Personal data is information that directly or indirectly relates to, or can be used to identify, you. The legal basis governing data protection and the conditions for processing your data is the Personal Data Protection Act ('Official Gazette of the RS', no. 87/2018).

IDENTITY.PLUS COMPANY FOR PRODUCTION AND TRADE OF CLOTHING LTD BELGRADE (STARI GRAD), Skender begova 3A, 11000 Belgrade (hereinafter IDENTITY.PLUSAs the data controller, before collecting and processing personal data in accordance with Article 23 of the Personal Data Protection Act, hereby informs of the conditions for the collection and processing of personal data.

 

Information We Collect

 

Public data

You may visit and use our website without revealing your identity or any other data related to it. When visiting our website, taking into account the nature of the Internet, data is collected that records users, but it is not sufficient on its own to identify a specific person and represents statistical indicators used to improve the quality of the website. Such information may include the name of the internet browser, number of visits, average time spent on the page, type of computer and technical information about the connection the user uses when visiting the website, such as the operating system and internet service provider, the IP (Internet Protocol) address assigned by providers which is different for each internet user, as well as similar information.

 

Personal data

What types of personal data do we use?

1. Personal data: for contact such as name, surname, address, email, telephone number
2. BUSINESS CONTACT DETAILS: such as the business entity's address, business e-mail
3. Sensitive personal data: gender, date of birth, date of birth
4. Contract details: such as the content of the business cooperation agreement
5. PAYMENT INFORMATION: such as current account number, claims for damages, payment of contractual obligations

Purpose of data processing/legal basis:

1. For the provision of services: for the delivery of goods purchased from us via lilushoes.com For online stores, we need your contact details in order to deliver the goods to your desired address.;
2. Handling requests – resolving complaints and remarks: we endeavour to resolve them appropriately in accordance with the Law. In order to have sufficient information to carry out this procedure and make a proper decision, as well as to provide feedback regarding the complaint, we need to collect certain data about you. Also, if you wish to receive a refund, it will be necessary to complete the prescribed form – the so-called NI form – into which your JMBG is entered, as required by applicable regulations.
3. Contractual negotiation – to conclude a contract, we need to verify that the person with whom we are entering into a contractual relationship is authorised to do so. The same applies to the performance of specific contractual provisions by the individuals designated for that purpose. Sometimes it is necessary to verify the identity of these individuals to ensure we are acting correctly. We undertake these activities for the purposes of processing the contract we have entered into with you, in order to fulfil our legal obligations.
4. Offers Notice – if you have signed up to receive occasional notifications about promotions and other benefits, you have shared some of your data with us which we can use to send these notifications – for as long as you wish.
5. We take security measures – such as CCTV cameras – and have access to security data about our office premises to ensure that our staff, visiting customers, and property are protected.

IDENTITY.PLUS processes certain personal data which are considered to be
of a sensitive nature for the purpose of fulfilling our obligations in the manner and to the extent prescribed by law:

• Information about your health condition, including records of your absence from work due to health reasons; medical documentation, doctor's findings, etc., for the processing of any claims for damages that occurred in our retail outlet or business premises. We will not record your data from your health record, except when strictly necessary. It is possible that this data will be forwarded to our insurance company for the purpose of processing your claim for damages. In the event that you initiate legal proceedings against us, the relevant data may be submitted to the competent court for inspection during the proceedings.

Who has access to your personal data?

We share your personal data with the following parties:

• to third parties acting on our behalf (processors). In these cases, such third parties may use your personal data exclusively for the purposes stated above and solely in accordance with our instructions;
• Collaborators in sectors dealing with the above-mentioned services may have access to your personal data, but only when it is strictly necessary for them to perform their work duties, and when the collaborator is obliged to maintain the confidentiality of the information.;
• Insurance companies providing services to a commercial entity IDENTITY.PLUS and associates
• Third parties responsible for storing your personal data, independently of IDENTITY.PLUS (to external parties involved, independent auditors, lawyers, tax advisors, etc.)
• If required by law or court order, for example, law enforcement agencies or other government bodies.

How long do we keep your personal data?

We store your personal data for a certain period while it's needed for the purpose of processing, after which we delete it or disable access – it becomes anonymous.

The criteria used to determine the data retention period are:

• The duration of your contractual relationship;
• As long as we have established relations with you.;
• According to the legal conditions applicable to us.

