LogoCinestar

Privacy Statement of BLITZ-CINESTAR d.o.o. for Business Partners, Customers, and Suppliers

General information

  1. BLITZ-CINESTAR LLC, with its headquarters in Blitz-CineStar LLC, Rruga Fehmi Agani 79/8, 10 000 Prishtine, Kosovo, unique ID number: 811930438 (hereinafter: Company and/or Data Controller) collects and processes certain personal data of data subjects in accordance with this Privacy Statement.
  2. Through this Privacy Statement, the Company aims to provide data subjects with clear information about the processing and protection of their personal data and to enable them to easily monitor and manage their personal data and consents.
  3. The Company is committed to protecting privacy and personal data.
  4. If you have any questions regarding the protection of personal data, please contact our Data Protection Officer by email at dhë[email protected]
  5. We reserve the right to change this Privacy Statement at any time, for any reason. Data subjects will be informed of any changes to this Privacy Statement on the website www.cinestarcinemas-ks.eu (hereinafter: Website).
  6. We may occasionally remind you of the Privacy Statement via email, while the valid version of the Privacy Statement is always available on the website.

 

Principles of personal data processing

 

The data controller processes personal data of individuals (authorized persons, employees, or any other persons whose data is provided to the data controller) of its business partners – legal entities and/or natural persons who independently perform economic activity as craftsmen or individual traders (suppliers, customers, and other business partners) in the context of its business processes with business partners (hereinafter: data subjects) based on the following principles of personal data protection:

 

  • Lawfulness, fairness, and transparency – when processing personal data, the company acts in accordance with the law and provides the data subject with easily accessible and understandable information and communication regarding the processing of their personal data;
  • Purpose limitation – the company collects and processes personal data only for a specific and lawful purpose and does not process them in a manner that is incompatible with the purpose for which they were collected;
  • Data minimization – the company uses only those personal data of the data subject that are appropriate and necessary to achieve a specific lawful purpose;
  • Accuracy of personal data – to ensure fair and transparent processing of personal data and prevent potential misuse, personal data must be accurate, complete, and up-to-date. It is extremely important for the data subject to inform the data controller immediately or as soon as possible about any changes to their personal data;
  • Storage limitation – the company stores the data subject’s personal data only for as long as necessary to fulfill a specific purpose and then deletes them from all records, or applies anonymization and/or pseudonymization to them;
  • Integrity and confidentiality – the company processes personal data in a secure manner, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage (e.g., only authorized persons who need it to perform their job have access to the data subject’s personal data, not other individuals).

 

Personal data being processed and use of personal data

 

This Privacy Statement explains:

  • The types of personal data that the Data Controller collects about data subjects;
  • How the Data Controller obtains personal data of data subjects;
  • How the Data Controller uses personal data of data subjects;
  • The legal bases on which the Data Controller uses personal data of data subjects;
  • With whom the Data Controller shares personal data of data subjects;
  • How the Data Controller protects your personal data as a data subject.

 

Types of personal data collected and processed by the Data Controller

 

  1. The data controller collects only those personal data from the data subjects that are necessary for achieving a specific lawful purpose of processing.
  2. The data controller may collect personal data from data subjects when conducting its business, including when data subjects contact the data controller, request information from the data controller, or use the services of the data controller.
  3. The personal data that the data controller collects and processes regarding the data subject include:
  • identification data: name and surname;
  • contact information: the name of the data subject’s employer, the address of the data subject’s employer, email address, mobile phone number, the telephone number of the data subject’s employer;
  • data about the data subject’s job: job title/function;
  • financial data: data on business transactions, bank data, and other data required by accounting and/or tax regulations, etc.;
  • and other data about data subjects that the data subject may provide to the data controller (e.g., by contacting the data controller via email, telephone, etc.).

