The company ROSIS UNUS d.o.o. (hereinafter: Rosis), as the owner of the Roses Design Outlet Centre (hereinafter: the Centre) is dedicated to protecting and respecting your privacy and personal data, in accordance with the General Data Protection Regulation (hereinafter: the Regulation, GDPR) and the Act on Implementation of the General Data Protection Regulation.
We invite you to read this Policy carefully in order to learn why and how we collect your personal data, as well as the manner in which it is processed.
The Data Controller is the company Rosis Unus d.o.o. PIN: 00378517235, Sv. Križ Začretje, Vrankovec 1.
What constitutes personal data?
Personal data is any data relating to a natural person – the data subject, i.e. an individual whose identity has been determined or can be determined using said data. Personal data is also different data, i.e. information, which, in aggregate, may identify a certain natural person (personal data such as name and surname, home address, e-mail address, etc.).
Who is a Data Subject?
A data subject is an individual whose identity can be determined, i.e. a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What does Personal Data Processing mean?
According to the Regulation, processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
When and how do we collect your personal data?
We collect personal data in one of the following ways:
Directly from the data subject – when personal data is collected for the purpose of concluding or executing a contract, via web forms (by accessing the Roses Designer Outlet Centre’s VIP club – by subscribing to the newsletter), when the data subject contacts the employees of the Data Controller or Data Processor, during a telephone call with the individual, by entering the facilities of the company (video surveillance), by participating in a prize game or contest organised by Rosis.
Indirectly – publicly available data on websites not affiliated with the company (e.g. social network posts), data obtained by access to our website (cookies) and similar technologies which were legally delivered to us by our partners.
We mostly receive your personal data directly from you – during the use of services, e.g. when you complete a certain form or when we collect data by monitoring (e.g. via CCTV in the Centre). Your personal data shall be processed for marketing purposes only should you agree, i.e. if you should provide us with the appropriate consent for the purpose (Article 6, subparagraph 1 (a) of the General Data Protection Regulation).
Which personal data do we collect?
The data we usually collect from the data subjects are: name, surname, address, e-mail, date of birth, sex and other data indicated in the form on our website, on the application form for membership in our VIP club, on the Kidsland form, as well as any other data you might voluntarily share. Moreover, we collect personal data via video surveillance in the facilities of the Centre.
- Where is your personal data stored?
The personal data we collect from you is stored in a secure environment. Your personal data is protected from unauthorised access, disclosure, use, modification or destruction by any individual or organisation.
Depending on their format, personal data is stored in our facilities and IT systems, but we also sometimes store data on servers and in facilities of our business partners with which we conduct regulated business in which they are obliged to abide by the provisions of the General Data Protection Regulation and our instructions.
- Sharing and accessing personal data:
The company Rosis Unus d.o.o. stores the personal data of data subjects.
Access to personal data processed by the company Rosis Unus d.o.o. is granted to the company: Roses Values d.o.o. PIN: 13402192535, Sv. Križ Začretje, Vrankovec 1, our partner in management activities for the Roses Designer Outlet Centre.
We entrust a series of business tasks to third parties – service providers contracted by us as Data Processors, which they perform on our behalf and which are related to the execution of such contracts. In such cases, third parties are merely provided with the personal data necessary for the performance of services, and we expressly prohibit the use of the data subjects’ personal data for any other purposes. Third parties as service providers, as per their agreements with Rosis, are obliged to process the received data exclusively in accordance with our instructions and for the purpose determined by us as Data Controllers. Our partners are obliged to protect and process the data subjects’ personal data by applying organisational and technical measures in accordance with the provisions regulating the protection of personal data.
We may share the collected personal data with:
- third parties providing technical support, such as IT support, the service of data storage on servers, database support and maintenance, maintenance of software which may contain personal data. The provision of such services, and, subsequently, access to personal data is necessary for the performance of business-related tasks. In the case of data transfer to servers, the transfer is made to servers within the European Union and the European Economic Area or to the country and partner ensuring the necessary level of protection in accordance with EU legislation. Personal data is transferred to Data Processors in the USA which acceded to the Privacy Shield agreement between the European Union and the USA which guarantees adequate protection of personal data;
- third parties providing accounting services;
- third parties providing security services in the area of the Centre;
- third parties participating in the execution of contractual and other obligations of Rosis, as well as all obligations incurred from the relation with the data subjects (such as co-organisers of prize games and contests), and persons providing debt collection services;
- business partners in accordance with the corresponding statutory provisions;
- where the delivery of such data presents a legal obligation.
Period of storage of the data subject’s personal data
The collected personal data shall be stored in accordance with the appropriate regulation, where the period of data storage depends on the fulfilment of a contractual or statutory obligation. The period of personal data storage depends on the purpose of processing and the category of personal data. At any rate, when we determine that we no longer require your personal data or that there is no longer a foundation for storing such data, it shall be erased.
How can your personal data be used?
We process the collected personal data in accordance with the provisions regulating personal data protection. The manner of processing, personal data categories, as well as the legal foundation for the processing depend on the purpose of data collection.