 

Website Visit Data Processing

When using certain functionalities (applications, requests) on our website, in the contact form, for purchase or sale quotes, for receiving news, information, and promotions… IDENTITY.PLUS processes your personal data (personal identity details and contact information) only if you have voluntarily provided them on our website for the use of our services and products. This personal data may include first name, last name, email, phone number and/or other contact information and will be used in accordance with the privacy policy and the purpose for which you left it.

Purpose of data processing / legal basis: When visiting our website, the browser used on your device will automatically and without your action send to our website's server:

• The IP address of the device from which the query was sent and which has internet access.,
• Date and time of access,
• Filename and URL of downloaded file,
• Internet page/application accessed from (referrer URL),
• the browser you use and, if necessary, the computer's operating system that supports the internet, as well as the name of your provider.

The server temporarily stores the provided data in a so-called log file for the following purposes:

• ensuring the establishment of a seamless connection,
• ensuring the comfortable use of our website/application,
• Assessment of the system's safety and stability.

The legal basis for processing the IP address is Article 12, paragraph 1, point 6) of the Law on Personal Data Protection (legitimate interest). Our legitimate interest arises from the aforementioned purpose of data processing.

Recipients / categories of recipients: Generally, we do not pass this data on to third parties.

Data retention period / criteria for determining data retention period: Data is stored temporarily during the website visit and is then automatically deleted. After you leave our website, the geolocation data is deleted.

Cookies: On our website, we use so-called cookies in accordance with Article 12, Paragraph 1, Point 6 of the Data Protection Act (legitimate interest). We consider the interest in optimising our website to be justified within the meaning of the aforementioned provision. Cookies are small files that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not harm your device and do not contain viruses, Trojans, or other malicious software. Cookies store information related to the device you are using. However, this does not mean that we are aware of your identity. On the one hand, the use of cookies serves to make your visit to the website more pleasant. For example, we use so-called session cookies to recognise that you have already visited certain parts of our site or that you are already logged into your user account. These are automatically deleted when you leave our website. In addition, we also use temporary cookies that are stored on your device for a certain period of time. When you visit our website again, it is automatically recognised that you have already been on the page and what settings you have made, so you will not have to repeat these actions.

On the other hand, we use cookies to statistically record the use of our website, with the aim of optimising our offerings and displaying information tailored to your interests. These cookies allow us to automatically recognise you when you revisit our website. These cookies are automatically deleted after a certain period. Most browsers automatically accept cookies. However, you can set up your browser so that cookies are not stored on your computer or so that a message always appears before a new cookie is created. However, completely disabling cookies may mean that you cannot use all the functions of our website.

 

DATA PROCESSING FOR SECURITY REASONS (VIDEO SURVEILLANCE)

Purpose of data processing / legal basis: We process your data through video surveillance that we have introduced in our shops and business premises for your and our protection, based on a legitimate interest for the purpose of protecting property, employees, customers and visitors, and particularly for protection against the following identified risks:

• unauthorised access to areas and premises;
• carrying out, or alienation and unauthorised use of protected items;
• introduction of weapons, explosives, radioactive and other dangerous items and substances;
• diversions and violent attack on an object or seizure of property;
• unauthorised access to data and documentation; and
• Money transport vehicle protection and other means of transport.

The legal basis for processing data via video surveillance is Articles 29 and 30 of the Private Security Act.

Recipients / categories of recipients: Videos will not be published publicly or disclosed to third parties, except where it constitutes our legal obligation or authorisation. Access to the videos will be granted to our partner providing private security services, i.e., the entity responsible for the physical and technical security of our stores. Additionally, for the purpose of maintaining the video surveillance system, we have engaged a service technician who may have access to the videos solely for the purpose of ensuring its functionality.

Retention period / criteria for determining data retention period: Video recordings are kept for 30 days. Copies of video recordings are kept for longer than 30 days in certain situations (legal proceedings). Video recordings that are no longer needed are deleted without delay (conclusion of legal proceedings).

 

PROCESSING OF DATA PROVIDED TO US VIA EMAIL

Purpose of data processing / legal basis: We naturally treat the personal data that you provide to us via the contact form, by telephone or by e-mail, as confidential. We process your data exclusively in accordance with the stated purpose, in order to respond to your enquiry. The legal basis for data processing is Article 12, Paragraph 1, Point 6 of the Act on the Protection of Personal Data (legitimate interest). Our, and at the same time your, (legitimate) interest in such data processing arises from the need to answer your questions, if it is necessary to resolve existing problems, and thereby ensure your satisfaction as our customer or as a user of our website.

