Information on processing personal data in e-commerce
As the controller of the e-commerce platform www.friiofnorway.eu, the company BAGPIPERS, s. r. o. processes personal data and is therefore obliged, in accordance with the transparency principle, to inform data subjects about the processing of their personal data. This document is to inform data subjects about the scope, purpose, and duration of the processing of their personal data. Personal data may be processed electronically by employees or processors of BAGPIPERS, s.r.o.
BAGPIPERS, s. r. o.
Sinokvetná 1569/21, 821 05 Bratislava
Id. No 51 286 955
Phone +421 918 468 151
Data Protection Officer
The controller did not designate any Data Protection Officer.
Purpose of processing personal data
Personal data of data subjects are processed for the following purposes:
- sale of goods through the online store (in particular identification of the buyer and communication with him/her, fulfilment of contractual obligations, proving, enforcing or defending legal claims of the controller arising from this contractual relationship, administration of information related to this contractual relationship),
- accounting and tax purposes,
- fulfilment of legal obligations and ensuring compliance with legal regulations, including providing personal data to state and other authorities supervising the activities of the controller,
- statistical purposes, archival purposes in the public interest, and purposes of historical and scientific research,
- protection of legitimate interests of the controller and other persons, which include in particular:
- adherence to basic principles of personal data processing, implementation, and maintenance of technical and organizational security measures, including but not limited to preventing unauthorized access to systems and information, investigating suspected or known security breaches,
- prevention of fraud and protection against misuse of services,
- communication with business partners if it concerns the processing of personal data of their contact persons,
- direct marketing.
Providing personal data is necessary for concluding a purchase contract through the controller’s online store and fulfilling obligations arising from this contract.
Legal basis for processing personal data
Processing of personal data of data subjects in connection with the sale of goods may be based on the fulfillment of a legal obligation under Article 6(1)(c) GDPR, the performance of a contract under Article 6(1)(b) GDPR, or the legitimate interest pursued by the controller under Article 6(1)(f) GDPR.
- Act No. 40/1964 Coll. Civil Code, Act No. 513/1991 Coll. Commercial Code, Act No. 102/2014 Coll. on consumer protection in the sale of goods or provision of services based on a distance or off-premises contract of the seller, Act No. 250/2007 Coll. on consumer protection.
Processing of personal data of data subjects for tax and accounting purposes may be based on compliance with a legal obligation under Article 6(1)(c) of the GDPR.
- Act No. 431/2002 Coll. on Accounting, Act No. 222/2004 Coll. on Value Added Tax, Act No. 563/2009 Coll. on Tax Administration (Tax Code), Act No. 40/1964 Coll. Civil Code, Act No. 513/1991 Coll. Commercial Code.
Processing of personal data of data subjects in order to fulfil legal obligations and ensure compliance with legal regulations may be based on the legal obligation under Article 6(1)(c) GDPR, public interest under Article 6(1)(e) GDPR or legitimate interests under Article 6(1)(f) GDPR.
- Act No. 102/2014 Coll. on consumer protection in the sale of goods or provision of services based on a contract concluded at a distance or a contract concluded outside the seller’s premises, Act No. 250/2007 Coll. on consumer protection, Regulation on the protection of individuals regarding the processing of personal data (GDPR)
Personal data of data subjects can be processed for statistical purposes, archival purposes in the public interest, and purposes of historical and scientific research on a legal basis that allowed for the collection of personal data for the original purposes under the regime of Article 89 of the GDPR.
- Act No. 395/2002 Coll. on archives and registries
Processing of personal data of data subjects for the purpose of protecting the legitimate interests of the controller or third parties may be based on the legitimate interest legal basis according to Article 6(1)(f) of the GDPR.
The scope of processed personal data
The controller processes personal data specified in the order of the buyer, especially the name, surname, and address, or the business name and registered office of the buyer who is a natural person entrepreneur, the purchased goods, telephone and email contact of the buyer, data on payment execution (but not data on his payment card), and possibly other personal data specified in the order, complaint, request or complaint of the buyer. Personal data is obtained directly from the data subject or provided by the buyer to the controller.
