Privacy Policy

Notice to individuals under Article 13 of the General Data Protection Regulation (GDPR) regarding the processing of personal data in 2.0.

The controller of personal data relating to the https://kakadu.si/ website and your other interactions with KAKADU, online shop, d.o.o., is: 

KAKADU, online shop, d.o.o.
Pilonova ulica 34
1000 Ljubljana
Registration number: 3799344000
Tax code: SI 77775287
email: [email protected]

(hereinafter referred to as "the organisation" or "Company")

In our organisation, a Data Protection Officer has not yet been appointed. All questions, requests, inquiries and other communications related to the protection of personal data in our organisation can be addressed to: [email protected].

Introduction

Basic information about the organisation and its mission

Our organisation collects, stores and otherwise processes certain information and data, including personal data, as provided for by the Personal Data Protection Act (ZVOP-2) or Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation or GDPR).

Purpose and use of this notice

This notice describes how our organisation processes the personal data of individuals who have provided their personal data directly to us as the controller of personal data in connection with the website https://kakadu.si/ (e.g. when cookies are set when you visit the website, when you fill in and submit a contact form, etc.).

Use of terms and amendments to this Notice

Unless otherwise indicated, terms used in this Notice (e.g. personal data, processing, Controller, Processor, etc.) have the same meaning as in the GDPR.

The term "website" means https://kakadu.si/ and includes all associated sub-sites and related servers and systems.

Terms emphasised or defined in this notice (e.g. Individual) that are written in the singular also include the plural and vice versa, and terms written in one gender include all genders (e.g. single).

We may update or change the information and statements in this notice from time to time, and news of major changes will be posted on our website. 

In the event of substantial changes (e.g. to the legal basis and purposes of processing of data already collected), we will inform individuals of the proposed changes by email or other appropriate means.

1. Overview of the collections and types of personal data, categories of data subjects, time limits for erasure of personal data, legal bases for processing and purposes and types of processing

1.1. Treatment table

Name of the controller's personal data collection: Information related to the registration of a user account
- Types of data in the personal data file: Username, email address, password.
- Categories of data subjects: Persons who have registered a user account.
- Time limits for erasure of personal data*: When you delete your user account.
- Legal basis for processing, purposes of processing and types of processing of personal data**: For the purposes of enforcing the contract (i.e. the General Terms and Conditions) we may store and process the data in ways that are logically connected to the management of the user account and the provision of the related benefits (i.e. storage in the email system and in the back-end of the online shop, physical storage (account), access, forwarding, deletion, backup).

Name of the controller's personal data collection: Data related to the contract (distance purchase)
- Types of data in the personal data file: The name of the buyer and any other data collected at the final step of the purchase (i.e. contact details, telephone, email address, delivery address, etc.).
- Categories of data subjects: The name of the customer who enters into a distance purchase contract with our organisation (i.e. a purchase via the website) or in relation to which our organisation issues an invoice for its services.
- Time limits for erasure of personal data*: Until the expiry of the retention period or the fulfilment of the purpose of the processing of the individual personal data, in which case the data may generally be retained by the organisation for a period of 6 years after the completion of the purchase, or even longer (e.g. in relation to invoice data, which is generally retained for at least 10 years by law), as further detailed in points 1.3. and 2. of this document.
- Legal basis for processing, purposes of processing and types of processing of personal data**: For the purpose of performing a contract (e.g. delivery of a product, invoicing) we may store and process the data in ways that are logically related to the performance of the contract or invoicing (i.e. storage in the email system and back-end of the online shop, physical storage (invoice), consultation, forwarding, deletion, backup).

Name of the controller's personal data collection: Information about an individual who has previously been a customer of our online shop
- Types of data in the personal data file: The email address of an individual who has previously been a customer of our online shop.
- Categories of data subjects: Individuals who have already purchased products from our online shop.
- Time limits for erasure of personal data*: Until the individual unsubscribes from receiving electronic communications via the unsubscribe link contained in each email. * In any case, the individual may also request the deletion of data by sending a request to the official e-mail address of the organisation, which is indicated at the beginning of this document.
- Legal basis for processing, purposes of processing and types of processing of personal data**: Under an express legal exemption that permits such emails, we may, until we receive an individual's opt-out, store and use the data in ways that are logically connected to the sending of commercial emails (i.e. store and use in connection with the email system) solely for the purpose of providing information, advice and other useful data regarding the organisation's services.