If you participate in any of our surveys, such participation is voluntary. For anonymous surveys, we do not store data that would allow us to identify who the survey participant is. We only store the date and time of your participation. Any personal data you have provided to us through a survey is considered voluntarily given and is stored in accordance with the provisions of the Law on Personal Data Protection. Please do not enter names or similar details into free fields, which would allow us to identify who it is, whether it is about you or other individuals. In the event that you have given consent for the survey to be conducted, the legal basis for data processing is based on your consent in accordance with Article 12, paragraph 1, item 1) of the Law on Personal Data Protection. In that case, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal. Details regarding data processing in relation to surveys are regulated by the data protection rules of each individual survey.

Recipients / categories of recipients: We generally do not transfer data to third parties. Exceptionally, data will be processed by our partners (processors) on our behalf. All our partners have been selected very carefully and are contractually obliged to keep personal data confidential, in accordance with Article 45 of the Law on Personal Data Protection.

Furthermore, in some cases, it becomes necessary for us to forward your queries to other contractual partners (e.g., suppliers for product-related queries) so that they can process them. In such cases, the query is anonymised beforehand, so that it cannot be determined who it concerns. If there is a need to transfer your personal data in a specific case, we will notify you in advance and ask for your consent.

The results of our surveys are generally used only for our own purposes. We generally do not pass this data on to third parties, unless you have given us your express consent to do so.

Data retention period / criteria for determining data retention period: All personal data you provide us when asking a question (suggestions, praise or criticism) through this website or via e-mail, will be deleted or anonymised no later than 90 days after the final answer is given. Our experience has shown that follow-up questions regarding our answer usually do not appear after 90 days.

 

Processing of data for advertising purposes

Purpose of data processing / legal basis: With your consent, we record your behaviour as a user of our website and newsletter. Tracking user behaviour primarily involves data on the sections you have visited and the links you have used. In this way, we create personalised user profiles with your personal data and/or data about your e-mail address in order to better tailor our communications in the form of newsletters, on-site advertising and printed materials to your personal interests, thereby improving our offering.

The legal basis for the aforementioned processing of data is Article 12, paragraph 1, point 6) of the Personal Data Protection Act (legitimate interest) or Article 12, paragraph 1, point 1) of the Personal Data Protection Act (consent). The processing of customer data for our own advertising purposes or for the advertising needs of third parties is considered a legitimate interest.

Right to object: You may object to the processing of your data for the purposes mentioned above at any time and free of charge via any communication channel. Once you have objected, we will no longer process your data, although the objection does not affect processing that took place on the basis of your consent prior to the objection. For this purpose, it is sufficient to send an email or a letter by post to our contact address.

Recipients / categories of recipients: Generally, we do not pass this data on to third parties.

Retention period / criteria for determining the retention period of data: If you withdraw your consent for personalised advertising or do not agree with certain promotional activities, we will delete your data from the relevant mailing list. If you object, your contact details will be blocked from further processing for advertising purposes. Please note that in exceptional cases, it may be possible for a single piece of promotional material to be sent after we have received your objection. This is a technical consequence of the time required to prepare the promotional material and does not mean that we are not complying with your objection. Thank you for your understanding.

 

Data processing for newsletter sign-up

Purpose of data processing / legal basis: You have the option to subscribe to our newsletter on our website. If you have agreed to receive our newsletter, we will use your email address and potentially your name to send you information about products, promotions, prize draws/competitions, news, and shop offers. We store and process this data for the purpose of sending the newsletter.

The newsletter content includes offers (deals, promotions, prize draws, etc.) as well as products that are on lilushoes.com

With your consent, we record your behaviour as a user of our website. lilushoes.com and newsletters. The assessment of user behaviour primarily involves data about the sections you linger on and the links you use there. In this way, we create personalised user profiles with your personal data and/or your email address in order to enable the creation of an advertising offer by IDENTITY.PLUS in the form of a newsletter and printed materials, tailored to your personal interests and thereby improve our offer.

The legal basis for processing data when sending the newsletter is your consent in accordance with Article 12, paragraph 1, point 1) of the Personal Data Protection Act.

To ensure that no error has occurred when entering your email address, we use the so-called double-opt-in procedure. When you enter your email address in the registration field, we will send you a confirmation link. Only when you click this confirmation will your email address be added to our mailing list.

