ON COLLECTION AND PROCESSING OF PERSONAL DATA BY DESIRFURN Ltd
I. DATA OF THE CONTROLLER
1.2. In case needed, any user of the Website can contact the Controller by using the following email address: firstname.lastname@example.org
II. COLLECTION AND PROCESSING OF PERSONAL DATA
2.2. Below, data subjects shall find information about the whole mechanism of collecting and processing of their personal data, the purposes and legal ground for this, the limitation periods for the storage of personal data and the rights data subjects have in connection to such processing.
III. PURPOSES OF AND LEGAL GROUNDS FOR PERSONAL DATA PROCESSING
3.1.1. Collection and processing of analytic information about the use of the Website;
3.1.2. Processing of received purchase orders for selected goods offered by the manufacturers through the Website and for the purpose of fulfillment of obligations under contracts concluded in connection to the purchase orders;
3.1.3. Establishing contact and providing customer service, by various means, through contact information provided by the Buyers;
3.1.4. Invoicing of goods purchased through the Website;
3.1.5. Prevention of tax and other types of fraud, money laundering, abuse and any other illegal activities;
3.1.6. Sending information about the products and services offered on the Website;
3.1.7. Personalization of search results on the Website and identification of the data subject for the purpose of making the use of the Website more convenient and easier upon subsequent visit and search, and displaying of content that meets the preferences of the respective user;
3.1.8. Offers for participation in advertising campaigns and customer loyalty programs, whereas information about the best deals available on the Website is sent in a timely manner;
3.1.9. Market research carried out with anonymous data. In case use of data that could identify the data subject is required, an explicit consent of the data subjects shall be required in advance.
3.2. Desirfurn collects and processes personal data of its present and potential buyers on the following legal grounds:
3.2.1. Consent - on visiting the Website, as well as in all cases where an explicit consent given by the user is necessary for the fulfillment of a specific purpose within the activity of the Controller. The users have the right to refuse to give their consent or subsequently to withdraw it, but in these cases Desirfurn may not be able to perform certain contract operations. Desirfurn gives opportunity to data subjects to withdraw the given consent at any time, whereas this shall not affect the lawfulness of processing based on consent before its withdrawal.
3.2.2. Legal Obligation - Generally, Desirfurn has no legal obligation to collect and process personal data, but in the event of necessity, and in all cases when the Controller is obliged to cooperate with state authorities and institutions in connection to the activities performed by the company of the Controller, as well as in some cases arising from the legislation in force, the controller can use this legal ground for processing.
IV. CATEGORIES OF PERSONAL DATA WE COLLECT
4.1. For the achievement of the abovementioned purposes of its activity, the Controller collects the following categories of personal data from data subjects:
4.1.2. Identification data, such as name and surname, contact details, for example telephone and e-mail address, the position occupied by the person, representative of a client – legal entity – for the cases of registration of a client on the Website;
4.1.3. Identification information such as name and surname, contact details, such as telephone and email address of users in case the users submit an online enquiry through the Website;
4.2. Desirfurn does not collect or process any special categories of personal data (sensitive personal data). In the event that processing of such data becomes necessary for the professional activity of the Controller, Desirfurn shall request your explicit consent for provision of this type of personal data in advance.
V. RECIPIENTS AND CATEGORIES OF RECIPIENTS OF PERSONAL DATA
5.1. In the course of its business activities Desirfurn provides personal data to the following categories of recipients:
5.1.1. Personal data processors that process analytical and other information data from HTTP headers, cookies, and other online tools, e.g. Google Analytics, Google AdWords, Facebook Pixel, etc.;
5.1.2. Accountants or external accounting companies used for book keeping of the accounts of the Controller;
5.1.3. Manufacturers who have access to a purchase order made by a customer while processing the purchase order and delivering goods to the client;
5.1.4. Telephone or online operators for direct communication with buyers;
5.1.5. External contractors providing various services through which they can access personal data, for example software support services, hardware maintenance, system administrators and other IT support services.