Name of the controller's personal data collection: Information about an individual who has added products to the basket but has not completed the purchase
- Types of data in the personal data file: The name of the buyer and any other data collected at the final step of the purchase (i.e. contact details, email address, delivery address, details of the product that has been added to the basket).
- Categories of data subjects: Individuals who have added products to their basket but have not completed their purchase.
- Time limits for erasure of personal data*: After the individual has been sent an email regarding the products left in the basket, or at the latest within 1 month from the day on which the individual left the last purchase step with the products in the basket.
- Legal basis for processing, purposes of processing and types of processing of personal data**: On the basis of contract negotiations (i.e. the consumer's demonstrated interest in certain products) and in accordance with our legitimate interests, we may store the data for a limited period of time, in ways that are logically connected to the continuation of contract negotiations (i.e. storage in an email messaging system, consultation, forwarding, deletion).

Name of the controller's personal data collection: Information about the individual who communicates with the organisation via the email addresses and other communication channels available on the website
- Types of data in the personal data file: Name and/or surname of the individual who communicates with our organisation; email address of the individual communicating with our organisation, if any; possible telephone number of the individual who communicates with our organisation; potential personal data contained in the communication with the individual.
- Categories of data subjects: Personal data of an individual who interacts with the organisation of his/her own free will (e.g. enquires about the organisation's services, arranges a visit to a branch via a published email address or contact form, etc.).
- Time limits for erasure of personal data*: Until the purposes for which the personal data were collected for the processing of the individual personal data have expired (e.g. until the end of the communication) or until 4 years have elapsed since the last communication with the individual.
- Legal basis for processing, purposes of processing and types of processing of personal data**: On the basis of the negotiation of a contract (i.e. obtaining information about or ordering a service or other voluntary communication between the individual and the organisation in this respect), the organisation may process the data in ways that are logically connected to the negotiation of the performance of the service or the preparation of the response (e.g. storage in an email system for the purpose of the response and any further communication, storage of the data in the organisation's archives, etc.).

Name of the controller's personal data collection: Details of individuals who have opted in to receive the organisation's information emails
- Types of data in the personal data file: Email address of the individual.
- Categories of data subjects: Personal data of an individual who has consented to the organisation sending him/her information, advice and other useful information about the organisation's products/services to his/her email address from time to time.
- Time limits for erasure of personal data*: Until the individual unsubscribes from receiving electronic communications via the unsubscribe link contained in each email. * In any case, the individual may also request the deletion of data by sending a request to the official e-mail address of the organisation, which is indicated at the beginning of this document.
- Legal basis for processing, purposes of processing and types of processing of personal data**: On the basis of the consent obtained, the organisation may process (i.e. store and use in connection with the email system) the data solely for the purpose of providing information, advice and other useful data regarding the organisation's services.

Name of the controller's personal data collection: Details of individuals who register for the prize draw
- Types of data in the personal data file: The name and surname of the prize draw entrant, email address, and any other information that the individual may disclose during the course of participation in the prize draw (e.g. address for delivery of the prize, tax code for tax deposit, etc.).
- Categories of data subjects: Individuals participating in the prize draw.
- Time limits for erasure of personal data*: Until the end of the prize draw period and for 6 years from that date for the purposes of evidence (complaints/inspections).
- Legal basis for processing, purposes of processing and types of processing of personal data**: On the basis of the negotiation of the contract (i.e. the promise of a prize in accordance with the provisions of the Code of Obligations and the rules of the relevant prize draw), the Company may collect, store for the duration of the prize draw and for a period of 6 years after the end of the prize draw, structure and otherwise make reasonable use of the data for the sole purpose of conducting the prize draw (e.g. for the purposes of: publishing the name of the winner on the Company's website, reviewing the entries received, drawing/conducting the selection, contacting the individual in the event of selection, delivery of the product, payment of the deposit, etc.).

Name of the controller's personal data collection: Details of individuals applying for a vacancy in the organisation
- Types of data in the personal data file: The candidate's name, email address, CV, motivation letter, details of previous work experience or other information relevant to the selection process and mentioned as such when the vacancy is advertised, and any personal data that may be included in email correspondence with such individual.
- Categories of data subjects: An individual applying for a vacancy in an organisation.
- Time limits for erasure of personal data*: Until the end of the recruitment process, unless the organisation has obtained the individual's explicit consent for longer data retention.
- Legal basis for processing, purposes of processing and types of processing of personal data**: In the context of negotiating an employment contract, the organisation may process (i.e. collect, store for the duration of the selection process, review, structure) and otherwise use the data in a reasonable way for the sole purpose of the recruitment process (e.g. evaluating the individual's references and communicating with him/her about the progress of the recruitment process, using the data to view other publicly available information about the individual, etc.).

