Privacy Policy in accordance with Art. 13, 14 GDPR - Fulfilment of information obligations
1. JOINT CONTROLLERS
The following companies are Joint Controllers for all processing of personal data in accordance with Art. 4 (7) of the EU General Data Protection Regulation (GDPR) and Art. 26 of the GDPR:
- Designer Outlet Croatia d.o.o. Sop (Rugvica Municipality)
Alfreda Nobela 4, 10 361 Sesvete - Kraljevac - Tel: +385 1 6472 430
- E-Mail: info@designeroutletcroatia.com
hereinafter referred to as "data controllers".
Being Joint Controllers means that each of the data controllers process your data jointly, taking into account the highest data protection standards. A corresponding contract has been concluded between each of the data controllers. Even if there is joint responsibility, the data controllers fulfil the obligations under data protection law in accordance with their respective responsibilities. Within the framework of joint responsibility, you can assert your rights in connection with data processing with each of the data controllers.
Primarily, kindly direct your concerns and inquiries to ROS Croatia Management, Heinzelova 70, 10000 Zagreb, Tel: +385 1 6472 430, E-Mail: info@designeroutletcroatia.com
Furthermore, the company has appointed an external Data Protection Officer who can be contacted at the following email address: datenschutz-ros@meineberater.at.
2. GENERAL DATA PROCESSING
2.1. Data processing in accordance with Art 13 GDPR
We process the data that data subjects provide to us, for example in the context of an enquiry by E-Mail, for the purpose of initiating and concluding a contract or a business relationship.
2.2. Data processing in accordance with Art 14 GDPR
In addition, we process data of persons who may be part of a contractual relationship, which we have permissibly received in the context of information provided by third parties (e.g., managing directors provide us with the data of their employees or colleagues).
2.3 Data Subject to Whom the Personal Data Relates
From participants of prize games, we process the following data: name and surname, email address, date of birth. We collect this personal data for the purpose of enabling participation in the prize game based on the legal foundation of the Gambling Law and the Regulations on organizing prize games, namely, to comply with the legal obligations of the data controller.
From newsletter recipients and VIP Club members, we process the following data: name and surname, email address, date of birth. We collect this personal data for the purpose of sending general or personalized direct marketing messages (newsletter) in order to promote our activities, offers, and products as well as our partners, based on your consent. We retain them until the consent is withdrawn by the data subject or until a request for deletion is sent.
From contact persons of tenants, we process the following data: company, title and name of the contact person, business address and contact details, banking information, contract information. We process this personal data for the purpose of carrying out economic, financial, and/or administrative management activities based on the legal basis of contract execution.
From suppliers and business partners, we process the following data that are necessary for initiating or concluding a contract: company, title and names of contact persons, business address and contact information, banking details, contract information. We collect this personal data for the purpose of fulfilling rights and obligations under the contract, based on the legal basis of contract execution
From event participants, we process the following data: name, contact information, and address details. The purpose and legal basis for data processing is stated in a separate provision further in the text of the Privacy Policy.
2.4. Recipients of personal data
Recipients of personal data will only be third parties if it is necessary for the fulfilling of a contract or if it is required by law.
2. 5 Data Retention
- Expiration of contractual obligations: If there are contractual provisions prescribing how long personal data must be kept, the data controller ensures compliance with these deadlines. After these periods expire, the data is deleted or anonymized by the data controller.
- Withdrawal of consent: If a person withdraws their consent for the processing of their personal data, the data controller deletes those data, unless there is another legal basis for processing.
- Expiration of legal obligations: In some cases, there may be exceptions that not only permit but even require the data controller to continue storing personal data for a certain period, such as the storage of tax or accounting records. After these legal deadlines expire, the data controller also ensures anonymization or deletion of the data.
- Accounting documents (e.g., invoices and receipts for voucher/prize collection): 11 years (accounting regulations);
- Data obtained based on consent (e.g., email address for newsletters): only as long as valid consent exists;
- Database of potential tenants/business partners: maximum 12 months;
- Visitor messages (compliments, complaints, suggestions, etc.): within the time needed to consider and respond to your message, depending on its content and our capabilities (approximately 2 weeks).
