Personal data protection

PERSONAL DATA PROCESSING TERMS AND CONDITIONS

of e-shop www.goriffee.com

With effect from 25 May 2018, all personal data has been processed in compliance with the Regulation (EU) of the European Parliament and Council no. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the personal data processing and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation – hereinafter referred to as the “Regulation”).

CONTROLLER: Goriffee s.r.o., Gabčíkova 8, 841 05 Bratislava, Slovenská republika, company ID no. 52145123, (hereinafter referred to as the “Controller”) operates the e-shop https://goriffee.com/.

1. PERSONAL DATA PROTECTION POLICY

Your personal data will be stored securely in compliance with the Controller´s security policy for the time necessary to meet the purpose of the processing.

Access to your personal data will be restricted to the persons authorized by the Controller to process personal data in compliance with the Controller´s security policy and/or to the processors appointed by the Controller, who process personal data based on the Controller´s instructions and on the Controller´s behalf. Your personal data will be backed up in compliance with the Controller´s retention rules.

Where your personal data is backed up in backup repositories, the data will be deleted in accordance with individual backup policies. The data stored in backup repositories serves to address security incidents, in particular, disruption of data availability due to a security incident.

2. PURPOSE OF PERSONAL DATA PROCESSING

The Controller processes your personal data for the following purposes depending on your status arising based on the activities carried out on the website https://goriffee.com/ and purchase of goods:

Ordering of goods/service, entering into a distance contract, payment processing, delivery of goods/service, and provision of other performance under the General Business Terms and Conditions
The Controller processes personal data for the following purposes: settlement of goods orders, delivery of goods, and due fulfilment of contractual obligations in compliance with the GBTC.
Legal basis

Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 6 (1) b) / processing is necessary for the performance of a contract to which the data subject is a party or where, based on the request of the data subject, it is necessary to take measures before entering into a contract /.

Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 6 (1) f) / the Controller´s legitimate interest / The main legitimate interest is the Controller´s interest in performing the contract in case of delivery to a different address;

Personal data category

regular personal data / name; surname; invoicing / delivery address; telephone number; e-mail; the data contained in the note to the order; payment data (card data); data concerning the addressee who is to receive a shipment /

Personal data retention period until erasure

6 months from the end of the contractual relationship

Registration, records concerning clients / e-shop customers
If you decide to register and create an account within our e-shop, the Controller will process your personal data for this purpose on the basis of your consent throughout the consent term and in compliance with the following requirements:
Legal basis

Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 6 (1) (a) / the data subject has consented to the processing for one or more specific purposes /

Personal data category

regular personal data / login data; name; surname; e-mail; invoicing / delivery address; payment details (card details); data concerning realized purchases and orders /

Personal data retention period until erasure

the consent term: the consent term is 60 months from the date of the last logging in by the registered person

Quotation request – wholesale
The Controller processes personal data of those interested in wholesale quotations and cooperation in compliance with the following requirements:
Legal basis

Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 6 (1) b) / processing is necessary for the performance of a contract to which the data subject is a party or where, based on the request of the data subject, it is necessary to take measures before entering into a contract /.

Personal data category

regular personal data /name, e-mail, telephone number, other data provided by the data subject via a form/

Personal data retention period until erasure

6 months from the delivery of the request or end of the contractual relationship

Sending of business announcements – marketing communication
The Controller will process your personal data for the purposes of sending marketing and business notices based on your consent and in compliance with the following requirements:
Legal basis

Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 6 (1) (a) / the data subject has consented to the processing for one or more specific purposes / or

Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 6 (1) (f) / the Controller´s legitimate interest / The main legitimate interest involves satisfaction surveys and other marketing communication with customers

Personal data category

regular personal data / e-mail address; data entered into an unfinished order (e.g., goods entered into the cart, delivery address, …) /

Personal data retention period until erasure

60 months from the consent date where the processing is based on your consent;

throughout the period necessary for a customer satisfaction survey and subsequent marketing communication in connection with a completed purchase

Contact form
The Controller processes personal data of data subjects in order to contact them via the contact form.
Legal basis

Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 6 (1) (f) / the Controller´s legitimate interest / The main legitimate interest is communication with clients and visitors to the store

Personal data category

regular personal data / email address, name, the data provided by the data subject within message content, if any /

Personal data retention period until erasure

until settlement of the data subject´s request

Other purposes of data processing:

Records and settlement of complaints
Data subject categories

Client/customer

Legal basis

Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 6 (1) (c) / a legal obligation under Act No 250/2007 on consumer protection and on amendments and supplements to certain acts, as amended /

Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 6 (1) b) / processing is necessary for the performance of a contract to which the data subject is a party or where, based on the request of the data subject, it is necessary to take measures before entering into a contract /.

