GENERAL INFORMATION
- The company BLITZ-CINESTAR LLC, based in Rruga Fehmi Agani 79/8, 10 000 Prishtine, Kosovo, unique ID number: 811930438 (hereinafter: the Company and/or the Data Controller) collects and processes certain personal data from you in accordance with this Privacy Statement
- Through this Privacy Statement, the Company aims to ensure fair and transparent processing and provide clear information to users of its services on the processing and protection of their personal data, as well as enable them to easily monitor and manage their personal data and consents.
- The company is committed to protecting privacy and personal data.
- If you have any questions regarding the protection of personal data, please contact our Data Protection Officer by email at dhë[email protected]
- We reserve the right to change this Privacy Statement at any time, for any legitimate reason. Users will be notified of any changes to this Privacy Statement on the website www.cinestarcinemas-ks.eu (hereinafter: the Website).
- We may occasionally remind you of the Privacy Statement via email, while the valid version of the Privacy Statement is always available on the Website.
- By entering into force of this Privacy Policy, the General Terms of Personal Data Protection and the Use of “Cookies” (Cookie policy) are repealed and no longer valid.
- This statement comes into force on the day of publication on the Website and applies from May, 2023.
Personal data processed and use of personal data
This Privacy Policy explains:
- The types of personal data the data controller collects about you;
- How the data controller obtains your personal data;
- How the data controller uses your data;
- The legal basis on which the data controller uses your personal data;
- Who the data controller shares your personal data with;
- How the data controller protects your personal data.
- Types of personal data collected and processed by the Controller
The data controller collects only personal data that is necessary to achieve a specific lawful processing purpose. - The data controller may collect your personal data when conducting its business, including when you contact the data controller, request information from the data controller, use the data controller’s website, or use the data controller’s services.
- The personal data that the data controller collects and processes from website users and/or Stars Club members (hereinafter referred to as “Respondents”) include:
- personal identification data: name, surname, date and year of birth, gender;
- user data: username, password, and Stars Club ID number;
- contact data: residence address, place and postal code, e-mail address, phone number, and mobile phone number;
- history of purchasing data from the data controller’s services;
- technical data (number of website visits, or receipt and use of materials and communications sent to the Respondent by the data controller electronically) collected through cookies;
- data on transactions performed through the website (name, surname, residence address, phone number or mobile phone number, e-mail address, IP address, partial bank card number, amount, time, and location of the transaction);
- and other data that the Respondent may provide to the data controller.
- For the purpose of performing the contract for organizing a birthday party, the data controller may collect personal identification data, including the name and surname, and the date and year of birth of the child (celebrant) provided to the data controller by the child’s legal representative (parent or guardian). The data controller uses the child’s personal data exclusively and only for the purpose of performing obligations under the aforementioned contract and does not use or forward them to any third party for any other purpose. The personal data of the child are deleted no later than two months from the date of the data controller’s service provision.
- For the purpose of performing the contract for providing the service “Your private cinema” or “Gaming hall”, the data controller may collect personal identification data, including the name and surname, address, personal identification number (unique ID number/personal identificaton number), e-mail address, and mobile phone number. The data controller uses the aforementioned personal data exclusively and only for the purpose of performing obligations under the aforementioned contract and does not use or forward them to any third party for any other purpose.
- For the purpose of ensuring the safety of people and property, the data controller collects and processes your personal data collected through video surveillance.
- The data controller does not process special categories of personal data of the Respondents revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health, or data concerning a person’s sex life or sexual orientation, nor personal data concerning criminal convictions and offences.
Method of collecting personal dana
- The Data Controller collects personal data from the Data Subject in various ways, including:
- as part of the Company’s business processes (inspection of identification documents, such as ID cards and student IDs or other documents that confirm the student status, pension receipt confirming the retirement status), and during the fulfillment of the Company’s obligations under the contracts for the sale of Company’s services or other contracts concluded between the Company and the Data Subject (such as a contract for catering storage), especially in relation to the reservation and purchase of tickets and other CineStar services;
- by accessing the Stars Club membership and during the management of the Data Subject’s membership rights;
- during the monitoring of the Website, including email communication sent to and from the Company;
- by registering for one of our contests;
- when the Data Subject provides information during direct communication with the Company, including personal communication with Company staff and online communication via the website or email;
- through the mobile application (iCineStar) and
- from third parties (including, for example, Facebook and other social networks)
- through video surveillance.
- When the Data Controller collects your personal data in any of the ways mentioned above, they use them solely for the purpose stated at the time of collecting that data.