- Consumer complaint records are kept for 1 year from the receipt of the written complaint (consumer protection regulations);
- Data in processes that may lead to compensation claims: in accordance with statutory limitation periods (up to a maximum of 5 years);
- Prize games and competitions: as long as there is a need to resolve complaints (depending on the deadline defined by the game/competition rules), or, exceptionally longer due to inspection supervision or pending legal proceedings, in accordance with limitation periods (maximum 4-5 years);
- Video surveillance recordings: as a rule, a maximum of 20 days from their creation. In the event of an incident that has been recorded on video and reported, a longer retention period may be required for the purpose of conducting an appropriate legal process;
- Legal proceedings: if legal proceedings are initiated, the personal data necessary for their conduct are kept until the final conclusion of the process. Compensation claims are kept for 10 years from the finality of the decision or settlement (limitation regulations).
2.6. Contact via E-Mail
When you contact us via email, the data you provide will be stored by us in order to respond to your inquiries. We will delete this data once it is no longer necessary for processing or restrict the processing if legal retention periods apply.
Legal basis: Art. 6 para. 1 lit. f GDPR
2.7. Publication of the names of originators
We are required by law to disclose names of creators of image data (photos or videos) whenever we publish image data. We automatically delete this personal data as soon as we stop using the image data.
2.8. Legal basis
The below points are the legal basis of data processing:
- Initiation and fulfilment of the contract in accordance with Art. 6 para. 1 lit. b GDPR.
- Legal obligations in accordance with Art. 6 para. 1 lit. c GDPR, (for example, legally prescribed storage and documentation obligations).
- Legitimate interests of our company within the meaning of Art. 6 para. 1 lit. f GDPR (for example usage of software).
- Art 6 para. 1 lit. a GDPR when obtaining consent (for example when processing image data or for advertising purposes).
3. DATA PROCESSING OF VIP CLUB MEMBERS
If you decide to become a member of our VIP Club, we will process the data you enter in our form (online or print).
A membership in our VIP Club with many financial advantages requires the authorisation of the Outlet to send you offers, information, advertising, invitations to competitions as well as promotions of the partners of the designer outlet by E-Mail.
In order to complete your registration in the VIP Club, we require your first and last name as well as a valid E-Mail address or a further confirmation that you are indeed the supposed recipient of the mailings sent to you. For this purpose, we will send a confirmation E-Mail to the E-Mail address entered with a link contained therein (double opt-in); only after clicking on this link is the registration completed.
If you want to receive special birthday vouchers as a member of the VIP Club, we also need your date of birth. However, you can also become a member without mentioning your date of birth. For this purpose of processing, the legal basis utilized is our legitimate interest in providing the client with a personalized service.
We collect further data in this context insofar as you provide it, but this is not necessary for the receipt of the advertisements.
If you do not wish to receive any more mailings, you can terminate your membership at any time informally by sending an E-Mail to the contact details given in section one of this Privacy Policy. When you terminate your membership, we will immediately delete your personal data processed for this purpose.
When you become a member of our VIP Club, you enter into a contract with us in that you receive discounts and we process your data in return. The processing of your data is thus necessary for the performance of the contract to which you are party.
Legal basis: Art. 6 para. 1 lit. b GDPR
4. DATA PROCESSING OF PRIZE GAME PARTICIPANTS
If you participate in our prize games, we will process your data for the purpose of conducting the prize game, determining and notifying the winners, and sending the offered prize. For this purpose, we must process your name and email address. Without this information, you cannot participate in the prize game.
We process your name and surname for the purpose of maintaining prize games based on the legal basis of laws, specifically the Gambling Law and the Regulations on organizing prize games.
As participants must be at least 18 years old to participate in the prize game, it is necessary to provide your date of birth. We process the date of birth to verify age in accordance with the rules of the prize game, based on legitimate interest.