 

  1. For the purposes of this Privacy Statement, the term “employer” refers to the data subject’s employer in the case of authorized persons, employees, or any other persons who are business partners of the Company, regardless of whether the business partners are legal or natural persons. In the case of business partners who are natural persons who independently carry out economic activities as tradespeople or individual merchants, the term “employer” refers to their independent economic activity (trade, individual merchant).
  2. The data controller does not process special categories of personal data of data subjects revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation nor personal data related to criminal convictions and offenses.
  3. The data controller collects and processes your personal data collected through video surveillance of the Company’s premises for the purpose of ensuring the safety of persons and property.

 

Method of collecting personal data

 

  1. The Company collects personal data of data subjects in various ways, including:
  • as part of the Company’s business processes with business partners;
  • through video surveillance, and
  • when the data subject provides information during direct communication with the Company, including personal communication with the Company’s staff and communication via email addressed to and from the Company.
  1. When the Data Controller collects personal data of data subjects in any of the above-mentioned ways, it uses them solely for the purpose specified to the data subject at the time of collecting such data.

 

Purpose and retention period of personal data.

 

  1. When the Data Controller collects and processes personal data of data subjects, they do so in order to:
  • fulfill their contractual obligations with the company’s business partners;
  • offer the services of the Company and/or its affiliates on the market, including sending invitations to special events and similar materials and occasional gifts to data subjects;
  • protect property and individuals,
  • make available the data that the data subject has requested.

 

A. CONCLUSION AND PERFORMANCE OF CONTRACTS AND BUSINESS ACTIVITIES

 

The data controller, as a provider or contractor of services to its business partners, collects the following personal data about data subjects: identification data, contact information, financial data, and job-related data.

The aforementioned personal data is collected for the purpose of concluding and performing contracts by the data controller as a provider or contractor of services, and for carrying out business processes with business partners that include dispute resolution.

To the extent reasonably necessary in connection with the Company’s services, the data controller may need to share personal data with third parties. Please review the subtitle Persons with whom we share data about data subjects.

Personal data collected for this purpose will be completely deleted from all storage systems of the data controller and its processors (if any) upon the expiry of the statute of limitations for all claims arising from the concluded contract, or later if necessary for a court or other proceeding between the Company and the business partner, or if the data controller is required by law to keep such data for a longer period.

 

B. MARKETING

 

Some of the personal data of the data subjects (name, surname, email address, and company address) are used by the data controller for sending marketing messages, newsletters, email notifications about the Company’s services, or invitations to events organized by the Company or its affiliates for the purpose of promoting them, as well as for sending occasional gifts in order to improve the relationship with business partners.

If you no longer wish to receive the above-mentioned marketing messages, newsletters, or email notifications about the Company’s services, invitations to events organized by the Company or its affiliated companies, or occasional gifts from the Company, you can unsubscribe at any time by sending such a notice to the Company at the email address: dhë[email protected]

Personal data collected for this purpose will be completely deleted from all storage systems of the data controller and its data processors (if any) after the termination of business cooperation between the Company and the individual business partner, or after the data subject unsubscribes as mentioned above, or later if there is a legal obligation for the data controller to retain such data.

 

C. PROTECTION OF PEOPLE AND PROPERTY (VIDEO SURVEILLANCE)

 

The data controller, for the purpose of protecting persons and property, records the space inside and in front of the business premises through a video surveillance system, and the personal data collected through the video surveillance is not used for other purposes.

All areas that are recorded through video surveillance are marked with a sign indicating that the area is under video surveillance in such a way that the sign is visible at the latest upon entering the recording perimeter and contains all the necessary information prescribed by law.

The responsible person of the data controller and/or the person authorized by the data controller has the right to access personal data collected through video surveillance, and such persons cannot use the personal data collected through video surveillance for any purpose other than the protection of persons and property.

The video surveillance system is protected from unauthorized access.

The data controller will establish an automated system of records for logging access to video surveillance footage, which will include the time and place of access, as well as the identification of the persons who have accessed the personal data collected through video surveillance.

