1.4. The Controller complies with the data processing principles set out in applicable legislation and the Controller processes personal data lawfully, fairly and securely. The Controller is able to demonstrate that personal data has been processed in accordance with the provisions of applicable legislation.
2. Collection, processing and storage of personal data
2.1. The personal data collected, processed and stored by the Controller is collected electronically, mostly on the website and by e-mail.
2.4. The Controller is not liable for any damage incurred by the data subject or third parties due to submission of incorrect data.
3. Processing of customers’ personal data
3.1. The Controller may process the following types of the data subject’s personal data:
3.1.1. Given name and surname;
3.1.2. Date of birth;
3.1.3. Phone number;
3.1.4. E-mail address;
3.1.5. Delivery address;
3.1.6. Bank account number;
3.1.7. Payment card details.
3.2. In addition to the above, the Controller is entitled to collect publicly available data on the customer from public registers.
3.3. The legal basis of processing of personal data is Article 6 (1) (a), (b), (c) and/or (f) of the GDPR:
- (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- (b) the processing of personal data is necessary for the performance of a contract to which the data subject is party, or for the implementation of precontractual measures which take place at the request of the data subject;
- (c) the processing of personal data is necessary to fulfil a legal obligation to which the Controller is subject;
- (f) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
3.4. Personal data is processed for the following purposes:
- security and safety;
- fulfilment of orders;
- ensuring the operation of the Controller’s online store;
- customer relations management;
- financial transactions and accounting; and
3.5. The Controller may share the customers’ personal data with third parties such as authorized processors, accountants, providers of transport and courier services, and providers of payment services. The Controller is the controller of personal data. The Controller shares the personal data needed to make payments with EveryPay AS, a processor.
3.6. The Controller shall apply organizational and technical measures when processing the data subject’s personal data so as to ensure the protection of personal data against accidental or unlawful destruction, alteration, disclosure or other unlawful processing.
3.8. Most of the personal data of data subjects is stored for the duration of the contractual customer relationship between the data subject and the Controller and 3 years after the end of the contractual customer relationship. Some personal data may be retained after the contractual customer relationship has ended, if applicable legislation so requires or allows. For example, the Controller shall store accounting source documents (e.g. copies of sales contracts and invoices) for 7 years as of the end of the financial year of the transaction, as required by applicable legislation. The Controller shall store certain personal data relating to contracts for 10 years as of the end of the contractual relationship, which is the maximum limitation period in case of intentional breaches.
3.9. When the storage of personal data of data subjects is no longer required by applicable legislation or in view of the rights and obligations of parties, the Controller shall permanently delete the personal data unless the data subject has instructed the Controller otherwise or the parties have concluded an agreement for longer storage of personal data.
4. Data subject’s rights
4.1. The data subject has the right to access his/her personal data.
4.2. The data subject has the right to receive information on the processing of his/her personal data.
4.3. The data subject has the right to supplement, update, amend or correct inaccurate personal data.
4.4. If the Controller is processing the data subject’s personal data on the basis of his/her consent, the data subject has the right to withdraw such consent at any time.
4.5. The data subject has the right to request the restriction of processing of personal data or object to the processing of his/her personal data.
4.6. The data subject has the right to data portability, i.e. the right to receive his/her personal data in a structured, commonly used machine-readable format and transmit the personal data to another data controller at his/her discretion.
4.7. To exercise the abovementioned rights, the data subject may contact the Controller’s customer service at the e-mail address firstname.lastname@example.org.
4.8. The data subject has the right to file a complaint with the data protection authority of his/her location. In Estonia, this authority is the Data Protection Inspectorate. Contact details of the Data Protection Inspectorate are available here: www.aki.ee.
6. Final provisions