You may also choose to disclose your telephone number voluntarily. If you do, we will use this information to contact you by phone if you have not responded to the email notification about the prize. However, this information is not necessary for entering the prize game. We process these personal data based on our legitimate interest in ensuring the winner receives the appropriate prize. Such data are collected based on our legitimate interest, which consists of ensuring the possibility of proving fulfillment of our obligations to the winner, or, defense and realization of legal claims.
The data will be deleted after determining the winner and the conclusion of the prize game.
When you join our game, you enter into a contract with us where you have the opportunity to win a prize, and in return, we process your data. Therefore, the processing of your data is necessary for the execution of the contract in which you are a party.
Legal basis: Article 6(1)(b) of the General Data Protection Regulation
5. DATA PROCESSING VIA OUR WEBSITE
5.1.Contact
If you have asked us to contact you via our web form or if you have sent us a message, we store the data that is required to contact you. This is your name and your E-Mail address. We additionally process data that you provide to us voluntarily. We delete the data as soon as storage is no longer necessary or you object to the processing. The processing of your data for this purpose is based on our legitimate interest in replying to our client’s inquiries and questions
Legal basis: Art. 6 para. 1 lit. f GDPR
5.2. Applicants
If you send us your application documents, we process your personal data contained therein as well as your CV and references for the purpose of personnel selection and filling the position. The processing of your data is necessary to take steps at your request prior to entering into a contract with you. In the event of a rejection, we delete your documents 7 months after sending the rejection to you.
Legal basis: Art. 6 para. 1 lit. b GDPR
If you consent to be kept on file with us for the purpose of contacting you later, we will approach you with a separate request for the transmission of a consent. If you explicitly give us this consent, we will store your consent. If there is no further opportunity to fill a vacancy with us within one year, we will delete all your applicant data one year after you have sent us your consent.
Legal basis: Art. 6 para. 1 lit. a GDPR
6. DATA PROCESSING WHEN VISITING OUR WEBSITE
6.1. Informative use of the website
In the case of informative use of the website, we only collect the personal data that your browser transmits to our server (server log files). If you wish to view our website, the most data we collect is that which is technically necessary for us to display our website to you and to ensure its stability and security:
- IP address
- Date and time of the request
- Time zone difference to Coordinated Universal Time (UTC)
- Content of the request (specific page)
- Access status/HTTP status code
- Website from which the request came
- browser
- Operating system and its interface
- Language and version of the browser software.
This data is not merged with personal data sources. We reserve the right to check this data retrospectively if we become aware of concrete indications of unlawful use and to pass on the data to the law enforcement authorities if there has been a hack attack. The data will not be passed on to third parties beyond this.
See details of our cookies
Legal basis: Art. 6 para. 1 lit. f GDPR
6.2. Cookies
Cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive in relation to the browser you are using and which provide the party setting the cookie (in this case us) with certain information. Cookies cannot execute programs or transmit viruses to your computer.
The cookie enables you to be recognised when you visit the website without having to re-enter data that you have already entered previously.
The information contained in the cookies is used, for example, to determine whether you are logged in or which data you have already entered, or to recognise you as a user when a connection is established between our web server and your browser.
We distinguish between technical cookies, which are used exclusively to ensure the operation of a website, and other cookies, which are set for the purpose of statistical analysis, tracking or advertising/marketing by us or third-party providers.
Legal basis: Art. 6 para. 1 lit. f GDPR (in the case of technical cookies), Art. 6 para. 1 lit. a GDPR (for all other cookies)
7. SOCIAL NETWORKS
We manage social media pages: Facebook and Instagram. When you visit our pages on social networks, personal data, including your IP address, are processed by the respective service provider, and cookies are used to collect data. For detailed information on the specific data transferred, please refer to the privacy policies of Facebook and Instagram.
There you will also find contact information and various privacy settings. We prioritize comprehensive customer satisfaction and primarily use these services to engage and communicate with you.