Personal data category

name, surname, address, e-mail address, telephone number, other data necessary for complaint settlement (data concerning the goods subject to a complaint)

Personal data retention period until erasure

5 years after the end of the complaint procedure

Bookkeeping, accounting and tax records processing
Data subject categories

persons specified in accounting documents

Legal basis

Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 6 (1) (c) / a legal obligation resulting from Act No 595/2003 on income tax, as amended, and Act No 431/2002 on accounting, as amended /

Personal data category

personal data contained in accounting and tax documents to the extent of regular personal data

Personal data retention period until erasure

6 months after expiry of 10 years from the fulfillment of the tax liability

Proving, enforcing and defending the Controller’s legal claims under the contract, damage, and other legal title
Data subject categories

natural persons – participants in court / enforcement proceedings or extrajudicial enforcement procedure and persons authorized to act on their behalf, persons concerned, and other natural persons acting as participants in the proceedings

Legal basis

Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 6 (1) (f) / the Controller´s legitimate interest – the main legitimate interest involves proving, enforcement, and defending of legal claims /

Personal data category

regular personal data / e.g., name, surname and address of residence, address for delivery in an electronic form, signature, other personal data found or provided during court / out-of-court disputes, enforcement of damages and claims, … /

Personal data retention period until erasure

individual retention periods differ according to the enforced right / claim in accordance with the provisions of Sections 100 through 114 of Act No 40/1964 of the Civil Code; at least 10 years from the final completion of judicial / extrajudicial enforcement

Records of enforced rights of data subjects and breaches of protection under Act No. 18/2018, records of enforced rights of data subjects according to Chapter III, and notifications according to Articles (33) and (34) of the Regulation
Data subject categories

the data subjects involved in enforcement of a right; the data subjects subject to a breach of personal data protection

Legal basis

Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 6 (1) (f) / the Controller´s legitimate interest – the main legitimate interest involves registration of enforced rights of data subjects and privacy breach notices /

Personal data category

regular personal data relating to enforcement of rights, personal data relating to a possible breach of privacy

Personal data retention period until erasure

6 months after the expiry of 5 years from the exercise of a right, or from a privacy breach

Network management (network security, information security)
Data subject categories

clients/customers; e-shop visitors, data subjects involved in enforcement of rights; data subjects subject to a breach of personal data protection, the persons who have shown interest in being contacted, the persons specified in accounting documents;

Legal basis

Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 6 (1) (f) / the Controller´s legitimate interest – the main legitimate interest is to ensure network and information security /

Personal data category

regular personal data

Personal data retention period until erasure

individually according to the defined processing operation, criterion for determination – personal data is processed on a regular monthly basis by the network administrator

3. WHAT ARE THE CATEGORIES OF RECIPIENTS OF YOUR PERSONAL DATA?

  • Authorized persons/employees of the Controller
  • Partners providing transport of goods – Postal companies in accordance with Act No 324/2011
  • Partner arranging delivery of marketing communication
  • Partner processing accounting documents
  • Partner carrying out marketing activities
  • Entities to whom the Controller is obliged to provide personal data by virtue of law

4. DOES THE CONTROLLER TRANSFER PERSONAL DATA OUTSIDE THE EU?

The Controller transfers personal data to the USA to the partner arranging delivery of marketing communication – Mailchimp.

5. WHAT ARE THE LEGITIMATE INTERESTS OF THE CONTROLLER?

Prior to the processing of personal data of data subjects, the Controller conducted a proportionality test (comparative test) for each of the legitimate interests listed below, in which they assessed its legitimacy, necessity, appropriateness, proportionality, and the application of appropriate safeguards to protect the rights and freedoms of data subjects.

The legitimate interests of the Controller within the meaning of Article 6 (1) (f) of the Regulation:

  1. Network administration (network and information security)
  2. Proving, enforcement, and defending of legal claims
  3. Registration of the rights enforced by the data subjects concerned and personal data protection violation notices
  4. Communication with clients and visitors to the store via the contact form
  5. Satisfaction surveys and further marketing communication with customers

6. WILL THE CONTROLLER USE PERSONAL DATA FOR INDIVIDUAL AUTOMATED DECISION-MAKING?

The Controller will not use your personal data for automated decision making, including profiling.