- Depending on the types of activities, some requested data are specified as mandatory, while others are voluntary. If you do not provide mandatory data for an activity that requires them, you will not be allowed to participate in that activity.
Purpose and period of retention of personal data
- When the Controller collects and processes personal data, it does so in order to:
- fulfill its obligations under the contract for the sale of Company’s services or other contracts concluded between the Company and the Data Subject (e.g. contract for catering services applicable to items left in Company’s cinemas);
- offer Company’s services on the market, including sending publications and event details to Data Subjects, as well as invitations to events organized by the Company;
- improve Company’s services, measure satisfaction with Company’s services and conduct prize competitions;
- manage relationships with Data Subjects and other persons in the course of its business;
- make data requested by the Data Subject available;
- manage Stars Club membership;
- protect persons and property (through video surveillance);
- and fulfill any of its legal obligations;
- carry out analysis and administration of the Website, including monitoring its use.
A. SALE OF COMPANY SERVICES
The data controller as a service provider processes the following personal data of service users (data subjects): name, surname, date and year of birth, residential address, place, postal code, gender, telephone number, mobile phone number, and email address, as well as transaction data (name, surname, residential address, telephone number or mobile phone number, email address, IP address, partial bank card number, amount, time, and location of the transaction). The data controller also processes the data of registered service users who are also members of the Stars Club memberships, including their username, password and membership number.
The aforementioned personal data is collected for the purpose of concluding and performing the contract for the sale of services of the Company (reservation and/or purchase of cinema tickets, reservation and/or purchase of other services of the Company) or other contract concluded between the Company and the Data Subject (e.g. in the case of a catering agreement – name, surname, e-mail address and/or telephone number or mobile phone number of the Data Subject) by the Data Controller as the service provider, and for the execution of business processes which include resolving requests from users (Data Subjects) and disputes with service users (Data Subjects).
To the extent reasonably necessary in connection with the Company’s services, it may be necessary for us to share personal data with third parties. Please review the section of this Statement entitled “Persons with whom the Data Controller shares Your Personal Data.
Personal data collected for the purpose of fulfilling the contractual obligations of the data controller, in general, in the case of registered users, users who request the services of Your Private Cinema or Gaming Hall, and members of the Stars Club memberships (Data Subjects), are kept until the registered user or Stars Club member (Data Subject) requests the deletion of their user account, in which case only data on completed transactions may be further processed to fulfill requirements deriving from tax and accounting reporting. The data controller does not keep personal data of unregistered users (Data Subjects), except for data on completed transactions, which may be kept for longer period. Data on transactions are kept for a longer period due to the legal obligation of the data controller in accordance with applicable accounting regulations. As exceptions to the aforementioned rule:
- The Controller shall keep the completed request form for birthday celebrations, Your private Cinema or Private Gaming service in electronic format with the Personal Data of the Data Subject for a maximum of two months from the date of the provided service, after which it shall be deleted or destroyed.
- In the case of exceptional group screenings and group discounts service, the Controller shall keep the Personal Data of the Data Subject contained in the request for the said service for one year from the date of service provided, after which it shall be deleted or destroyed.
- The Controller shall keep the Personal Data of the Data Subject under the contract for hospitality services until the moment of lost property retrieval, after which it shall be deleted or destroyed.
- Personal data of the Data Subject used by the Controller to inform about changes or cancellations of the screening schedule (name, surname, telephone number and/or mobile phone number, email address) shall be destroyed at the end of the day on which the notification was sent to the Data Subject.
B. MARKETING AND DEVELOPMENT OF COMPANY SERVICES
The personal data that you have provided to the Data Controller during registration (name, surname, date and year of birth, gender, home address, city and postal code, phone number, mobile phone number, and email address) may be used by the Data Controller to determine whether:
- You read emails or other materials from the Company, including newsletters, by downloading attachments in emails or opening links;
- You open web links, unsubscribe links, or links to events included in email messages and marketing materials of the Company;
- You visit and how you visit the page after opening the links provided to you by the Company. We do this by using software that sets cookies on your device that track and record this activity. Please check our Cookie Notice for more information on how to manage and remove cookies.
Some of the personal data of the respondents (name, surname and email address) are used by the data controller for sending marketing messages, newsletters, email notifications about the services of the Company to the members of the Stars Club and users of the Company’s services, provided that the respondent has given their consent for this.
If you no longer wish to receive the above-mentioned marketing messages, newsletters, or email notifications about the services of the Company, you can unsubscribe at any time on the website www.cinestarcinemas-ks.eu by clicking on the unsubscribe link at the bottom of each newsletter or by sending an email to: dhë[email protected].