Name of the controller's personal data collection: Information we obtain from website visitors using cookie technology providers
- Types of data in the personal data file: The data described for each type of necessary or non-necessary cookie (such as IP address, session time, browser data, etc.) (see our dedicated cookie policy).
- Categories of data subjects: Personal data of an individual who visits our website and sets essential or non-essential cookies (see our dedicated cookie policy).
- Time limits for erasure of personal data*: (See our dedicated cookie policy)
- Legal basis for processing, purposes of processing and types of processing of personal data**: (See our dedicated cookie policy)

* The Organisation reserves the right to retain certain data longer than the time limits set out above in certain cases based on its legitimate interests (e.g. in the case of an inspection procedure in relation to a service/feature/game/form), but in all such cases the Organisation will limit the retention of the data to that which is necessary for the pursuit of such legitimate interest. In any case, the data subject may request the erasure of the data by sending his/her request to the official e-mail address indicated at the beginning of this document.

** In relation to overriding purposes (e.g. data retention), data may be transferred for processing to the organisation's contractual partners (sub-processors) listed in section 3.3 of this notice. Sub-processors may only process data in connection with the performance of the tasks assigned to them and in direct relation to the purposes pursued. 

1.2 The legal basis for the processing of personal data may be the performance of a contract or the negotiation of a contract.

We may process personal data of individuals on the basis of a concluded contract (e.g. performance of a service in our office) or contract negotiations (e.g. when an individual uses our official communication channels and wishes to obtain more information about our services). 

In the cases described above, you provide us with personal data as part of a contractual obligation or as part of the negotiation of a contract, and we consequently do not need your explicit consent for the above processing of your personal data.

In principle, you will not suffer any serious negative consequences in situations where we would otherwise need your personal data to perform our services and you do not provide it to us. However, such situations may make it significantly more difficult or even impossible for us to perform the services you have requested or for us to cooperate with you, in which case you will be informed in advance or after the fact.

1.3 The legal basis for processing your data may also be the law

We also process personal data for the purpose of complying with laws and regulations, especially those governing taxation and accounting (e.g. records of invoices issued and received, etc.), e.g.:

- where an inspector or other public authority requires the organisation to provide it with the personal data of a specific customer/visitor in accordance with the law (e.g. in the context of inspections under the provisions of the Inspection Control Act (ICA)),

- where the organisation processes personal data of a customer to whom it has issued an invoice; the invoice and the customer's data (e.g. personal name, contact details, etc.) are processed on the basis of the Law on Value Added Tax (ZDDV-1) (see section 3.2.), etc.

1.4. Based on the legitimate interests of the organisation

We may also process certain personal data for the purposes of protecting our own legitimate interests. This would be the case, for example, where the processing of your data would be necessary for administrative, criminal or civil proceedings (e.g. where the organisation would need to provide the database as evidence in the proceedings, otherwise the organisation would suffer a penalty or serious and irreparable damage), in which case we will only ever process the data that is strictly necessary for the pursuit of such legitimate aims.

The organisation may also process the personal data of the data subject in cases where the processing is necessary to protect the vital interests of the data subject (e.g. access to the address of an individual facing imminent and serious danger to life).

1.5. Subject to consent

In principle, your cooperation with us and the use of our services is not conditional on your consent to the processing of your personal data. 

However, we may also process your personal data on the basis of your explicit consent. The explicit consent of the individual is considered to be his or her freely given statement by which he or she consents to the processing of certain personal data for a specific purpose (e.g. your consent to receive our newsletters), in which case we process the data listed in the section of the table referred to in point 1, where it is indicated that the processing is based on consent.

You may opt out of such communications at any time by following the link contained in each such email or by contacting us at the address set out at the beginning of this document.

However, our online advertising may also be carried out on the basis of your consent, if you have agreed to the setting of optional (advertising) cookies and tracking pixels by our advertising partners when you visit our website (e.g. the setting of the Google Analytics cookie, which enables us to advertise our services to you more easily on other websites, etc.). A detailed description of the optional cookies of our advertising partners, the data we process with them and the retention periods for this data is set out on the "Cookies" sub-page.


The Organisation guarantees the individual the right to withdraw his or her explicit consent at any time by simply contacting us at the email address provided at the beginning of this document.

Withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of the consent up to the time of withdrawal.

In the event that you do not consent to the processing of your personal data, give partial consent or withdraw (partial) consent, we will, as far as possible, only cooperate with you to the extent of the consent given or in the ways permitted by applicable law.

Consent is voluntary and if you decide not to give it, or later withdraw it, this will in no way prejudice your other rights or impose additional costs or aggravating circumstances on you. 

2. How long do we keep or process your personal data?

The period of retention of personal data depends on the basis and purpose of the processing of each category of personal data. As a general rule, personal data are kept for as long as necessary to fulfil the purpose for which the data were collected or as long as a regulation requires us to keep them, at which point they are deleted.

To the extent that the retention period for individual data is not further specified in the table in Chapter 1, the following shall apply:

- Data relating to the contract entered into or the provision of our services and invoicing. Until the expiry of the retention period or the fulfilment of the purpose of the processing of the individual personal data, in which case the organisation may, as a general rule, retain the data for 6 years after the end of the cooperation or even longer (e.g. invoice data), whereby we retain the personal data of the subscribers on the invoices for a period of up to 10 years, as this obligation is imposed on the organisation by the Law on Value Added Tax (ZDDV-1),

- We retain data about individuals who communicate with the organisation via the email addresses and other communication channels available on the website until the purposes for which the personal data were collected for the processing of the individual personal data have expired (e.g. until the end of the communication) or until 4 years have passed since the last communication with the individual.

 - Based on your explicit consent to marketing communications or our legitimate interest to advertise to people who are already our customers, we keep the data until the person withdraws his/her consent.

The organisation may retain the data for 15 days after the expiry of that retention period in order to be able to carry out the destruction of the stored data from all data storage media and servers during that period.

In any case, the data subject may request erasure of the data by sending his or her request to the official e-mail address of the organisation at the address indicated at the beginning of this document.

3. Who processes your personal data within and outside the organisation (users of personal data)?

3.1. Designated employees of the organisation

Your personal data is processed by those employees of the organisation who need the data in order to carry out their work tasks. All employees are committed to confidentiality and to respecting the protection of personal data.

3.2. National authorities

In certain cases, as required by applicable law, the organisation must also disclose or report your personal data to the competent government authorities, as well as to authorities responsible for, for example, financial, tax or other supervision (e.g. the Office of the Information Commissioner of the Republic of Slovenia, etc.). In certain cases, the organisation is also obliged to disclose data to third parties if the organisation is required to do so by law or by a legal right of a third party.

3.3. Contractual processing of personal data

In addition to employees of the organisation, users of personal data may include employees of the organisation's contractual processors, who may process personal data as confidential solely on behalf of the organisation and within the limits of the external processing contract that the organisation has with each such processor. Contract processors may only process personal data under the instructions of the organisation (i.e. the contract) and may not use the data to pursue any of their own interests.

The contractual processors with which the organisation cooperates are:

  • persons who work with us on the basis of subcontracts or authoring contracts (IT system maintainers, software code developers, etc.),
  • a provider of bulk email services,
  • payment service providers,
  • accountants or accounting services or accounting tools,
  • Website hosting service provider (see section 3.4.).

The Organisation will not share your personal data with unauthorised third parties.

To obtain a detailed list of all the organisation's contractual subcontractors, please contact us at the email address given at the beginning of this document.

3.4 Website hosting service provider

Our website is hosted on servers of a company in the Republic of Slovenia.

3.5 Transfer of personal data to third countries and international organisations and measures to protect the transferred data

As a general rule, our organisation does not export personal data to third countries (i.e. outside the European Union, Iceland, Norway and Liechtenstein, i.e. the EEA) or international organisations.

Exceptions to this are the occasional transfer of certain technical and personal data to the servers of the above-mentioned processors whose headquarters or servers are located in the USA (i.e. the automatic transfer of certain data collected by cookies of companies in the USA - see our Cookie Policy, transfer of data to Klaviyo Inc, etc.), where the relevant contract processors are former members of the "Privacy Shield" (https://www.privacyshield.gov/) and have complied with and adopted security measures in relation to the receipt or transfer of data after 12 July 2020 (e.g. standard contractual clauses) or have adequately performed and achieved full self-certification in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data in the EU-US data privacy framework (i.e. in the context of the new EU-US data transfer framework in accordance with the above adequacy decision as of 10 July 2023).

A list of all such sub-processors can be obtained by sending a request to the e-mail address indicated at the beginning of this document.

