Notice to individuals under Article 13 of the General Data Protection Regulation (GDPR) regarding the processing of personal data

 

The controller of your personal data in relation to the online Expar Online Platform https://expar.si/ as well as your other interactions with LINKING MAP d.o.o. is:

  • LINKING MAP, digitalne rešitve, d.o.o.
  • Šmartno v Rožni dolini 21A
  • 3201 Šmartno v Rožni dolini, Slovenia, Europe
  • Company reg. no.: 9114572000
  • VAT ID no.: SI 68836643
  • telephone number: +386 41 619 69
  • email: info@linking-map.com

(hereinafter: LINKING MAP d.o.o., controller or organization)

 

A Data Protection Officer has not yet been appointed by the controller, whereby all data related requests and inquiries can be forwarded to and can be contacted at info@linking-map.com.

 

Customers, services and sources of personal data

 

LINKING MAP, digitalne rešitve, d.o.o. provides its clients with the use of its https://expar.si/ platform (hereinafter referred to as the “customer” or “client“) through which both LINKING MAP d.o.o. and its clients may act as the sellers of products to customers, as the case may be.

If you wish to obtain information on how LINKING MAP d.o.o. processes personal data in the above-stated cases (i.e. as a data processor in connection with the provision of its services to its clients), please follow the dedicated policies or notices on the processing of personal data published on the relevant product subpage belonging to the respective client that is acting as the seller of the product.

 

Purpose, use and amendments to this document

 

This document describes the processing carried out by LINKING MAP d.o.o. in relation to the personal data of individuals (i.e. data subjects) who have entrusted their data directly to our organization (either in the course of buying products directly from us, communicating with us, signing up to our newsletter, etc.) (hereinafter referred to as “data subjects” or “individuals“). 

If you, as an individual, wish to obtain information about the processing of your data by one of our clients who had sold you their products on our platform, we advise you to contact the client directly (e.g. by emailing the relevant legal entity that had been listed as the seller of the product you had purchased on our platform).

The data on the individual client, as well as other information about its processing of your personal data in relation to our service, must always be available to you at the moment you share your personal data.  In accordance with the GDPR, the provision of this information as well as the responsibility for the processing that is carried out rests with the individual data controller (i.e. us, when you are buying products directly from us or the legal entity that had been listed as the seller of the product you had purchased on our platform).

Unless otherwise stated, the terms used in the GDPR regulation (e.g. personal data, processing, controller, processor, etc.) that appear in this notice shall have the same meaning as the terms used in the regulation. References in this notice may be updated from time to time to better reflect changes in data protection or for other operational and legal reasons.

If we make material changes to this notice, we will post an announcement on our website or within the service, or notify end users (individuals) by email.

  1. What data we process, what gives the right to do so and why we process such data

1.1. Review of databases and types of personal data, categories of data subjects, deadlines for deletion of personal data and purposes and types of processing

NAME OF THE PERSONAL DATABASE

LEGAL GROUNDS

TYPES OF DATA & CATEGORIES OF DATA SUBJECTS

DEADLINES FOR DELETION OF PERSONAL DATA**

PURPOSES OF PERSONAL DATA PROCESSING AND

TYPES OF PROCESSING*

Data associated with a registered user account

Contract (i.e. acceptance of our General Terms and Conditions)

Data on the individual who had registered a user account with one of our platforms, which includes the individual’s email address, name, surname or other data as the case may be and as is needed to maintain a users account.

Until the termination of the user account and another 6 years after the termination of the user account if the user account is tied to purchases on one of our platforms.

For the purposes of providing the user the services that are tied to the user account, whereby the data shall be stored on our servers and in our CRM systems, viewed, shared inside and outside of our organization, structured and processed in other relevant ways for achieving these purposes.

Data associated with a purchase on on the Expar platform, when we are acting as the seller of the product

Contract (i.e. acceptance of our General Terms and Conditions)

Data on the individual who had committed to the purchase of a product on one of our platforms which is either sold by us or one of our partners, but where we are in both cases acting (and are disclosed as) the seller of the product, whereby these data may include the individual’s email address, name, surname, address, billing details or other data as the case may be and as is needed to deliver the product to the individual.

10 years after the issuing of the relevant invoice (see the section “Data associated with the issuing of invoices/billing” below) (or in a limited scope even longer, if, for example, processing is necessary because there is a dispute between the individual and our organization, etc.).