The data controller may use personal data of the respondent (name, surname, email address, and gender) for sending invitations to events organized by the Company and/or related companies of the data controller for the purpose of their promotion.
When the Company organizes prize contests for its promotion, it may request from you, in addition to identification data, some additional personal data defined by the rules of the contest.
The data controller stores the personal data collected for this purpose insofar as necessary to achieve the purpose for which are collected/processed or until the respondent withdraws their consent (if required for a particular purpose for which personal data were collected), after which they delete or destroy them. Exceptionally, with regard to personal data collected for the purpose of a prize contest, the data controller stores the personal data of the respondent only for as long as is necessary to achieve the purpose for which they were collected, but not longer than six months from the moment of awarding the prize, after which they delete or destroy them.
C. CUSTOMER RELATIONSHIP MANAGEMENT
The data controller, as the provider of services of the website, processes the following personal data for the purpose of visiting the website, registration, or opening a user account for registered users of the website, solving problems, carrying out administrative tasks, and/or establishing contact with website users: first name, last name, email address, residential address, city, postal code, phone number, mobile phone number, gender, username, Loyalty Club card number, password, date, and year of birth.
Additionally, the Company uses cookies on the Website. Please check our Cookie Notice.
Personal data collected for this purpose is kept permanently for registered users and members of the Stars Club (Data Subjects), or until the registered user or Stars Club member (Data Subject) requests deletion of their user account.
D. STARS CLUB MEMBERSHIP
The data provided by the user during registration, such as name, surname, date and year of birth, phone number, mobile phone number, email address, residential address, postal code, and gender, are processed by the data controller for the purpose of fulfilling the rights of the Stars Club members.
Personal data collected for this purpose is stored permanently for registered users (data subjects), or until the user (data subject) requests the deletion of their user account.
E. PROTECTION OF PERSONS AND PROPERTY (VIDEO SURVEILLANCE)
The data controller, for the purpose of protecting individuals and property, records the interior and exterior of cinema halls through a video surveillance system, and the personal data collected through video surveillance is not used for any other purpose.
All areas recorded through video surveillance are marked with a notice that the area is under video surveillance, in a manner that is visible at the latest upon entering the recording perimeter, and contains all necessary information prescribed by law.
The right to access personal data collected through video surveillance belongs to the responsible person of the data controller and/or the person authorized by them, and those same individuals cannot use the personal data collected through video surveillance for any other purpose except for the purpose of protecting individuals and property.
The video surveillance system is protected from unauthorized access.
The data controller will establish an automated system for recording access to video surveillance footage, which will contain the time and place of access, as well as the identification of the persons who accessed the data collected through video surveillance.
Personal data collected for this purpose will be kept for a maximum of 1 month, unless a longer retention period is prescribed by other laws or if they are evidence in a judicial, administrative, arbitration, or other equivalent procedure.
F. Fulfillment of legal obligations of the data controller
In addition to the foregoing, the Data Controller processes personal data of the Data Subject such as name, surname, address of residence, place of residence, postal code, date and year of birth, telephone number and/or mobile phone number, and email address, in order to fulfill its legal obligations, such as those arising from accounting and bookkeeping regulations, as well as consumer protection regulations.
Personal data collected for this purpose are stored in accordance with retention periods prescribed by applicable regulations.
Bases for processing personal data
The data controller processes your personal data based on the following grounds:
- performance of a contract for the sale of services between the data subject and the controller (e.g. contract for storage services, membership contract in the Stars Club, etc.);
- legitimate interest of the data controller, namely for: providing and managing the website, resolving disputes and proceedings between the data subject and the controller, sharing personal data with affiliated companies and third parties as detailed in this Privacy Statement, sending invitations to events organized by the controller, monitoring users’ habits to improve services, and video surveillance;
- explicit consent of the data subject for receiving marketing messages, newsletters, email notifications about the services of the controller, participation in prize draws, and
- compliance with legal obligations of the data controller.
Persons with whom the data controller shares your personal data
The data you provide to the Company may, based on the legitimate interest of the Data Controller, be shared with the affiliated companies of the Data Controller who may also process them. The affiliated companies of the Data Controller are:
- Blitz d.o.o.
- VOX komunikacije d.o.o.
- Duplicato Media d.o.o.