Personal data collected for this purpose will be kept for a maximum of 1 month, unless a longer retention period is prescribed by another law or if they are evidence in a judicial, administrative, arbitral or other equivalent proceeding.

 

D. THE FULFILLMENT OF LEGAL OBLIGATIONS OF THE DATA CONTROLLER

 

In addition to everything mentioned above, the data for identification, contact information (name and surname of the business owner, business name, OIB, business address, IBAN, phone/mobile number, e-mail) and financial data of business partners who are natural persons and independently engage in economic activities are processed by the Data Controller for the purpose of fulfilling its legal obligations, such as accounting and bookkeeping regulations.

Personal data collected for this purpose are kept in accordance with the retention periods prescribed by applicable regulations.

 

Bases for personal data processing

 

The data controller processes personal data of data subjects on the basis of the following legal grounds:

  • performance of a contract for the provision of services between the Company and its business partners or other contracts concluded between the Company and its business partners;
  • legitimate interests of the data controller for: determining, resolving disputes and conducting proceedings between business partners and the Company, sharing personal data with affiliated companies of the data controller and third parties as detailed in this Privacy Statement, as well as for sending marketing messages, newsletters, event invitations and gifts, protecting the property and individuals of the Company through video surveillance;
  • explicit consent of the data subjects for receiving marketing messages, newsletters, email notifications about the services of the Company or invitations to events organized by the Company and/or affiliated companies and/or gifts;
  • fulfillment of legal obligations of the data controller in relation to transactions with business partners.

 

The people with whom the data controller shares your personal dana

 

The Controller processes the personal data of the data subjects on the following legal grounds:

  • Performance of a contract for the provision of services between the Company or another contract concluded between the Company and its business partners;
  • Legitimate interests of the Controller, including: establishment, exercise or defense of legal claims between the business partners and the Company, sharing personal data with the Controller’s affiliated companies and third parties as detailed in this Privacy Statement, sending marketing messages, newsletters, event invitations, and gifts, protecting the property and persons of the Company through video surveillance;
  • Explicit consent of the data subjects to receive marketing messages, newsletters, e-mail notifications of the Company’s services, or invitations to events organized by the Company and/or affiliated companies and/or gifts;
  • Compliance with legal obligations of the Controller regarding transactions with business partners.

The Company’s data that the Controller processes may be shared with the Controller’s affiliated companies: Blitz d.o.o. from Zagreb, Kamenarka 1, Vox Komunikacije d.o.o. from Zagreb, Ulica Vice Vukova 6, and Duplicato Media d.o.o. from Zagreb, Kamenarka 1, based on the Controller’s legitimate interest, who may also process them.

The Company may share the data subjects’ personal data with third parties – business partners in accordance with contractual obligations it has with them. This represents the legitimate interest of the Controller. Such third parties include:

  • professional advisers and auditors,
  • third-party suppliers engaged by the Company to provide services on behalf of and for the account of the Company, including IT service providers, event organizers; and
  • other third parties engaged by the Company to provide services to you, including courier services, lawyers, experts, and translators.

The list of business partners of the Controller can be found under the Business partners section.

The Controller may also share personal data with supervisory authorities, courts or government agencies when such sharing is necessary, including to comply with all legal requirements. Unless prohibited by law, the Company will make reasonable efforts to notify the data subject in advance of such disclosure of their personal data.

The Company does not allow the personal data of the data subjects to be made available to third parties for the purpose of offering third-party products and services, unless the data subject has given their explicit consent for this purpose.

The Company does not transfer the personal data of the data subjects outside the European Union.

 

Protection of your personal data

 

  1. The company takes the protection of personal data seriously and has taken various precautions to protect the personal data of data subjects.
  2. In accordance with applicable laws on the protection of personal data, the company uses technical and organizational measures to protect personal data from unauthorized access, use, disclosure, or destruction.
  3. To protect the personal data and privacy of users, the company implements appropriate physical, technical, and organizational security measures. Security maintenance and testing are performed on a regular basis. The company limits access to data subjects’ data in such a way that only authorized personnel who are directly involved in providing or maintaining the service, as well as improving the quality and billing of the service, have access to it. In addition, the company continuously trains its staff on the importance of confidentiality and maintaining the privacy and security of personal data, and engages partners who contract appropriate protection measures.