In services with a US connection, the data collected is usually transmitted to a server in the USA and stored there. We have no control or ability to supervise the nature or extent of the data processed by these services, the way it is processed and used or the disclosure of this data to third parties. To limit the processing of this data within the settings of these services, please refer to the detailed descriptions provided in the privacy policies of the respective providers.
Furthermore, we point out that you use the respective services and their features at your own responsibility. This applies particularly to the use of interactive functions such as sharing, commenting, or rating.
The providers of the social media services have provided us with corresponding agreements - in most cases these are agreements on joint responsibility for data processing. The use of social media is based on our legitimate, operational interest.
Legal basis: Art. 6 para. 1 lit. f GDP
8. CLOUD.TYPOGRAPHY
Our website uses external fonts from Hoefler & Co, 611 Broadway, Room 725, New York, NY 10012-2608, USA.
This service provides the "Cloud.Typography" fonts, which are displayed on users' end devices. In each session, your browser establishes a direct connection with the company's servers in the USA, whereby your IP address can be retrieved.
For more information, please see Typography's privacy policy: https://www.typography.com/policies/privacy
With this service, a transfer of personal data to the USA cannot be excluded! The GDPR requires appropriate safeguards under Article 46 GDPR for any data transfers to a third country or international organization. Such guarantees do not exist for the USA.
Furthermore Hoefler & Co. has at the current time not certified itself under the US Data Privacy Framework or the Privacy Shield. For this reason certain risks cannot be entirely ruled out for you as data subjects. These risks include:
- Your personal data may be shared with other third parties (e.g.: US authorities) by the respective service provider.
- You may not be able to sustainably assert or enforce your rights of access against the respective service provider.
- There may be a higher probability of incorrect data processing because the technical organizational measures for the protection of personal data do not fully comply with the requirements of the GDPR in terms of quantity and quality.
Legal basis: Art. 6 para. 1 lit. a GDPR
9. FACEBOOK
9.1. Facebook Pixel
Our website uses Facebook pixels ("Pixel") of the social network Facebook (Meta Platforms Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland) for the analysis, optimisation and economic operation of our online offer.
Facebook can use the pixels to determine the website visitors as a target group for the display of advertisements (so-called "Facebook ads"). Accordingly, we use them to display the Facebook ads placed by us only to those Facebook users who have also shown interest in our online offer or who have certain characteristics (e.g., interests in certain topics or products determined based on the websites visited) that we transmit to Facebook (so-called "Custom Audiences"). The aim is to ensure that our Facebook ads correspond to user interest and do not have a harassing effect. On the other hand, we can use pixels to track the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called "conversion").
Your actions are stored in one or more cookies. These cookies allow Facebook to match your user data (such as IP address, user ID) with your Facebook account data. The data that is collected is anonymous and not visible to us and can only be used in the context of advertisements. If you would like to prevent the linking with your Facebook account, you have the option to log out before taking any action.
We have entered into a contract with Facebook Ireland, nevertheless it may happen that Facebook Ireland transfers personal data to Facebook USA. Meta Platforms, Inc. has certified itself under the EU-U.S. Data Privacy Framework for the transfer of personal data from the EU to the United States. The European Commission has determined that there is an adequate level of protection for personal data transferred from the EU to a company in the United States certified under the EU-U.S. Data Privacy Framework. Consequently, the data transfer is permissible in accordance with Article 45 of the GDPR.
For further information, please refer to Facebook's data policy at https://en-gb.facebook.com/policy.php
For specific information on Facebook Pixels, please refer to https://en-gb.facebook.com/business/help/742478679120153?id=1205376682832142.
Legal basis: Art. 6 para. 1 lit. a GDPR
For specific information on Facebook Pixels, please refer to https://en-gb.facebook.com/business/help/742478679120153?id=1205376682832142.