You can withdraw your consent to receive newsletters or the creation of personalised user profiles at any time. Withdrawing your consent does not affect the lawfulness of processing that was carried out on the basis of your consent before its withdrawal. You can do this, for example, by unsubscribing from our mailing list on our website. You will find the unsubscribe link at the bottom of every newsletter. If you withdraw your consent, we will delete your data.

Recipients / categories of recipients: If we have engaged external partners for the dispatch of the newsletter, they are contractually bound in accordance with Article 45 of the Personal Data Protection Act. Any further disclosure of data to third parties is excluded.

Retention period / criteria for determining the retention period of data: If you withdraw your consent for our newsletter, we will delete your data from the relevant mailing list for sending the newsletter.

 

BUSINESS PARTNER DATA PROCESSING

The following notes on data processing apply to you if you have contacted us, are in negotiations with us for the conclusion of a contract and/or already have a contract with us, and if personal data is processed in this regard. Which data is processed in a particular case depends primarily on the services agreed. For this reason, not all sections of this chapter will be relevant to you.

How do we collect your data and what categories of data do we process?

We generally collect data directly from you.

However, we can also collect data from other companies, government bodies, or third parties, e.g. credit bureaus, tax authorities, etc. In addition, we can collect personal data through our reporting systems on possible violations of laws or internal guidelines.

The following personal data can be processed: personal data (e.g. full name, address and other contact details, date and place of birth, as well as nationality), identification and authentication data (e.g. extract from the commercial register, ID card details, specimen signature), data relating to our business relationship (e.g. payment data, order data), creditworthiness data, company structure and ownership structure data, photographs and video recordings (e.g. during delivery of goods), as well as other data similar to the categories of data mentioned above.

Purpose and legal basis of data processing

Processing for the fulfilment of contractual obligations (Article 12, paragraph 1, point 2) of the Personal Data Protection Act

Data is processed for the purpose of preparing the conclusion of a contract, which precedes the contractual relationship, as well as for the purpose of fulfilling obligations after the contract has been concluded.

Processing for the purpose of fulfilling a legal obligation (Article 12, paragraph 1, point 3) of the Personal Data Protection Act

The purpose of data processing arises, depending on the individual case, from legal provisions. For example, data is processed for the purpose of fulfilling record-keeping obligations and for identification, e.g. under money laundering regulations, for tax control, and for the reporting and processing of data in response to enquiries from government authorities.

Processing for the purpose of pursuing legitimate interests (Article 12(1)(f) of the Personal Data Protection Act)

It may be necessary for the personal data you have made available to be processed for purposes that go beyond the original fulfilment of the contract. Our legitimate interests for such processing are the selection of a suitable business partner, compliance with legal requirements, addressing claims of liability, access control, clarifying potential breaches, preventing criminal offences and processing damages arising from the contractual relationship.

In the event of a contract being concluded, for the purpose of fulfilling the legitimate interests stated above, we collect data about your creditworthiness from a credit reference agency in individual cases. We process the creditworthiness data we have received from the credit reference agency in order to check your creditworthiness. The credit bureau stores data which it receives, for example, from banks or companies. This data primarily includes your surname, first name, date of birth, addresses and information on your payment history. You can obtain information about the data stored about you directly from the credit bureau.

Who has access to your data?

Within our company, only those departments that require the data you have provided us with to fulfil contractual or legal obligations, or for the purpose of pursuing legitimate interests, have access to it. Within the framework of the contractual relationship, we also engage other service providers who may be granted access to your personal data. Compliance with data protection regulations is ensured by contract in these cases.

How long do we keep your data?

We retain personal data for as long as is necessary to fulfil the purposes stated above. In doing so, we take into account legal retention obligations, for example the statutory 5-year period in accordance with the Accounting Act.

Are you obliged to provide us with your data?

As part of our business relationship, you are required to provide us with the personal data that is necessary for the initiation, performance and termination of the contractual relationship and for fulfilling the obligations associated with it, as well as for the collection of which we have a legal obligation or a right based on legitimate interests. Without this information, as a rule, we will not be able to enter into a business relationship with you.

What rights do you have as a data subject?

You have the right to receive information about your data that we process, upon request and free of charge. Furthermore, in accordance with legal provisions, you have the right to rectification and erasure of your data, the right to data portability, as well as the right to restrict processing. If we process your personal data based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out based on consent before its withdrawal. In the aforementioned cases, please contact us in writing or by email at the address of our Data Protection Officer listed below. Additionally, if you do not agree with the processing of your personal data, you have the option to lodge a complaint with the state authority (Commissioner for Information of Public Importance and Personal Data Protection).