Please note that this data shall not be deleted if our organization is obliged to keep such data after the termination of the contract (e.g if a high probability of fraud exists or other special cases apply, as described in section 2). 

For the purposes of providing/selling the user purchased product on the platform, the data shall be stored on our servers and in our CRM systems, viewed, shared inside and outside of our organization, structured and processed in other relevant ways for achieving these purposes.

 

The data may also be shared with our partners (namely the legal entity  who you are staying with as a tourist/visitor/guest at the moment when committing to the purchase) so that this entity may deliver you the products. 

 

For a list of all such partners, please contact us at info@linking-map.com.

Data associated with the contract for using our Expar service 

Contract 

 

Data on the authorized person of the client or representative who had concluded/negotiated for the conclusion of a contract with our organization (such as his email address, password, first name, last name) as well as the relevant business data (company name, pricing package, special usage requirements).

Until the termination of the contract and another 6 years after the termination of the contract (or in a limited scope even longer, if, for example, processing is necessary because there is a dispute between the individual and our organization, etc.).

Please note that this data shall not be deleted if our organization is obliged to keep such data after the termination of the contract (e.g if a high probability of fraud exists or other special cases apply, as described in section 2). 

For the purposes of concluding / negotiating the conclusion of the contract, whereby the data shall be stored on our servers and in our CRM systems, viewed, shared inside and outside of our organization, structured and processed in other relevant ways for achieving these purposes.

Data associated with the issuing of invoices/billing

Fulfilling our legal obligations.

Data on the authorized person of a client who has a registered account for the use of our services (such as his email address, password, first name, last name) as well as the relevant account data (company name, pricing package, special usage requirements).

We are legally required to store these data for a period of 10 years.

Please note that this data shall not be deleted if our organization is obliged to keep such data after the termination of the contract (e.g. archiving data on issued invoices), as is described in more detail under points 1.3. and 2. of this notice. 

For the purposes of issuing invoices/billing on the basis of a concluded contract whereby the data shall be stored on our servers and in our CRM systems, viewed, shared inside and outside of our organization, structured and processed in other relevant ways for achieving these purposes.

Data associated with the use of the Expar service by our client and that is required for offering support services

 

Contractual.

Data on the authorized person of a client who has a registered account for the use of our services (such as his email address, password, first name, last name) as well as other account data (previous projects, open tickets, support messages, system errors, log data, usage analytics, other messaging data).

 

Until the termination of the contract or earlier, if a deletion request is received. 

Please note that this data shall not be deleted if our organization is obliged to keep such data after the termination of the contract (e.g if a high probability of fraud exists or other special cases apply, as described in section 2).

Data that is tied to the client’s account is usually automatically processed by the backup systems of the service for normal use of the service (i.e., based on the concluded contract at the first login with the registered account data). This type of processing generally involves collecting, storing on our/third party servers, and making the data available both inside and outside of our organization.

Data an individuals who communicate with our organization via our email addresses and other communication channels

Negotiations for the conclusion of a contract.

The name and/or surname of the individual who communicates with our organization as well his email address and possibly his phone number and any other personal data that is disclosed in such communications.

Until we receive  the opt-out request or data deletion request of such individuals or until 6 years have elapsed since the last communication.

*Individuals can always opt-out via the provided link or request the deletion of their data by sending their request to the official email address of our organization: info@linking-map.com.

Based on negotiations for the conclusion of a contract (i.e., obtaining information about or ordering a service or other voluntary communication of the individual with our organization), whereby our organization shall process the data in ways that are logically related to negotiations regarding the conclusion of a contract or the preparation of a response (e.g., storage in the system for sending electronic messages for response purposes and possible further communication, data storage in our organization’s archives, etc.).

Sending emails to individuals from companies who are our prior clients 

Legitimate interest.

Email addresses of individuals from companies that had been our clients in the past.

Until we receive  the opt-out request or data deletion request of such individuals or until 6 years have elapsed since the last communication.

*Individuals can always opt-out via the provided link or request the deletion of their data by sending their request to the official email address of our organization: info@linking-map.com.

The E-privacy Directive and consequently our legitimate interests allow us to send personalized electronic messages with customized marketing content (e.g., in the form of e-newsletters) to prior customers, whereby we may store and use these data in our system for sending electronic messages exclusively for the purpose of providing information, advice, and other useful data regarding our services.