4. Processing and protection of special categories of personal data

We do not ask individuals to provide special categories of personal data (i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data or biometric data, data relating to health or data relating to an individual's sex life or sexual orientation) in connection with our website or services.

If the organisation becomes aware of a situation in which such information may be disclosed, the information received will be protected or otherwise dealt with as appropriate.

5. What are your rights regarding your personal data and how can you exercise them?

In relation to this notice on the processing of personal data or the processing of your personal data by our organisation and our contractual processors, you may contact us at any time and without any objection at the email address provided at the beginning of these General Terms and Conditions.

You can also use that address to send your requests and exercise other rights related to personal data and the GDPR. 

As a data subject, the GDPR gives you the opportunity to exercise the following rights with our organisation:

Right to information: Individuals have the right to be informed about the collection and processing of their personal data. 

Right of access: Individuals have the right to access their personal data and to obtain information on how the data is processed and a copy of the data itself. 

Right to erasure (right to be forgotten): Individuals have the right to request the erasure of their personal data in certain circumstances. 

Right to withdraw consent: If the processing of personal data is based on consent, individuals have the right to withdraw their consent at any time without suffering any adverse consequences.

Right to rectification: Individuals have the right to request the rectification of inaccurate or incomplete personal data. If the data have been disclosed to third parties, we will, as far as possible, inform these third parties of the rectification. 

Right to restriction of processing: Individuals have the right to request the restriction of the processing of their personal data. This right applies in certain cases, for example where the accuracy of the data is contested or the data subject has objected to processing. 

Right to data portability: Individuals have the right to receive their personal data in a structured, commonly used and machine-readable format in certain cases. They can also request that their data be transferred to another controller if the processing is based on consent or a contract and if the processing is carried out by automated means.

Right to object: Individuals have the right to object to the processing of their personal data on the grounds of legitimate interests or public interest/exercise of official authority. In such cases, we will cease such processing unless we can demonstrate compelling legitimate grounds which override the interests, rights and freedoms of the individual.

Rights relating to automated decision-making and profiling: Individuals have the right not to be subject to solely automated decisions, including profiling, which significantly affect them. They also have the right to human intervention, to express their views and to complain about such decisions.

Right to lodge a complaint with the supervisory authority: If you believe that the processing of personal data concerning you by our organisation violates data protection law, you may, without prejudice to any other (administrative or other) legal remedy, lodge a complaint with a supervisory authority, in particular in the country in which you are habitually resident, where you work or where the violation is alleged to have taken place (in Slovenia, the Information Commissioner):

- Information Commissioner, Dunajska 22, 1000 Ljubljana, e-mail: [email protected], phone: 012309730, website: www.ip-rs.com.

A list of other EU supervisory authorities and their contact details can be found here: https://www.edpb.europa.eu/about-edpb/about-edpb/members_sl.

6. Existence of automated decision-making and profiling 

The processing carried out by our organisation does not involve automated decision-making and profiling based on your personal data.

7. Processing of personal data of persons under 15 years of age 

Our organisation has focused the development and provision of its services on the collection of personal data from people over the age of 15. In cases where a younger person would use the services of the organisation, the organisation will, if it becomes aware of such a case, obtain the consent of the parent or guardian of such person. 

If the organisation itself subsequently becomes aware that personal data of a person under the age of 15 is being processed in connection with the service without the consent of the person's parent or guardian, it will take all necessary steps to delete all personal data covered.

The undersigned, or their parents or guardians, may at any time submit their requests for the deletion of the data concerned to the e-mail address indicated at the beginning of this document.

8. Who can you contact for further clarification on the processing of personal data and on your rights?

You can contact us at any time regarding the processing of your personal data at the email address provided at the beginning of this document.

9. Protection of your personal data

We carefully store and protect personal data using organisational, technical and logical-technical procedures and measures to protect against accidental or intentional unauthorised access, destruction, alteration or loss, as well as unauthorised disclosure or other processing to which you have not explicitly consented.

The organisation has also adopted appropriate internal processes to this end, and has put in place various measures (e.g. assigning, using and changing passwords, locking premises, offices, and server and workstation locations, regularly updating supporting software and upgrading security-protected components, physically securing material containing personal data in designated areas, training of employees, etc.). The organisation also requires the same security requirements of its contractual processors.

10. Version and date of the last update of this notice

The text of this Notice constitutes version 2.0 of this document. This notice was last updated on 22.6.2025. 

                                                                              KAKADU, online shop, d.o.o.