Responsible person (operator)

The person responsible for processing your data, i.e. the data controller, is IDENTITY.PLUS COMPANY FOR PRODUCTION AND TRADE OF CLOTHING LTD BELGRADE (STARI GRAD), Skender begova 3A, 11000 Belgrade, MB: 20009659, GVA 103731893, Telephone: +381 60 3262 653, E-mail: sales@lilushoes.com. You also have our Data Protection Officer at your disposal at the following address: IDENTITY.PLUS COMPANY FOR PRODUCTION AND TRADE OF CLOTHING LTD BELGRADE (STARI GRAD), Skender begova 3A, 11000 Belgrade, Serbia.

 

Processing of data on social networks

The operator of a particular social media platform is also partly responsible for the processing of your data. Furthermore, in some cases, we are also the platform operator, and in that respect, there is joint responsibility in accordance with Article 43 of the Act. IDENTITY.PLUS, manages the following social media pages:

• Facebook: Facebook page
• Instagram Instagram page

 

1. Operator's responsibility

We only have limited influence over the processing of data by social media platform operators (e.g. member administration and information sharing). Where we can influence and set parameters for the processing of your data so that the social media platform operator acts in compliance with data protection, we take all measures available to us. However, in many cases we cannot influence the operator's data processing, nor do we know exactly what data the operator processes.

The platform operator manages the entire IT infrastructure of the service, adheres to their own data protection rules, and has a special user relationship with you (if you are a registered user of the social media service). Additionally, the operator is solely responsible for all matters relating to your user profile data, which we as a company do not have access to.

More detailed information about data processing by social media platform operators and about the possibilities of objection can be found in their data protection policies:

• Facebook: https://www.facebook.com/privacy/explanatios
• Instagram https://help.instagram.com/519522125107875

 

2. Our responsibility

a) Purpose / legal basis for data processing:

On our social media pages, we process your data for the purposes of informing consumers about offers, products, services, promotions, prize draws, important information, company news, for the purpose of interacting with social media visitors, and for the purpose of responding to questions, praise, and criticisms.

We reserve the right to delete content where necessary. Additionally, we will share your data or content on our page if it serves the function of a social networking platform. We also process your data for the purpose of communicating with you.

The legal basis for processing your data is Article 12(1)(6) of the Law (legitimate interest). Data processing is carried out in the interest of achieving our public relations and communications.

For the processing of your data, which IDENTITY.PLUS COMPANY FOR PRODUCTION AND TRADE OF CLOTHING LTD BELGRADE (STARI GRAD) which the operator cannot influence for the purpose of communicating with consumers.

As we have already mentioned, in those places where the social network platform operator provides us with the opportunity, we take care to configure our pages in accordance with data protection.

b) Beneficiaries / categories of beneficiaries:

Information that you enter on our social media pages, such as comments, videos, images, likes, public notifications, etc., are published by the platform operator, and we do not process them for any other purpose than intended at any time. We reserve the right to delete illegal content if necessary. This is the case, for example, in the case of infringements or illegal posts, hate speech, comments (explicitly sexual content) or attachments (e.g. images or videos), which, among other things, infringe copyrights, personal rights, constitute a criminal offense or violate the ethical principles of the company. IDENTITY.PLUS.

In that case, we may potentially share your content on our page if it aligns with the functionality of a social networking platform. We also process your data for the purpose of communicating with you. If you send us an enquiry via social media, we may direct you to other, secure communication channels that guarantee confidentiality. Please note that you always have the option to send confidential enquiries to us via the email address stated in the general information or via the contact form.

The data you send us confidentially (e.g. private notices, correspondence or e-mail) is generally not passed on to third parties. In exceptional cases, our external partners, to whom we entrust certain tasks in order to provide our services at the highest level, may have access to your data. In such cases, these are processors who use the data on our behalf. All our partners are selected very carefully and are contractually bound to keep personal data confidential in accordance with Article 45 of the Law.

Furthermore, it may be necessary to forward parts of your confidential queries to our contractual partners (e.g. suppliers for queries relating to specific products) for the purpose of processing your query. However, in such cases, the query is anonymised beforehand, so that the third party cannot link it to you in any way. If forwarding your personal data is necessary in an individual case, we will inform you beforehand and request your consent.

c) Retention period / criteria for determining retention period:

All personal data that you provide with your enquiry (questions, suggestions, praise or criticism) will be deleted or securely anonymised no later than 90 days after we have provided you with a final answer. We store your data for 90 days because in individual cases, you as a consumer may contact us again regarding an answer to the same question, and in such cases, we must be able to refer back to previous correspondence. Experience has shown us that, as a rule, follow-up questions regarding our answers no longer arise after 90 days.