**IIn certain cases, based on its legitimate interests and unless otherwise stated above or elsewhere in this notice, our organisation reserves the right to store certain data beyond the stated period, as stated-above and in section 2 of this notice, whereby our organization will, in all such cases, limit data storage to the data that are essential for pursuing such legitimate interests. Individuals can always request the deletion of data by sending their request to our official email address: info@linking-map.com. In connection with the above-stated purposes (e.g., where data storage is listed), the data shall be transferred for processing to our organization’s contractual partners (subprocessors), which are listed in section 3.3. of this notice. Subprocessors shall process data only in connection with the performance of tasks assigned to them and are directly related to the pursued purposes.

 

1.2.  The legal basis for the processing of personal data may lie in the fulfillment of a concluded contract or in negotiations for the conclusion of a contract

 

We may process personal data of individuals on the basis of a concluded contract (e.g., the conclusion of a contract for the use of our services) or negotiations for the conclusion of a contract (e.g., when an individual contacts our organization through our official communication channels and wants to obtain more information about our services). 

In the described cases, you provide us with personal data as part of a contractual obligation or as part of negotiations for the conclusion of a contract, whereby we consequently do not need your explicit consent for the above-mentioned processing of your personal data. In principle, you will not suffer any serious negative consequences in situations where we would otherwise need your personal data to perform our services and you do not provide us with these data. However, such situations can significantly complicate or even prevent the execution of ordered services or our cooperation, and you will be informed in advance or subsequently in these cases.

1.3. The legal basis for the processing of your data may also be set out in legislation

Our organization may also process personal data for the purposes of fulfilling legal and other lawful obligations, especially those governing taxes and accounting requirements (e.g., records of issued and received invoices, etc.), for example: when an inspector or another holder of public authority orders our organization to entrust him with personal data of a certain customer/visitor in accordance with the law (for example, in the context of conducting inspection supervision under the provisions of the applicable law, when our organization processes personal data of a customer to whom it has issued an invoice, our organization processes this invoice and customer data (e.g., personal name, contact details, etc.) on the basis of the applicable tax laws and regulations (see Chapter 3.2.), etc.

 

1.4. Based on our legitimate interests

We are also allowed to process certain personal data for the purposes of safeguarding our own legitimate interests. Such cases may arise, for example, when the processing of your data would be necessary from the perspective of administrative, criminal, or civil proceedings (e.g., when our organization would have to submit a database as evidence in a procedure, otherwise our organization would suffer a penalty or severe and irreparable damage), in which case we will always process only those data that are absolutely necessary to pursue such legitimate goals. OUR organization is also allowed to process the personal data of an individual in cases where the processing is necessary to protect the vital interests of the individual (e.g., looking up the address of an individual who is facing an immediate and serious life-threatening danger).

1.5. Based on prior consent 

Interacting with us and the use of our services is generally not conditional on you agreeing to the processing of your personal data.

However, we can also process your personal data based on your explicit consent. An individual’s explicit consent is considered as his voluntary declaration of will by which he agrees to the processing of certain personal data for a certain purpose, (e.g., when you consent to receiving our newsletter or other commercial messages), whereby in such cases we process those data that are indicated in the relevant section of the table from point 1, where consent is indicated as the legal basis for processing.

Receiving such communication can be stopped at any time by following the link contained in every newsletter/commercial email message or by contacting us at info@linking-map.com.

Based on your consent, our online advertising can also be performed, provided that you have agreed to the installation of optional (advertising) cookies and tracking pixels of our advertising partners when visiting our website (e.g., installation of the Google Analytics cookie, which enables us to advertise our services more easily on other websites, etc.). A detailed list of optional cookies from our advertising partners, the data we process with them, and the retention periods of these data is defined on the “Cookies” page.

Our organization provides each individual with the right to withdraw his explicit consent at any time in a simple way, by contacting us at any time at info@linking-map.com.

The withdrawal of consent does not affect the legality of the processing that was carried out on the basis of consent until the moment of withdrawal.

If you do not give consent for the processing of personal data, give consent partially or withdraw consent (partially), we will, if possible, cooperate with you only to the extent of the given consent or in ways permitted by applicable law.

Consent is voluntary and if you decide not to give it or later withdraw it, this in no case infringes on your other rights or represents additional costs or aggravating circumstances for you.

2. How long do we store or process your personal data?

The retention period of personal data depends on the basis and purpose of processing each category of personal data. Personal data is usually stored as long as necessary to fulfill the purpose for which the data was collected, or until some regulation requires us to keep it, after which it is deleted.