7. „Cookies“

Cookies are small text files that can be used by websites to make the user experience more effective. The law states that we may store cookies on your device if they are necessary for the operation of this site. For all other types of cookies, we need your consent. This site uses different types of cookies. Some cookies are placed here by third party services that appear on our website. You can change or revoke your consent to the Cookie Policy at our website at any time. When contacting us in connection with your consent, please, provide consent ID and its date. Please, note that the refusal of cookies may result in limited functioning of our website. For more information about cookies used on the Controller´s website visit about Cookies

8. WHICH RIGHTS DO YOU HAVE AS THE DATA SUBJECT?

  • The right to revoke the consent – in cases where your personal data is processed based on your consent, you have the right to revoke this consent at any time. You may revoke your consent at [email protected]. The consent withdrawal is without prejudice to the lawfulness of personal data processing carried out by us based on your consent.
  • The right to access – you are entitled to be provided with a copy of the personal data we have about you as well as with the information on how we use your personal data. If you have requested this information by electronic means, it will be provided electronically where it is technically possible.
  • The right to rectification – we take reasonable personal precautions to ensure the accuracy, completeness, and recency of the information we have about you. If you believe the data that we have is inaccurate, incomplete or out of date, please, do not hesitate to ask us to modify, update or complete the information.
  • The right to erasure (to be forgotten) – you are entitled to ask us to delete your personal data, for example, if the personal data we have received from you is no longer necessary for the fulfillment of the original purpose of processing. However, your right must be assessed in the light of all relevant circumstances. For example, we may have some legal and regulatory obligations, which means we will not be able to comply with your request.
  • The right to restrict the processing – under certain circumstances, you are entitled to request that we stop using your personal data. These are, for example, cases where you believe that the personal data that we have about you may be inaccurate or if you believe that we no longer need to use your personal data.
  • The right to data portability – under certain circumstances, you are entitled to ask us to transfer the personal data you have provided to us to another third party of your choice. However, the right to portability concerns only the personal data we have obtained from you on the basis of consent or under a contract to which you are one of the parties.
  • The right to object – you are entitled to object to the processing of personal data that is based on our legitimate interests. If we do not have a valid legitimate reason for processing and you object, we will refrain from processing your personal data.
  • The right to file a motion to initiate personal data protection proceedings – if you believe that your personal data is being processed unfairly or illegally, you may file a complaint with the supervisory authority, Úrad na ochranu osobných údajov Slovenskej republiky (Office for Personal Data Protection of the Slovak Republic), Hraničná 12, 820 07 Bratislava 27, phone number: + 421/2/3231 324; e-mail: [email protected] pdp.gov.sk, http://dataprotection.gov.sk. If such a motion is submitted electronically, the requirements under Section 19 (1) of Act No 71/1967 on administrative proceedings (Rules of Administrative Procedure) are to be complied with.

9. INFORMATION DISCLOSURE, ENFORCEMENT OF RIGHTS

Your requests concerning the scope and eligibility of personal data processing and other information about it or personal data issues are to be addressed to the Controller and sent to: [email protected]. Your requests will be settled at no charge, except for those under Article 15 (3) of the Regulation, within 30 days from delivery of your request.

10. PERSONAL DATA PROCESSING POLICY

Within personal data processing, the Controller complies with the following principles:

  • principle of legality
    we process personal data only in a lawful manner and we pay special attention to prevent any violation of the fundamental rights of data subjects
  • principle of purpose limitation
    we collect personal information only for a specific, explicit, and legitimate purpose and never process it in a way that is incompatible with that purpose
  • principle of data minimization
    we process only the personal data that is adequate, relevant, and limited to the extent necessary for the purpose for which the data is processed
  • principle of accuracy
    we make sure that the personal data we process is correct and we update it as needed
  • principle of retention limitation
    we keep personal data in a form that allows identification of data subjects only for as long as is necessary, at a maximum, for the purpose for which the personal data is processed
  • principle of integrity and confidentiality
    we always process personal data in a way that guarantees adequate personal data security based on appropriate technical and organizational measures
  • principle of responsibility
    as the Controller, we take a responsible approach to comply with the basic personal data processing principles.

11. PERSONAL DATA PROTECTION GUARANTEE

The Controller has adopted appropriate personnel related, organizational, and technical measures that are specified in the personal data protection documentation.

The Controller has developed a security policy and guidelines governing personal data processing procedures with particular emphasis on the protection of the rights of data subjects.