All public posts you make on the page will be permanently available unless we delete them during an update to a specific topic, or due to a legal violation, a breach of our guidelines, or if you delete the post yourself.

We have no possibility to influence the deletion of your data by the operator themselves. In that case, the data protection rules of the specific operator apply.

Prize draws

Purpose / legal basis for data processing:

You have the option on our website, via our newsletter, on our social networks or on the site lilushoes.com , you participate in various prize draws. Unless otherwise specified in a particular prize draw, or if you have not given us different express consent, we will process the personal data you have provided us as part of your participation in the prize draw solely for the purpose of implementing the prize draw (e.g., drawing/determining the winner, notifying the winner, sending the prize, and, if necessary, anonymously publishing the winner). If you use your full name and surname on a social network or are identifiable through photos on your profile, we cannot exclude your identification by other users.

The legal basis for processing your data within the scope of prize draws is, in principle, Article 12(1)(2) (performance of a contract) of the Law. In the event of giving consent within a prize draw, the legal basis for data processing is consent in accordance with Article 12(1)(1) of the Law. In this case, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to withdrawal.

Recipients / recipient categories:

We only pass on data to third parties when it is necessary for the execution of the prize draw, i.e. for sending prizes (e.g. sending of prizes by the prize draw sponsor or passing on data to a logistics company) or if you have given us your explicit consent. Please note that in some cases it may be possible to participate in a prize draw on publicly accessible pages (e.g. on a notice board or via comments), so that other users may publicly see the fact of your participation through your interaction with us. In such cases, others on the social network may also become aware of your prize. If.

Retention period / criteria for determining the retention period:

Upon conclusion of the prize draw and announcement of the winners, the personal data of participants will be deleted, with the exception of data pertaining to the prize winners, which we are legally obliged to retain when organising a prize draw. In cases where the prize is a product with a warranty, the data of the prize winners will be retained for the duration of the statutory warranty period to facilitate repair or replacement if necessary in the event of a defect. When participating in a prize draw on social media (e.g. via a post or comment), we have no means to influence the deletion of your data by the platform operator. In such cases, the data protection rules of the platform operator shall apply.

e) Sending newsletters

Purpose / legal basis for data processing:

You can also sign up for our newsletter via social media. If you have consented to receive our newsletter, we will only process your email address and, if necessary, your name in order to send you (individual, where possible) information about products, promotions, prize draws, and news from our shop offerings, as well as customer satisfaction surveys. We store and process this data for the purpose of sending out the newsletter. The newsletter content includes product offers, promotional discounts, prize draws, etc.

With your consent, we will record your behaviour as a user of our site, which has been collected on lilushoes.com as well as in our newsletter. The evaluation of user behaviour primarily encompasses the categories you navigate on the relevant page, i.e. the newsletter, and which links you click there. In doing so, personalised user profiles are created which are linked to your identity and/or email address, so that marketing communications (primarily in the form of newsletters, advertising banners, and printed advertisements) are as targeted as possible to your personal interests and the advertising offer is improved.

The legal basis for the above processing of your data is your consent in accordance with Article 12 paragraph 1 point 1) of the Act.

So that we can be sure there was no error when entering the email address, we have set up a so-called Double-Opt-In process: after you enter your email address in the registration field, we will send you a confirmation link. Only when you click on that link will your email address be added to our mailing list.

You can withdraw your consent to receive newsletters, participate in customer satisfaction surveys, and the creation of personalised customer profiles at any time. You can find the opt-out link in this text or at the end of every newsletter. By opting out, we will consider you to have withdrawn your consent for the creation of your personalised customer profile and receipt of newsletters. We will then delete your customer data. Withdrawal does not affect the lawfulness of processing carried out on the basis of consent prior to withdrawal.

Recipients / recipient categories:

If external partners – data processors – are engaged for sending out newsletters, they are bound by a contract in accordance with Article 45 of the Law.

Retention period / criteria for determining the retention period:

If you withdraw your consent to receive our newsletter, your email address will be blocked from receiving newsletters. Your data will be deleted from the relevant mailing lists six months after that. When signing up on a social network, we have no way to influence the deletion of your data by the operator. In that case, the data protection rules of the specific operator apply.