If the retention period of individual data is not more precisely defined in the table in Chapter 1, the following applies:

  • we keep the personal data of clients on invoices for another 10 years after issuing the invoice, as this is a duty imposed on our organization by applicable tax laws,
  • based on the concluded contract for the use of our services, data is processed for the duration of the contract, or for another 6 years after the termination of the contract (or in a limited scope even longer, if, for example, processing is necessary because there is a dispute between the individual and our organization, etc.),
  • we keep account data until we receive a request for data deletion (or until these data are deleted by the users themselves / or the client terminates the contract),
  • we keep data about an individual who communicates with our organization via email addresses and other communication channels available on the website until we receive an opt-out or data deletion request from such individual or until 6 years have elapsed from the last communication,
  • based on the explicit consent to receive our newsletters/commercial communication or our legitimate interest for advertising to people who are already our clients, we keep the data until such person withdraws his consent. 

Our organization may retain data for another 15 days after the expiration of the said retention period with the aim of being able to destroy the stored data from all data carriers and servers during this period.

An individual can always request the deletion of data by sending their request to our organization’s official email address: info@linking-map.com.

3. Who processes your personal data?

3.1. Certain employees that work for our organization

Your personal data is processed by those employees in our organization who need the data in order to perform their work. All employees are bound by confidentiality and are required to protect your personal data.

 

3.2. Government bodies 

 

In certain cases, as prescribed by applicable legislation, our organization must also provide or report your personal data to the competent state authorities, as well as to authorities that are, for example, competent for financial, tax or other supervision (e.g., the Information Commissioner’s Office of the Republic of Slovenia, etc.). In certain cases, our organization is obliged to provide data to third parties, if such an obligation to provide or disclose is imposed on our organization by law or the legal entitlement of a third party.

 

3.3. Contractual Processing of Personal Data

In addition to the employees in our organization, the users of personal data can also be employed persons of contractual processors of our organization, who can process personal data as confidential exclusively on behalf of our organization and within the limits of the contract on external processing of personal data, which our organization has concluded with each such processor. Contractual processors may only process personal data within the instructions of our organization (i.e., the contract), and they may not use the data to pursue any of their own interests.

 

The contractual processors our organization engages that might come into contact with your personal data are:

 

  • Guest houses, hotels, Airbnb operators and other partners that we cooperate with in providing the Expar service (e.g. entities where you are staying at as a guest / visitor and where you scanned the QR code to purchase a product from us)
  • individuals who collaborate with us based on other contractual or authorship contracts (support, development of the service, etc.). For a list of all such partners, please contact us at info@linking-map.com.
  • our hosting provider (see Chapter 3.4.),
  • our external bookkeeping/accounting service provider,
  • our external tool for sending emails and other messages,
  • our external IT system maintenance provider.

Our organization will not disclose your personal data to third unauthorized persons.

If you would like to obtain an exact list of all contractual subprocessors of our organization, you can write to us at info@linking-map.com.

3.4. Hosting Provider 

 

The hosting of our service and the storage of data contained therein is provided by the contractual processor Alphabet Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA, whereby its servers are located in Frankfurt. 

 

3.5. Transfer of Personal Data to Third Countries and International Organizations and Measures to Protect Transferred Data 

Our organization does not generally export personal data to third countries (i.e., outside the European Union, Iceland, Norway and Liechtenstein, i.e., the EEA) and international organizations.

An exception to this are occasional transfers of some technical and personal data to the servers of the above-mentioned hosting or API providers or other processors, whose headquarters or servers are located in the USA (e.g., automatic transfer of some data collected by cookies and tracking pixels of Alphabet Inc. or Meta Platforms Inc., input of email addresses into the tool for sending commercial messages, etc.), whereby the relevant contractual processors are former members of the Privacy Shield program (https://www.privacyshield.gov/) and after July 12, 2020, respect and have adopted security measures regarding receipt or transfer of data (namely Standard Contractual Clauses) or have duly undergone and achieved full self-certification in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (i.e. the new EU-USA data transfer framework as per the stated adequacy decision from the 10th of July 2023).

 

An exception to the above are also cases of hosting data from our services, as our services may use application programming interfaces and hosting provided by Google Cloud Platform service, i.e., Alphabet Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. Part of the services also benefits from the security and other services of the AWS platform, i.e., Amazon Web Services, LLC., 410 Terry Avenue North Seattle, WA 98109, United States.

The translated content of the above list as well as more detailed information about the categories of users and contractual data processors can be obtained by sending a request in connection with this to the email address: info@linking-map.com.