- VIP CLUB and newsletter
Upon applying for the Roses Designer Outlet Centre’s VIP club, you gain the right to receive the Roses anniversary VIP booklet containing additional discounts in stores within the Centre. We collect the following personal data during the application process: name and surname, postal code, country, e-mail, date of birth. This data is necessary for verifying the authenticity of the registered person and for the fulfilment of our obligation of delivering the booklet of discounts in Centre stores. The collected data is stored for the duration of the user’s membership in the VIP club.
VIP club members are able to register for the newsletter so that they may receive information on promotions, prize games and contests organised by the Centre. Data processing for marketing purposes can be performed on the basis of the data subject’s given consent (Article 6, subparagraph 1 (a) of the General Data Protection Regulation). Said consent may be withdrawn at any moment, and the personal data shall subsequently cease to be processed and shall be erased. The data collected in this manner shall be stored until the given consent is withdrawn.
Obtaining membership of the VIP club and subscription to the newsletter can be achieved through registration on the website of the Centre.
Registration to the newsletter containing information on promotions, prize games and contests organised by the Centre can also be conducted in other ways: by submitting a written form; by registering for wireless Internet access within the Centre or in other ways. At any rate, personal data processing for marketing purposes is only possible with the data subject’s consent.
- Website www.rosisdesigneroutlet.hr and cookies
We process personal data collected through website cookies based on your consent. If you wish to withdraw your consent, you must first select the appropriate settings in your browser. However, some of the functions of our website may not operate with deactivated cookies. When we request your consent, you shall receive a description of the purpose for which the data will be processed and you shall be informed of your rights. You can find more information on cookies under the link on our website.
- Website links for social network sharing
Our website may contain active third-party content. If you should click on one of the links for social network sharing while visiting our website, communication data will be exchanged between you and the corresponding service provider.
By activating the link for social network sharing, the service provider receives the information collected by your browser on the corresponding subpage of our website, even if you do not possess an account with said service provider or if you are currently not logged in with the service provider. The information is transferred directly from the browser to the server of the service provider.
The corresponding service provider may process your data for its own purposes. The communication and subsequent data processing by the service provider is only initiated after you actively select the corresponding service. Roses cannot control the data collected and processed by third parties and we cannot provide binding information as to the objective and purpose of such processing of your data.
FACEBOOK: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland
INSTAGRAM: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland
YOUTUBE: Google Inc., 1600 Amphitheater Parkway, Mountainview, California 94043, USA
- Special events, prize games and contests
In cases where Rosis is the organiser or one of the organisers of an event, prize game or contest, the participants may be requested to provide certain personal data. The purpose of collecting and processing data is to ensure a regularly conducted event and provide security or award prizes to participants. In case of a certain event, game or contest being organised in collaboration with a business partner – third party, the collected personal data may be transferred to said business partners. Personal data collected in this manner will be stored until the event, game or contest is completed, except for cases in which the data must be stored for longer periods (e.g. in case of awarding prizes or filing reimbursement claims).
- Wireless Internet in the Centre area (Wi-Fi)
Rosis provides a wireless Internet access service (Wi-Fi) in the area of the Roses Designer Outlet Centre.
Personal data of the data subject is collected during the use of the wireless Internet access service only if the user registers to the Service via their social network account (Facebook, Instagram, etc.), via their Google account or by completing a special form. The personal data thus collected is name, surname and e-mail address. Other data may be collected as well: data about the device used to access the service and the data on the browser used. If the registration to the wireless Internet access service should not be conducted through a social network account, the data subject’s personal data shall not be collected.
The personal data thus collected is used for the purpose of enabling secure provision of the Service, protecting the interests of Rosis and its employees and preventing, detecting and processing potential misuse to the detriment of the Data Controller and Data Processor, in cases where the processing is founded on legitimate interest of Rosis in accordance with the processing (Article 6, subparagraph 1, point (f) of the General Data Protection Regulation). Where the processing is based on the data subject’s consent, Rosis may process the collected personal data for the purpose of advertising its own services, as well as service and products of its partners, by sending promotional notifications on services and products.
The personal data is processed and stored on servers within the European Union and/or in the Republic of Croatia. The personal data shall not be shared with third parties, unless in such cases where another party has been contracted as Data Processor for the purpose of performing certain tasks of the Data Controller, where the process of logging into the Service is done via a Google or social network account used upon registration, and where there is a statutory obligation or express authorisation, i.e. lawfully based obligation.
If you log into the Service via a Google or social network account (Service Provider), the collected personal data shall be forwarded to the corresponding Service Provider.
- Direct contact with the Centre
The following personal data is collected upon contact with the Data Controller or its business partner, either by e-mail or telephone: name, surname and e-mail address of the data subject, and the correspondence is archived.
Said data is processed for the purpose of improving our services, more efficient response to enquiries, resolving enquiries regarding a possible business relationship based on an existing or future contractual relationship, and is necessary for the purposes of the Data Controller’s legitimate interests (Article 6, subparagraph 1, point (f) of the General Data Protection Regulation). The data is stored for 5 years following the last instance of contact.