 

3. Joint responsibility, Art. 43 of the Law on Personal Data Protection

With the social network operator, there is partly a relationship in accordance with Article 45 of the Law (joint liability):

For web tracking methods that the social media platform operator makes available, the operator and we are jointly responsible. Web tracking may also occur regardless of whether you are logged in or registered on the social media platform. As we have already noted, we can unfortunately only influence the operator's web tracking methods to a limited extent; for example, we cannot deactivate them.

The legal basis for web tracking methods is Article 12 paragraph 1 point 6) of the Act (legitimate interest). The justified and legitimate interest consists in optimising the social network platform and the specific fan page.

Further information on recipients, i.e. categories of recipients, as well as the retention period, i.e. criteria for determining the retention period, can be found in the platform operators' data protection policies. We have no influence over these policies.

You can find the possibility of exercising your rights regarding the prevention of these web tracking methods in the operator's data protection policies, which are listed in point 2. You can contact the platform operators on this matter via the operator's contact details listed in their policies.

Regarding the statistics that the social media platform operator makes available to us, we can only influence and prevent them conditionally. However, we take care not to be supplied with any additional optional statistics.

From all of the above, please be aware of the fact that it is not possible to exclude the possibility that the social network platform operator uses data from your profile, as well as data on your behaviour, to, for example, assess your habits, personal relationships, tendencies, etc. IDENTITY.PLUS has no impact on the processing or forwarding of your data by the social network operator.

 

4. Your Rights

In accordance with Article 26 of the Law, you have the right to request information or details about the processing of your data free of charge.

Furthermore, provided that the legal requirements are met, you have the right to rectification (Article 29 of the Law), erasure (Article 30 of the Law), as well as the right to restrict processing (Article 31 of the Law).

If the processing of your data is based on Article 12(1)(5) or (6) of the Act, you have the right to object to the processing of data in accordance with Article 37 of the Act. If you submit an objection, we will be obliged to cease processing your data, unless we demonstrate that there are legitimate grounds for processing your data which override the interests, rights or freedoms of the data subject.

If you have provided us with your data yourself, in accordance with Article 36 of the Act, you have the right to transfer that data to another controller. As a rule, on social networks, you can exercise this right directly with the social network operator, as only the operator has access to your profile data.

If the processing of your data is based on your consent in accordance with Article 12, paragraph 1, point 1) of the Law, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

To exercise the aforementioned rights, or if you have any additional questions or complaints, please contact our Data Protection Officer using the contact details provided in the next section of this text.

In addition, in accordance with Article 82 of the Law, you have the right to lodge a complaint with the state authority responsible for personal data protection (the Commissioner for Public Information and Personal Data Protection).

If you wish to exercise your rights regarding the specific processing of your data, please contact us. We will then review your query (e.g., request for information or objection) or forward it to the relevant social network platform, if necessary, in case your request concerns data processing by the operator.

 

5. Contact person for personal data protection in IDENTITY.PLUS:

If you have any additional questions or concerns regarding the processing of your data, please feel free to contact us and we will do our best to assist you.

For these purposes, you have a data protection officer available at IDENTITY.PLUS Who you can contact in writing or by email: IDENTITY.PLUS COMPANY FOR PRODUCTION AND TRADE OF CLOTHING LTD BELGRADE (STARI GRAD), Skender begova 3A, 11000 Belgrade, Email sales@lilushoes.com.

 

YOUR RIGHTS

 

1. Overview

In addition to your right to withdraw your consent, provided the legal requirements are met, you have the following rights:

• the right to information about your personal data that we process, in accordance with Article 26 of the Law on Personal Data Protection,
• the right to rectification of inaccurate or incomplete data, in accordance with Article 29 of the Personal Data Protection Act.,
• the right to erasure of your saved data, in accordance with Article 30 of the Law on Personal Data Protection,
• the right to restrict the processing of data, in accordance with Article 31 of the Law on Personal Data Protection,
• the right to data portability, in accordance with Article 36 of the Law on Personal Data Protection,
• right to object, in accordance with Article 37 of the Law on Personal Data Protection.