The controller does not process special categories of personal data.
Period of retention of personal data
The retention period for processed personal data, regarding the obligations of the controller, especially in the areas of taxation and accounting, will be a maximum of 10 years from the date of sale of the goods and is always dependent on the legal obligations of the controller.
When handling personal data, the controller applies the principle of minimization, which means that as soon as the period during which it is obliged or authorized to keep personal data has elapsed, it immediately anonymizes personal data in databases and information systems. The controller has strict internal rules for storing personal data, which ensure that information is not held for longer than the controller is authorized or obliged to.
Recipients of personal data
Personal data of data subjects will be made available to Packeta Slovakia s.r.o., a delivery company, and its subcontractors. Personal data of data subjects may be made available to employees and intermediaries of the controller, accountants, lawyers, auditors, archives, software equipment and support providers, including employees of these entities. Personal data of data subjects may be made available to state administration authorities or other authorities, especially those that oversee the activities of the controller. The controller only provides personal data to the extent necessary and while maintaining the confidentiality of the recipient.
Transfer to third countries
The controller does not transfer personal data to international organizations or to third countries.
The rights of the data subject
The data subject is entitled to exercise the following rights against the controller through the contact details provided above:
- Right to access personal data (Art. 15 GDPR) – the right to obtain a copy of the personal data that the controller has available about the affected person, as well as information on how their personal data is being used.
- Right to rectification of personal data (Art. 16 GDPR) – the right to request the rectification of inaccurate or incorrect personal data being processed.
- Right to erasure of personal data (Art. 17 GDPR) – (i) if such data is no longer necessary for the purposes for which it was collected, (ii) if consent has been withdrawn and there is no other legal basis for processing, (iii) if the affected person objects to processing based on legitimate interests and their interests, rights, and freedoms outweigh the legitimate reasons of the controller, or objects to processing for direct marketing purposes, (iv) if personal data was processed unlawfully.
- Right to restriction of processing (Art. 18 GDPR) – (i) if the affected person believes that incorrect personal data is being processed, until its accuracy is verified, (ii) if the processing is unlawful and the affected person requests restriction instead of erasure, (iii) if the controller no longer needs the personal data but the affected person needs it for their own purposes of proving, enforcing or defending their legal claims, (iv) if the affected person objects to processing, until it is verified whether the legitimate reasons of the controller outweigh their interests, rights, and freedoms.
- Right to data portability (Art. 20 GDPR) – the right to request the transfer of personal data to another controller in a structured, commonly used and machine-readable format, if the personal data is processed based on consent and/or by automated means.
If the affected person believes that the processing of their personal data is breaching applicable laws, they have the right to lodge a complaint with the supervisory authority (Art. 77 GDPR). The supervisory authority in the Slovak Republic is the Office for Personal Data Protection of the Slovak Republic, with its registered office at Hraničná 12, Bratislava.
The right to object to the processing
The data subject has the right to refuse the processing of their personal data for the purposes of direct marketing at any time – in such a case, personal data may no longer be processed for these purposes. If the controller processes personal data to ensure its legitimate interests or the legitimate interests of other persons, the data subject may object to this processing due to their specific situation (Art. 21 GDPR); in such a case, the controller may further process their personal data only if they can demonstrate the existence of compelling legitimate grounds that override the interests, rights and freedoms of the data subject, or if such data is necessary for the establishment, exercise or defence of legal claims.
Automated decision-making including profiling
When processing personal data, the controller does not make decisions based solely on automated processing, including profiling, which have legal effects or significantly affect the data subject, pursuant to Art. 22 of the GDPR.
Cookies are small files stored in the memory of the end device (notebook, tablet, smartphone, etc.) of visitors to the e-commerce platform. Through them, the controller has information related to the use of the end device, which may be personal data.