Legal basis: Art. 6 para. 1 lit. a GDPR
10. GOOGLE SERVICES
We have signed a contract with Google Ireland Limited ("Google"), a company incorporated and operated under the laws of Ireland (registration number: 368047) with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland. Nevertheless, it may happen that data is transmitted from Europe to the USA, over which we as a company have no influence.
Google has certified itself under the EU-U.S. Data Privacy Framework for the transfer of personal data from the EU to the United States. The European Commission has determined that there is an adequate level of protection for personal data transferred from the EU to a company in the United States certified under the EU-U.S. Data Privacy Framework. Consequently, the data transfer is permissible in accordance with Article 45 of the GDPR.
Legal basis: Art 6 para 1 lit a GDPR
10.1. Google Ads Remarketing for Google Analytics
We have integrated Google Ads Remarketing on our website. This service enables us to display interest-based advertisements to website visitors. In doing so, the browser stores cookies that enable the website user to be recognised if the website user visits other websites that belong to the Google advertising network. There, the user can be shown advertising campaigns that relate to content that the user has previously accessed on other websites.
10.2. Google Analytics
We have integrated Google Analytics on our website, a web analysis service from Google, which enables us to analyse visitor flows and the length of stay on our website.
This website uses the function "Activation of IP anonymization" (i.e. Google Analytics has been extended by the code "gat._anonymize Ip();" to ensure anonymized collection of IP addresses (so-called IP masking)). This means that your IP address is shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
According to Google, Google will use the information obtained to evaluate your use of the website, to compile reports on website activity and to provide us with other services related to website and internet use. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. Google may, however, transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. You can prevent the storage of cookies by setting your browser software accordingly. However, we would like to point out that in this case you may not be able to use all the functions of the website to their full extent. Furthermore, you can prevent the collection of the data generated by the cookie and related to your use of the websites (including your anonymized IP address) by Google as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link (https://tools.google.com/dlpage/gaoptout?hl=en).
For more information on the terms of use and data protection, please visit https://marketingplatform.google.com/about/analytics/terms/us/ or https://support.google.com/analytics/answer/6004245?hl=en.
10.3. Google Analytics Conversion Tracking (Google Ads)
This website also uses Google Conversion Tracking. Google Ads sets a cookie on your computer if you have accessed our website via a Google advertisement. These cookies lose their validity after 30 days and are not used for personal identification. If the user visits certain pages of the Ads client's website and the cookie has not yet expired, Google and the client can recognize that the user clicked on the ad and was redirected to that page. Each Ads client receives a different cookie. Cookies can therefore not be tracked across Ads clients' websites. The information obtained using the conversion cookie is used to create conversion statistics for Ads clients who have opted into conversion tracking. Ads clients learn the total number of users who clicked on their ad and were redirected to a page tagged with a conversion tracking tag. However, they do not receive any information that personally identifies users. If you do not wish to participate in the tracking procedure, you can also refuse the setting of a cookie required for this - for example, via a browser setting that generally deactivates the automatic setting of cookies. You can also deactivate cookies for conversion tracking by setting your browser so that cookies from the domain "www.googleadservices.com" are blocked. Google's privacy policy can be found here.
When you use SSL search, Google's encrypted search feature, the search terms are usually not sent as part of the URL in the referring URL. However, there are some exceptions to this, for example if you are using certain fewer common browsers. For more information on SSL search, click here. Search queries or information in the referral URL could also be viewed through Google Analytics or an application programming interface (API). In addition, advertisers may receive information about the exact search terms that triggered a click on an ad. https://policies.google.com/faq?hl=en
10.4. Google Font
We use Google Fonts on our Website. To ensure a uniform and appealing display of the fonts and icons, your browser loads the required fonts into your browser cache. To do this, it is necessary for the browser you are using to contact the Google Fonts servers, which results in Google Fonts becoming aware that our website has been accessed via your IP address.