 

2. Right to information in accordance with Article 26 of the Law on Personal Data Protection

In accordance with Article 26 of the Law on Personal Data Protection, you have the right to request information from us free of charge on whether we process your personal data, access to that data, as well as information:

• purpose of processing;
• regarding the types of personal data being processed;
• of the data subjects or categories of recipients to whom the personal data have been or will be disclosed, and in particular recipients in third countries or international organisations;
• on the envisaged retention period for personal data, or if not possible, on the criteria for determining that period;
• regarding the existence of the right of the controller ( IDENTITY.PLUS ) requests correction or deletion of personal data, the right to restrict processing and the right to object to processing, the right to lodge a complaint with a supervisory authority (Commissioner for Information of Public Importance and Personal Data Protection); on the source of personal data (available information), if personal data have not been collected from the data subject (from you); on the existence of an automated decision-making process, including profiling, referred to in Article 38, paragraphs 1 and 4 of the Personal Data Protection Act, and, at least in those cases, meaningful information about the logic involved, as well as the significance and expected consequences of such processing for the data subject (for you).

If personal data is transferred to another country or international organisation, you have the right to be informed about the appropriate safeguards relating to the transfer, in accordance with Article 65 of the Personal Data Protection Act.

 

3. Right to rectify in accordance with Article 29 of the Law on Personal Data Protection

You have the right to request that your inaccurate personal data be corrected without undue delay. Depending on the purpose of the processing, you have the right to have your incomplete personal data supplemented, which includes the provision of a supplementary statement.

 

4. Right to erasure pursuant to Article 30 of the Data Protection Act

You have the right to request that your personal data be deleted by us in the following cases:

• personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
• you have withdrawn your consent on the basis of which the processing was carried out, in accordance with Article 12 paragraph 1 point 1) or Article 17 paragraph 2 point 1) of the Law on Personal Data Protection, and there is no other legal basis for processing;
• when you lodge an objection to processing pursuant to Article 37(1) or (2) of the Data Protection Act, and there is no other legal basis for processing that outweighs the legitimate interest, right or freedom of the data subject;
• personal data has been unlawfully processed;
• personal data must be deleted in order to fulfil our legal obligations;
• personal data has been collected in connection with the use of information society services from Article 16, paragraph 1 of the Law on Personal Data Protection.

If we have publicly disclosed personal data, and we are obliged to erase the data, we shall take all reasonable steps, including technical measures, in accordance with available technologies and the costs of their implementation, to inform other controllers processing this personal data that you have requested the erasure of all copies of such data and all links to, or imitation of, such personal data.

 

5. Right to restriction of processing under Article 31 of the Data Protection Law

You have the right to request that we restrict the processing of your personal data if one of the following applies:

• you dispute the accuracy of personal data, within a timeframe that allows us to verify the accuracy of the personal data;
• processing is unlawful, and you object to the erasure of personal data and instead request the restriction of the use of data;
• The controller (we) no longer needs personal data for the purpose of processing, but you do need it for the submission, exercise or defence of a legal claim; or
• You may lodge an objection to the processing pursuant to Article 37, Paragraph 1 of the Personal Data Protection Act, and it is currently being assessed whether the legal basis for processing by the controller (us) outweighs your interests.

 

6. Right to data portability in accordance with Article 36 of the Law on Personal Data Protection

You have the right to receive the personal data that you have previously provided to us in a structured, commonly used and machine-readable format and you have the right to transmit that data to another controller without hindrance from us, if the following conditions are cumulatively met:

• processing is based on consent in accordance with Article 12 paragraph 1 point 1) or Article 17 paragraph 2 point 1) of the Law on Personal Data Protection or on the basis of a contract, in accordance with Article 12 paragraph 1 point 2) of the same Law; processing is carried out automatically.

This right also includes the right for your personal data to be directly transferred by us to another controller, provided that this is technically feasible.

 

7. Right to object in accordance with Article 37 of the Personal Data Protection Act

Under the conditions set out in Article 37(1) of the Personal Data Protection Act, the processing of data may be objected to for reasons relating to your specific situation.

The aforementioned general right to object applies to all processing purposes described in this data protection policy, which are processed on the basis of Article 12(1), point 6) of the Data Protection Act. In contrast to the right to object to data processing for commercial purposes (see point 6), we are obliged under the Data Protection Act to implement such a general right to object only if there are significant reasons for doing so, for example, a potential danger to life or health. In addition, you have the option to contact the state authority responsible for data protection or the data protection officer at IDENTITY.PLUS.

These privacy rules apply to the website lilushoes.com and for the processing of data by us as data controller:

IDENTITY.PLUS COMPANY FOR PRODUCTION AND TRADE OF CLOTHING LTD BELGRADE (STARI GRAD), Skender begova 3A, 11000 Belgrade, MB: 20009659, GVA 103731893, Telephone: +381 60 3262 653, E-mail: sales@lilushoes.com.