 

4. Processing of special category personal data

Exceptional circumstances or situations may mean that our organization is forced to process special category of personal data (e.g., when verifying your identity in accordance with AML and KYC requirements etc.). 

Special categories of personal data may also include other data that directly or indirectly reveal your political opinion, religious or philosophical belief, or trade union membership, genetic data, biometric data for the purposes of unique identification, and data related to an individual’s sexual life or sexual orientation.

If such situations should arise, we shall take necessary steps to protect special category personal data as required under the GDPR.

 

5. What are your rights regarding your personal data and how can you exercise them?

In relation to this personal data processing notice or the processing of your personal data by our organization and our contractual processors, you can contact us at any time and without any reservations via the email address info@linking-map.com. You can also use the mentioned address to send your requests and exercise other rights related to personal data and GDPR regulation.

As an individual to whom the personal data refers, the GDPR regulation provides you with the opportunity to exercise the following rights with our organization: 

Right to be Informed: Individuals have the right to be informed about the collection and use of their personal data. 

Right of Access: Individuals have the right to access their personal data and obtain information about how it is being processed, as well as a copy of the data itself. 

Right to Erasure (Right to be Forgotten): Individuals have the right to request the deletion of their personal data in specific circumstances. 

Right to Withdraw Consent: If personal data processing is based on consent, individuals have the right to withdraw their consent at any time and without any detriment.

Right to Rectification: Individuals have the right to request the correction of inaccurate or incomplete personal data. If the data has been shared with third parties, our organizations must inform those parties of the rectification, if possible.

Right to Restrict Processing: Individuals have the right to request the restriction of processing of their personal data. This right applies in certain cases, such as when the accuracy of the data is contested or the individual has objected to the processing.

Right to Data Portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format in certain cases. They can also request that their data be transmitted to another controller if the processing is based on consent or a contract and where the processing is carried out by automated means.

Right to Object: Individuals have the right to object to the processing of their personal data based on legitimate interests or public interest/exercise of official authority. Our organization must cease such  processing unless it can demonstrate compelling legitimate grounds that override the individual’s interests, rights, and freedoms.

Rights in Relation to Automated Decision Making and Profiling: Individuals have the right not to be subject to solely automated decisions, including profiling, which significantly affects them. They have the right to obtain human intervention, express their point of view and challenge the decision.

Right to lodge a complaint with a supervisory authority: If you believe that the processing of personal data performed in connection with you by our organization violates personal data protection regulations, you may, without prejudice to any other (administrative or other) remedy, lodge a complaint with the a supervisory authority, in particular in the country where you have your habitual residence, your place of work or where the infringement is alleged to have taken place. In Slovenia the relevant authority is:

 

Informacijski pooblaščenec, Dunajska 22, 1000 Ljubljana, Slovenia, email: gp.ip@ip-rs.com, phone: +38612309730, website: www.ip-rs.com.

 

A list of other EU supervisory authorities and their contact information can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en#.

 

6. Existence of automated decision making and profiling

The service does not include automated decision making or profiling based on your personal data.

 

7. Processing of personal data of persons under 15 years of age 

Our organization does not knowingly collect or otherwise process personal data of persons under 15 years of age. 

If our organization subsequently finds out that it has processed the personal data of such a person without the consent of his parent or guardian, our organization shall do everything necessary to delete all provided personal data.

At the address info@linking-map.com, the above-described persons or their parents or guardians shall be able to submit their requests for the deletion of the data concerned at any time.

 

8. Who can you contact for further clarification regarding the processing of personal data in our organization and regarding your rights?

 

You can limit or withdraw your consent for the processing of data at any time by contacting our organization as a processor of your personal data at:

9. Protection of personal data

Our organization carefully stores and protects personal data through organizational, technical and logical procedures and measures to protect the data from accidental or intentional unauthorized access, destruction, alteration or loss, and unauthorized disclosure or other form of processing to which you have not expressly consented to.

To this end, our organization has also adopted appropriate internal processes and set up various measures (e.g. assigning, using and changing passwords, locking premises, offices, server and workstation locations, regularly updating software and upgrading security-critical components, physically protection of material containing personal data in specially designated places, training of employees, etc.). Our organization also demands these security commitments from its contractual processors.

 

10. Version and date of the last update of this notice

The text of this notice represents version 1.0 of this document. 

 

This notice was last updated on February 13, 2024.