- Video surveillance
The facilities of the Centre are monitored by video surveillance. The purpose of conducting video surveillance and such data processing is compliance with statutory obligations and maintaining legal interests, protection of persons and assets in the Centre, and is based on legitimate interest of Rosis in accordance with the processing (Article 6, subparagraph 1, point (f) of the General Data Protection Regulation). At the same time, said legitimate interest shall not have priority over the interests, fundamental rights or liberties of the data subject. The recorded video is stored for 14 days, expect for cases in which a proper request has been made by a competent authority or where there are legal grounds for storing the recordings for a longer period of time (e.g. when used as evidence in legal or similar proceedings). The stored recordings are erased after the period of storage has expired. Access to recordings is limited to especially appointed employees of the Data Controller, as well as other persons appointed by the manager of the Data Controller, such as employees of the company managing the Centre and employees of the company performing the activities of guarding and protecting the Centre’s facilities.
- Other cases
We may process personal data for the purpose of complying with statutory obligations to which we are bound to adhere (e.g. complying with the Anti-Laundering and Terrorist Financing Act, tax regulations, etc.).
Processing of personal data is also possible if the data subject has provided their express consent in cases where there is no other basis for processing. The data subject has the right to withdraw the given consent at any moment by sending a request to Rosis using its contact information.
The data subject’s rights
One of the fundamental objectives of the General Data Protection Regulation is the protection of individual rights and individual privacy.
As per the General Data Protection Regulation, you are entitled to the following rights:
Right of access
- The data subject has the right to be informed whether Roses processes their personal data, and, if so, they have the right to access (view) their personal data and data concerning the purpose of processing, personal data categories, recipients, recipient categories, period of storage of personal data or the criteria used to determine said period, the existence of their rights as data subjects. If the data should be extensive, Rosis can ask the data subjects for a more specific request for delivery of certain groups of data. The data subject may exercise this right at no charge, except in cases where the request is clearly unfounded or excessive, in which case Rosis maintains the right to charge for the expenses incurred. The data subject’s request may be denied if it should not be legally and statutorily permitted.
Right to rectification
- The data subject has the right to request rectification of incorrect personal data, as well as to supplement incomplete personal data regarding their person. In order to ensure that personal data is up to date and accurate, the data subject should provide the Data Controller with such data immediately.
Right to be forgotten (erasure)
- Under certain circumstances, the data subject may request that Rosis erase their personal data. Erasure of personal data may be requested, for example, in the case of withdrawal of consent for processing of certain data when it is no longer needed for the purpose for which it was initially collected, when the data was processed without valid legal grounds or when such erasure is necessary for the compliance with the Data Controller’s statutory obligations. Personal data cannot be erased if it remains necessary for the fulfilment of statutory or contractual obligations, or other legal grounds as per the General Data Protection Regulation. Where it is possible to erase personal data, it shall be deleted from our system, and only general statistical data which cannot be linked to the data subject’s identity will remain.
Right to restriction of processing
– Under certain circumstances, the data subject has the right to request Rosis to restrict processing of personal data, for example, in the case of submitting an objection to data processing, contesting the accuracy of personal data or conducting processing based on the Data Controller’s legitimate interest.
Right to withdraw consent
- If personal data processing is based on the data subject’s consent, they may withdraw that consent at any moment, in which case Rosis shall cease to use personal data for that purpose, unless there are alternative legal grounds that would justify further personal data processing on which the data subject shall be informed.
Right to data portability
- The data subject has the right to request their personal data to be transferred to another Data Controller, or to be shared with a third party. In such cases, the data subject has the right to receive their personal data, previously submitted to Rosis, in a structured, commonly used and machine-readable format, and has the right to transfer that data to another Data Controller, in cases where the data processed is data submitted by the data subject and the processing was based on consent or contract and was conducted automatically.
Right to object
- The data subject has the right to file an objection to the processing of their personal data in such cases where the processing is performed on the basis of legitimate interest or where it is necessary for the Data Controller to execute a task in the public interest. You may object to data processing at any moment if the processing should be based on the above-mentioned grounds. If there should be no substantiated and justified legal grounds for such processing, we shall erase the data and cease to process it.
If the data subject should wish to exercise any of the above-mentioned rights of withdraw their consent for personal data processing (in cases where the consent represents legal grounds for personal data processing), please contact us. We will store our correspondence in order to resolve any issues in a timely manner.
You can contact us at any time and by any of the following means:
Rosis Unus d.o.o.,
Sv. Križ Začretje, Vrankovec 1.
e-mail: [email protected]
If you should be dissatisfied with the manner in which we collect or use your personal data, you have the right to contact the Croatian Data Protection Agency, at the address Martićeva ulica 14, 10 000 Zagreb, e-mail: [email protected], web: www.azop.hr.
This personal data management policy entered into force on 25 May, 2018.