 

The rights of the data subjects

 

  1. Complaints – The data controller seeks to ensure the highest standards in processing personal data and takes every complaint from data subjects seriously.
  2. If you believe that the processing of your personal data carried out by the data controller is contrary to the provisions on personal data protection, please notify us in writing at the data controller’s address or by e-mail: dhë[email protected] . You may also submit your complaint to the supervisory authority – Information and Privacy Agency, Str. Zejnel Salihu, no.22, Prishtina, Kosovo .
  3. Right of access: Each data subject has the right to obtain details about the personal data processed by the data controller in relation to them and the manner in which it is processed.
  4. Right to rectification: If the data controller processes your personal data which is incomplete or inaccurate, you may request that it be corrected or completed at any time. Please inform us of any changes to your personal data via e-mail: dhë[email protected]  so that we can update your data.
  5. Right to erasure (“right to be forgotten”): You may request the erasure of your personal data from the data controller if it has been processed unlawfully or if such processing constitutes an excessive intrusion into your protected interests. Please note that there are reasons that may prevent immediate erasure, such as legal obligations to archive data.
  6. Right to restriction of processing: You may request that the data controller restrict the processing of your data:
  • If you dispute the accuracy of the data during the period that enables the data controller to verify the accuracy of the data;
  • If the processing of data was unlawful, but you refuse erasure and instead request restriction of data processing;
  • If the data is no longer required for the intended purposes, but is still necessary for the establishment, exercise, or defense of legal claims; or
  • If you have objected to the processing of such data.
  1. Right to data portability: You may request the data controller to provide you with the data you have entrusted to them in a structured, commonly used, and machine-readable format: • If the processing is based on your consent, which you may revoke, or for the performance of a contract; and
  • If the processing is carried out by automated means.
  1. In certain circumstances, each data subject also has the right to request the cessation of any unauthorized transfer of their personal data to third parties and to demand that the data controller does not transfer personal data relating to them to third parties.
  2. Exercise of rights: If you wish to exercise any of the above rights, please contact us using our contact details: BLITZ-CINESTAR LLC with its registered office in Kosovo, Prishtina, 10 000,  Rruga Fehmi Agani 79/8, e-mail address: dhë[email protected]
  3. Identity confirmation: In case of doubt, we may request additional information to verify your identity. This serves to protect your rights and privacy.
  4. Abuse of rights: If you use any of the above rights with an obvious intention of abuse, the data controller may charge an administrative fee or refuse to process your request.
  1. When you object to the processing of your personal data by the Data Controller or when you withdraw your previously given consent, there is a possibility that the Company will not be able to achieve the processing purposes stated in this Privacy Statement or that you will not be able to use our services. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
  2. When you object to the processing of your personal data by the Data Controller or when you withdraw your previously given consent, it is important to understand that the Company may still continue to process your personal data to the extent necessary or otherwise permitted by law.

 

Consequences of not providing personal data and managing consents

 

  1. If you notify the Company that you no longer wish to receive marketing messages, newsletters, or email notifications about the Company’s services or invitations to events organized by the Company or its affiliated companies and/or promotional gifts, or if you withdraw your consent given for such purposes, you will no longer receive our marketing messages, newsletters, or email notifications about the Company’s services.
  2. You may revoke the consent you have given to the Company for a specific processing purpose at any time, in which case we will no longer use your personal data collected on the basis of the consent for the stated purposes.
  3. You can change your consent by using the web interface or by sending an email to the email address dhë[email protected]

 

Business partners of Blitz CineStar LLC

 

POSitive LLC
Span d.o.o.
Globaldizajn d.o.o.
Microlab d.o.o.