You can find out what data is collected by Google and what it is used for at https://policies.google.com/privacy?hl=en
10.5. Google Maps
On this website, we use the Google Maps service. This allows us to show you interactive maps directly on the website and enables you to use the map function conveniently. By visiting the website, Google receives the information that you have called up the corresponding sub-page of our website. In addition, the data already mentioned under the point "Informational use of the website" will be transmitted. This occurs regardless of whether Google provides a user account via which you are logged in or whether no user account exists. If you are logged in to Google, your data will be directly assigned to your account. If you do not want your data to be associated with your Google profile, you must log out before activating the button. Google stores your data as usage profiles and uses them for the purposes of advertising, market research and/or designing its website in line with requirements. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, and you must contact Google to exercise this right.
For more information on the purpose and scope of data collection and processing by the plug-in provider, please refer to the provider's privacy policy. There you will also find further information on your rights in this regard and setting options for protecting your privacy: https://policies.google.com/privacy?hl=en&gl=en.
10.6. Google ReCAPTCHA
We use Google's ReCAPTCHA service to determine whether a human or computer is making a particular entry in our contact or newsletter form. Google uses the following data to check whether you are a human or a computer: IP address of the terminal device used, the website you visit with us on which the captcha is embedded, the date and duration of the visit, the recognition data of the browser and operating system type used, Google account if you are logged in to Google, mouse movements on the ReCAPTCHA areas and tasks that require you to identify images.
10.7. Google Tag Manager
We use Google Tag Manager to recognise your user behaviour. The Google Tag Manager is a solution with which marketers can manage website tags via an interface. The tool itself processes the following personal data: IP address of the user. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. The Google Tag Manager can set cookies, at least in the preview and debug mode of the administrator, but also outside of it. If a deactivation has been made at domain or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager.
More detailed information is available here: https://support.google.com/tagmanager/?hl=en#topic=3441530
11. YOUTUBE
We operate a YouTube channel and have embedded YouTube videos on our website, which are hosted on http://www.YouTube.com. The operator of YouTube is YouTube, LLC, located at 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Ireland Limited, located at Gordon House, Barrow Street, Dublin 4, Ireland.
We use YouTube videos in the extended privacy mode. With this setting, YouTube does not store cookies when you access our website. A connection to YouTube servers is only established when you start playback of the embedded videos. YouTube uses cookies for data collection and statistical analysis. YouTube is informed about the pages you visit. If you are logged into YouTube, your data is directly associated with your account. YouTube uses your data for advertising and market research purposes.[MH4]
By using this service, there is a transfer of personal data to the USA, or such a transfer cannot be ruled out. Google has certified itself under the EU-U.S. Privacy Shield Framework for the transfer of personal data from the EU to the USA. The European Commission has determined that there is an adequate level of protection for personal data transferred from the EU to a company in the USA certified under the EU-U.S. Privacy Shield Framework, making data transfer in accordance with Article 45 of the GDPR permissible.
By consenting to the data processing by YouTube, you agree that YouTube may load additional cookies and services, particularly from Google.
For more informatIon about the privacy practices of "YouTube," please refer to the provider's privacy policy at: https://www.google.com/intl/en/policies/privacy/.
Legal basis: Art 6 para. 1 lit. a GDPR
12. YOUR RIGHTS
You have the following rights in relation to personal data relating to you:
- Right of access, right to rectification and erasure
- Right to restriction of processing
- Right to object to processing
- Right to data portability
- The right to object to automated individual decision-making, including profiling.
- The right to access personal data.
Please direct your enquiries and requests by E-Mail to info@designeroutletcroatia.com or contact us using the contact details provided.
If you believe that we have violated Croatian or European data protection law in the processing of your data and have thereby infringed your rights, please contact us so that we can clarify any issues.
You also have the right to complain to the supervisory authority, which is the Croatian Data Protection Authority:
Agencija za zaštitu osobnih podataka
13. CHANCES TO THIS PRIVACY POLICY
We reserve the right to modify this Privacy Policy at any time. Changes to this Privacy Policy will be published by us on this page. Please refer to the current version of our Privacy Policy in this regard.