1. General provisions
1.3. The Controller observes the principles relating to personal data processing provided by legislation and, among other things, processes personal data in a lawful, fair, and secure manner. The Сontroller is able to declare that personal data has been processed in accordance with the provisions of the legislation.
2. Collection, processing, and storage of personal data
The companies’ privacy/data policy, which is one of the purposes of data processing (for online shopping, delivery, digital receipts, etc.) provides decisions regarding users in case the purchased product is subject to recall or if there are any other problems with it. Thus, when consumers accept the terms of registration to make online purchases, product deliveries, or digital receipts, they simultaneously give their consent to the processing of their data for this purpose. If the operator needs a recall protocol, then there is no prevention in using customer data to communicate directly with the subjects affected by the recall.
2.1. The personal data collected, processed, and stored by the Controller has been collected electronically, mainly via the website and e-mail.
2.4. The Controller is not liable for any damage or loss caused to the data subject or a third party as a result of the submission of false data by the Data subject.
3. Processing of personal data of customers
3.1. The Controller may process the following personal data of the Data subject:
3.1.1. Name and surname;
3.1.2. Date of birth;
3.1.3. Telephone number;
3.1.4. E-mail address;
3.1.5. Delivery address;
3.1.6. Transaction data (purchased product, price, payment information, etc.).
3.1.7. Any other information submitted to the Controller during the purchase of the services and goods offered or by contacting the Controller.
3.2. In addition to the foregoing, the Controller has the right to collect data about the customer that are available in public registers.
3.3. The legal basis for the processing of personal data points (a), (b), (c) and (f) of Article 6(1) of the General Data Protection Regulation:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the Controller is subject;
(f) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data subject which require protection of personal data, in particular where the Data subject is a child.
3.4. Processing of personal data according to the purpose of processing:
3.4.1. Purpose of processing – security and safety. The maximum period of storage of personal data – according to
the terms specified by law.
3.4.2. Purpose of processing – the processing of orders. Maximum period of storage of personal data – during 1 year period.
3.4.3. Purpose of processing – ensuring the functioning of Online store services. Maximum period of storage of personal data – during 1 year period.
3.4.4. Purpose of processing – customer management. Maximum period of storage of personal data – during 1 year period.
3.4.5. Purpose of processing – financial activities, accounting. Maximum period of storage of personal data – according to the terms specified by law.
3.4.6. Purpose of processing – marketing. Maximum period of storage of personal data – during 1 year period. Upon termination of the circumstances specified in this paragraph, the personal data of the Data subject also expires, and all relevant personal data are permanently deleted from computer systems and electronic and / or paper documents containing the relevant personal data, or these documents are depersonalized.
3.5. The Controller has the right to share personal data of customers with third parties such as processors, accountants, transport and courier companies, providing transfer services. The Controller is in charge of the processing of personal data. The Controller transmits the personal data necessary for making payments to the processor, Maksekeskus AS. Upon request, the Data Controller may transfer the personal data of the Data Subject to state and law enforcement authorities in order to defend their legal interests, if necessary, by drawing up, submitting and defending legal claims.
3.6. The Сontroller processes and stores personal data of the Data subject to implementing the organizational and technical measures to ensure that the personal data is protected against any accidental or unlawful destruction, alteration, disclosure, and any other unlawful processing.
3.7. The Controller stores the data of the Data subjects depending on the purpose of processing, but no longer than for 2 years.
4. Rights of the Data subject
4.1. The Data subject has the right to gain access to and examine their personal data.
4.2. The Data subject has the right to obtain information on the processing of their personal data.
4.3. The Data subject has the right to request the correction of incorrect, inaccurate or incomplete personal data.
4.4. If the Controller processes personal data of the Data subject based on the consent granted by the latter, the Data subject has the right to withdraw their consent at any time.
4.5. To exercise their rights, the Data subject can contact the customer support of the Online store at: firstname.lastname@example.org
4.6. To protect their rights, the Data subject can file a complaint with the Data Protection Institution.
5. Final provisions