- POSitive
The company may share your personal data with third parties in accordance with contractual obligations it has with them. This represents the legitimate interest of the data controller. Such third parties (business partners of the data controller) include:
- professional advisors and auditors,
- suppliers that the company engages to perform services on behalf of and for the account of the company, including IT service providers, event organizers; and
- other persons that the company engages in order to provide services to you, including courier services, lawyers, experts, and translators.
The controller may share personal data with supervisory authorities, courts or government agencies when such sharing is necessary, including to comply with all legal requirements. Unless prohibited by law, we will make all reasonable efforts to notify you in advance of such disclosure of your personal data by the Company.
The Company does not allow your personal data to be made available to third parties for the purpose of offering third-party products and services, unless you have given your express consent for this purpose.
Protection of your personal data
- The company takes the protection of personal data seriously and has taken various precautions to protect your personal information. The survey participant can access their personal data on the website using a password and username/e-mail address.The participant’s password is encrypted. It is recommended that the participant not disclose the password to anyone. In addition, the participant’s personal identification data is stored on a server that can only be accessed by selected individuals and service providers. The company encrypts certain sensitive information using Secure Socket Layer (SSL) technology to ensure the participant’s personal data is secure. You are responsible for the security of your password, and you should change it periodically. Your password must not be simple and must contain at least 8 characters (numbers and letters, at least one uppercase letter, one lowercase letter and one symbol). They must not contain personal information (name, surname, email, home address, phone number, date of birth), consecutive or identical numbers, consecutive or identical letters, and also words such as “password,” “passcode,” “CineStar,” “cinestar,” etc. The system will not allow you to change your password or log in with the same one if it does not meet the security requirements.
- Unfortunately, no data transmission over the Internet or any wireless network can be 100% secure, and the company cannot guarantee the protection of any information transmitted to or from the website and is not responsible for the actions of any third party who may gain access to such data.
- In accordance with applicable data protection laws, the company uses technical and organizational measures to protect personal data from unauthorized access, use, disclosure, or destruction.
- To protect the participant’s personal data and privacy, the company implements appropriate physical, technical, and organizational measures of protection. The aforementioned security maintenance and testing is carried out on a permanent basis. The company limits access to the participant’s data to authorized individuals who work directly on the provision or maintenance of the service, and on improving the quality and billing of the service. In addition, the company continually trains its staff on the importance of confidentiality and maintaining the privacy and security of personal data and engages partners with whom appropriate protective measures are contracted.
- The data controller adheres to internationally recognized PCI DSS standards with regard to credit/debit card transactions, internal security procedures for document and email system management, and maintenance infrastructure in all company premises.
Rights of the data subject
- Filing a complaint – The data controller strives to ensure the highest standards when processing personal data and takes seriously the resolution of each complaint from data subjects. If you believe that the processing of your personal data by the data controller violates data protection regulations, please inform us in writing at the data controller’s address (Blitz-CineStar LLC, Rruga Fehmi Agani 79/8, 10 000 Prishtine, Kosovo, attn: data controller – do not open) or via email: dhë[email protected] . You can also file a complaint with the supervisory authority – the Information and Privacy Agency, Str. Zejnel Salihu, no.22, Prishtina, Kosovo .
- Right of access: Every data subject has the right to request details about the personal data that the data controller processes in relation to them and how they are processed.
- Right to rectification: If the data controller processes your personal data that are incomplete or inaccurate, you can request at any time that they be corrected or supplemented by the data controller. Please inform us of any changes to your personal data by email: dhë[email protected] , so that we can update your information.
- Right to erasure (“right to be forgotten”): You can request the erasure of your personal data from the data controller if they have been processed unlawfully or if such processing represents a disproportionate interference with your protected interests. Please note that there are reasons that may prevent immediate deletion, such as legally prescribed archiving obligations.
- Right to restriction of processing: You can request the restriction of the processing of your data by the data controller:
- if you contest the accuracy of the data for a period that allows the data controller to verify the accuracy of the data;
- if the processing of the data was unlawful, but you refuse to have it deleted and instead request the restriction of the processing of the data;
- if the data is no longer needed for the intended purposes, but you still need it to establish legal claims; or
- if you have objected to the processing of the data.
- Right to data portability – You may request the Data Controller to provide you with the data you have entrusted to them in a structured, commonly used, and machine-readable format:
- if the data is being processed based on your consent, which you can withdraw, or for the performance of a contract; and
- if the processing is carried out by automated means
- Under certain circumstances, each data subject also has the right to request the cessation of any unauthorized transfer of their personal data to third parties and to demand that the data controller does not transfer personal data relating to them to third parties.