VI. TRANSMISSION OF PERSONAL DATA
6.1. Desirfurn does not transfer personal data to third countries or international organizations.
6.2. Should this become necessary for the performance of its activities, the Controller shall comply with all the requirements of Regulation (EU) 2016/679 on the protection of personal data.
VII. PERIOD FOR STORAGE OF PERSONAL DATA
7.1. Users’ personal data shall be stored for no longer than is necessary for the trader to fulfil its obligations, except where the law requires storage for a longer period.
7.2. In case the prescribed storage periods and the time necessary for processing and storage of specific personal data have expired, the said data shall be permanently deleted.
7.3. Some of the storage limitations in this regard are:
7.3.1. Data collected on visiting the Website shall be stored until the consent is withdrawn or until the system records on a webhosting level expire;
7.3.2. In the case of explicitly given consent to processing – storage shall be until consent withdrawal and unless there is another legal ground requiring storage and / or processing for a longer period;
7.3.3. In case of online inquiries sent to the Controller or in case of sent purchase orders – storage period shall be 1 year from the date on which the correspondence was finally closed or from the date of execution of the contract for the purchase order.
VIII. RIGHTS OF DATA SUBJECTS
8.1. In connection to the collection and processing of personal data, the Controller provides all buyers and users with the opportunity, under certain conditions, to enjoy all the rights specified exhaustively and in detail in Regulation (EU) 2016/679, namely:
• Right of Access - according to Art. 15 of the Regulation, the data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, to have access to the said data;
• Right to rectification – according to Art. 16 of the Regulation, the data subject has the right to ask the Controller to correct inaccurate personal data relating to him/her;
• Right to erasure (‘right to be forgotten’) - according to Art. 17 of the Regulation, the data subject has the right to request the Controller to delete the personal data related to him/her. The Controller is obliged to delete personal data without undue delay whenever possible;
• Right to restriction of processing - according to Art. 18 of the Regulation, the data subject is entitled to require from the Controller to limit the processing when one of the following applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;
(b) the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
• Right to data portability - according to Art. 20 of the Regulation the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine readable format and have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided;
• Right to object - pursuant to Art. 21 of the Regulation, the data subject is entitled, at any time and on grounds relating to his particular situation, to object to the processing of personal data concerning him/her. The Controller shall terminate the processing of personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
8.2. For the exercise of the above rights, the data subject shall not pay any charges or fees to the Controller. However, the latter may charge fees where the request is unfounded or excessive or in case it is often repeated.
8.3. The data subject is aware that in order to use the options to register on the Website, as well as to make an online inquiry and order selected goods, he/she must provide a certain set of personal data which the Controller has reduced to the absolute minimum in order to be able to proceed with further communication, provide an adequate response to a request, deliver the purchased goods, etc.
8.4. The data subject agrees that the provision of personal data by him/her is not a mandatory requirement for the purpose of simply visiting the Website, but is obligatory for making an online inquiry through the Website, since without the minimum set of identifying personal data, such as email or address, the Controller will not be able to answer questions or to deliver the ordered items.
8.5. The data subject shall have the right to approach the competent supervisory authority, namely the Commission for Personal Data Protection, at its address: 1592 Sofia, 2 Prof. Tsvetan Lazarov Str., fax: 02/9153 525, email: email@example.com
IX. OTHER PROVISIONS ON THE PROTECTION OF PERSONAL DATA
9.1. Desirfurn does not use the opportunity for automated decision making, incl. profiling, for its users and potential users. In the event that this becomes necessary for any reason related to the performance of its activity, the Controller is obliged to inform the data subjects thereof in advance. Data subjects, in turn, have the right to object to such processing, where they have reason to do so, when such processing has legal effects on them and thus significantly affects them, incl. when their legitimate interest outweighs that of the data Controller.