal data, must also be deleted and destroyed.

The destruction of personal data on the media referred to in the previous paragraph must be carried out on an ongoing and promptly.


Article 30

Employees of the company are obliged to take measures to prevent the misuse of personal data and must handle personal data diligently and carefully in the manner and according to the procedures set out in these policy.

A worker who notices that there has been misuse of personal data (disclosure of personal data, unauthorized destruction, unauthorized alteration, damage to the collection, misappropriation of personal data) or intrusion into the collection, must immediately notify the director and authorized employee who manages the collection, which has been abused or invaded.

Article 31

The controller must send a notification to the Information Commissioner about personal data breaches within 72 hours of becoming aware of the breach. Unless it is clear whether a breach of personal data protection would jeopardize the rights and freedoms of individuals.

The processor shall notify the controller after being informed of the personal data breach.

Where a breach of personal data protection is likely to pose a significant risk to the rights and freedoms of individuals, the controller shall without undue delay inform the data subject that a breach of personal data protection has occurred.

The director must take appropriate action against anyone who misuses personal data or intrudes into the database without authorization.

If there is a suspicion that the intrusion into the database was committed intentionally and with the intention of misusing personal data, the director must, in addition to initiating disciplinary proceedings against the perpetrator or issuing a reprimand before regular termination of the employment contract or regular termination of the employment contract, if this is an employee of the company, report the intrusion or abuse or attempted abuse to the law enforcement authorities.

Misuse of personal data is any use of personal data for purposes that are not in accordance with the purposes of collection set out in the applicable regulations on the basis of which they are collected or the purposes set out in the collections. An attempt to misuse personal data for unauthorized purposes is considered an attempted misuse.


Article 32

The individual shall have the right to obtain confirmation from the controller as to whether personal data are being processed in relation to him or her and, where applicable, access to personal data and the following information:

(a) processing purposes;

(b) the types of personal data concerned;

(c) users or categories of users to whom personal data have been or will be disclosed, in particular users in third countries or international organizations;

(d) where possible, the envisaged retention period of the personal data or, if that is not possible, the criteria used to determine that period;

(e) the existence of a right to require the controller to rectify or delete personal data or to restrict the processing of personal data in relation to the data subject, or the existence of a right to object to such processing;

(f) the right to lodge a complaint with the supervisory authority;

(g) where personal data are not collected from the data subject, all available information concerning their source.

Before handing over personal data, the individual signs a special statement on which he / she indicates the personal data he / she wishes to hand over and determines the purpose for which he / she allows the use of personal data (customer’s statement ANNEX 1).

The controller shall provide a copy of the personal data being processed. For additional copies requested by the data subject, the controller may charge a reasonable fee, taking into account administrative costs.

Individual/data subject has the right to have the controller correct inaccurate personal data concerning him or her without undue delay. The data subject has the right to supplement incomplete personal data, including the submission of a supplementary statement, taking into account the purposes of the processing.

Individual/data subject has the right to have the controller delete the personal data concerning him or her without undue delay, and the controller has the obligation to delete the personal data without undue delay when one of the following reasons applies:

(a) personal data are no longer required for the purposes for which they were collected or otherwise processed;

(b) the individual to whom the data subject withdraws consent on which the processing takes place and where processing there are no other legal basis;

Where the controller publishes personal data and is obliged to delete the personal data in accordance with paragraph 4, taking reasonable steps, including technical measures, including technical measures, inform the controllers that individual /data subject requests them to delete any links to this personal data or copies thereof.

Article 33

Before the employee starts working at the workplace (list of authorized persons ANNEX 3), where personal data or personal data carriers are collected, edited, processed, modified, stored, transmitted or used, the employee must sign a statement undertakes to protect personal data as a professional secret and draws its attention to the consequences of a breach of the undertaking.

The obligation to protect personal data with which the employee becomes acquainted during his work in the company continues even after the termination of the employment relationship in the company.

Article 34

The employee commits a minor breach of duty:

  1. If it does not control carefully and conscientiously protected premises (the first point of Article 7 of these Rules);
  2. If he abandons actions to prevent access to or to personal data carriers (Item 5 of the first paragraph of Article 7 of these Rules);
  3. If it does not destroy a copy of personal data in the cases referred to in paragraph 2 of Article 25 of these Rules;
  4. If he is not full time present during the servicing of the computer and software (paragraph 3 of these Rules);
  5. If it does not carry out prevention in connection with computer viruses (Article 21 of these Rules);
  6. If he does not keep records of copies of the contents of personal data files in the book of records on the handling of personal data (paragraph 1 of Article 25 of these Rules) and
  7.  If he does not inform the Director or an authorized worker in the event of misuse of personal data or intrusion into the personal database (second paragraph of Article 34 of this Regulation).

Article 35

The employee commits a serious breach of duty:

  1. If he communicates personal data obtained at work, from co-workers or other persons;
  2. If it does not control personal data subjects during working hours and thus allows unauthorized persons to inspect them (Article 10 of this Policy);
  3. If he removes personal data carriers from the company’s premises without explicit permission (Article 11 of these Policy);
  4. If it transmits personal data to authorized external institutions without the permission of the director (Article 11 of these Policy);
  5. If it does not enter in the records of activities of processing the fact of transmission of personal data to external institutions (paragraph 4 of Article 15 of these Rules);
  6. If it repairs, modifies or supplements system or application software (Article 15,16 of these Policy);
  7. If it installs or removes software from the company’s premises without the express permission of the director (Article 18 of these Policy);
  8. If he does not keep computer copies of the contents of personal data files in locked cupboards (Article 21 of these Rules).


  1. Responsible workers

Article 36

The persons listed in ANNEX 2 shall be responsible for the establishment, management, updating and handling of personal data files and personal data kept in the company.

Article 37

Collections of personal data of employees are established at the time of concluding an employment relationship with the employee or are updated upon each change reported by the employee. Personal data in the personal data file of employees is established or updated by the human resources employee or the head of the company’s accounting.

Customer personal data sets are established upon request and purchase and are updated with each change reported by the customer.

Article 38

The storage of personal data files is the responsibility of the employees authorized to process personal data files.

Article 39

Collections of personal data of employees the company (personnel records) and other personal data collection kept in the company are kept in a locked cupboard.

Article 40

Retention of personal data collections shall be specified for each collection of personal data separately.


Article 41

Collections, the organization of personal data protection and the regulation of other matters specified in these Rules must be harmonized with the applicable regulations and provisions of these Rules within 60 days from the day of the adoption of these Policy.

Amendments to these Rules shall be adopted in accordance with the procedure and in the manner applicable to the adoption of the Rules.

All employees of companies must be acquainted with the provisions of these rules

This policy will receive services and workers, where they collect, compile, process, change, store, transmit, or use personal data or personal data holders must sign the declaration set out in Annex 1 hereto within 30 days from the date of adoption of this Policy.

This Policy shall enter into force on the date of 01.3.2018. Based on the applicable policy of KOKO kozmetika, Nina Berginc s.p., Vrunčeva ulica 1, 3000 Celje, registration number: 8157049000, ident. no. for VAT and tax number: SI 70073392