- Exercising your rights: If you wish to exercise any of the aforementioned rights, please contact us using the contact details provided in Article 1 of this Statement.
- Confirmation of identity: In case of doubt, we may request additional information to verify your identity. This is to protect your rights and privacy.
- Abuse of rights: If you use any of the aforementioned rights with an obvious intention of abuse, the data controller may charge an administrative fee or refuse to process your request.
- When you object to the processing of your personal data by the data controller or when you withdraw your previously given consent, there is a possibility that the Company will not be able to achieve the purposes of processing stated in this Privacy Statement or that you will not be able to use our services. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- When you object to the processing of your personal data by the data controller or when you withdraw your previously given consent, it is important to understand that the Company may still continue to process your personal data to the extent necessary or otherwise permitted by law.
Consequences of not providing personal data and management of consents
- In case you do not provide personal data that the Company requests for the purpose of concluding and exercising rights from a contract of sale of our services or other contracts between the Company and the data subject, the contract cannot be concluded since the Data Controller will not be able to perform the contract.
- User registration is not possible if the Data Subject does not want to provide their personal data, such as email, and set a username and password. Without registration, a range of website services is not available, such as purchasing and booking tickets.
- If you do not give consent or withdraw consent for receiving our marketing notifications, you will not receive our marketing messages, newsletters, email notifications about the Company’s services, or surveys that the Company sends to improve its services.
- You can revoke the consent given to the Data Controller for a specific purpose of processing at any time, in which case your personal data collected based on the consent will no longer be used for the stated purposes.
- You can give or withdraw consent by sending an email to the email address dhë[email protected] or by sending a written request to the Data Controller’s address.
- If you want to give your consent again, you can do so by sending an email to the email address dhë[email protected] or by sending a written request to the Data Controller’s address.
Confidentiality of third-party data
- This Privacy Statement applies only to the use and handling of data that the Data Controller collects from the data subjects. Other websites that can be accessed through the Website have their own privacy statements and data collection, usage, and disclosure practices. If you visit one or more of these websites through the Website, we recommend that you review their privacy statement. The Company is not responsible for the practices and terms of operation of third parties.
Notice regarding the use of cookies (so-called “cookies”)
- We would like to inform you that our Company uses cookies on its website.
- Cookies are text files that are stored on a visitor’s computer. We use cookies to ensure the proper functioning of all functions of the website that are necessary for the normal functioning of the website and without which it is not possible to access the website. Such cookies cannot be excluded or deleted because without them the website would not function properly. However, these cookies (ASP.NET Sessionld) do not store any personal data, but only technical data necessary for the proper functioning of the website.
- In addition to the necessary cookies for the functioning of the website, the Company also uses cookies that allow for the recognition of users when revisiting the website in order to personalize certain content specifically for you, and we use software for website analysis to analyze the use of the website. This allows the Company to gain valuable knowledge about the needs of its users, with the aim of improving the quality of its offerings.
- The aforementioned analysis software also collects and stores some technical data, including the user’s IP address. Personal data collected by these cookies include: centartab (selected center), EUCookie (cookie bar indicating if you have read it), CookieWarningAgreed, deadpoolBanner (if the banner has been displayed).
- Furthermore, third-party cookies (such as Google Analytics, Facebook, etc.) may also be present on the website, as well as advertising cookies and similar links, which may also collect certain personal data about you. These cookies are not set or controlled by the Company. For more information on how third parties use cookies and how you can manage them, please visit the relevant third-party websites. Third-party cookies used on the website include: Google Analytics – a service for measuring website traffic.
- Cookies for analysis, third-party cookies, advertising cookies, and similar cookies can only be stored on your computer with your explicit consent. Such cookies can usually be disabled or deleted through the appropriate browser settings.
- You can manage cookies by selecting settings in your browser menu. You can always withdraw your consent for the use of cookies in the same way, by selecting settings in your browser menu.
- Most web browsers accept cookies, but you can usually change your browser settings to reject new cookies, disable existing ones, or simply be notified when new cookies are sent to your device.
- To set your browser to reject cookies, please refer to the instructions provided by your browser provider (usually found under the “Help”, “Tools” or “Edit” menus).
- Please note that certain functionalities of the Website may be lost if you reject or disable cookies. In addition, disabling cookies or cookie categories does not delete cookies from your browser. You must do this manually in your browser menu.
- We do not share your personal data collected through cookies with third parties without your explicit consent. Google Analytics stores this data permanently, and users can delete it at any time.
- Rights of data subjects and other information regarding the personal data collected about you through cookies can be found in the Privacy Policy.