PROCESSING OF PERSONAL DATA The controller of personal data for the online shop www.reforms.ee is OÜ REFORMS (registration number 14667959), address ESTONIA , Tallinn, Kesklinn, Marta 6-4, 11312, phone no. +372 5242074, and email address firstname.lastname@example.org The controller transfers the personal data, which are necessary for making payments, to the processor Maksekeskus AS.
What personal data are processed?
− name, phone number, and email address; − delivery address; − bank account number; − cost of goods and services, and data related to payments (order history); − customer support data.
On what purpose are personal data processed?
Personal data are used for managing customer orders and for delivering goods. Order history data (date of order, goods, quantity, customer data) are used for reviewing goods and services bought, and for analysing customer preferences. Bank account numbers are used for making refunds to customers. Personal data, such as email address, phone no., customer’s name, are used for settling issues relating to goods and to the provision of services (customer support). The IP address and other online identifiers of the online shop customers are processed for offering the services of the online shop as an information society, and for web usage statistics.
Personal data are processed in order to perform a contract concluded with the customer. Personal data are processed in order to fulfil a legal responsibility (e.g., accounting and handling consumer disputes).
Who are the personal data recipients?
Personal data are transferred to the customer support of the online shop for managing orders and order history, and for solving customer problems. The name, phone number, and email address are transferred to the delivery service provider chosen by the customer. If the order is being delivered by courier, also the customer’s address is transferred in addition to the contact information. If the accounts of the online shop are being kept by a service provider, the personal data are transferred to the service provider for accounting procedures. Personal data may be transferred to information technology service providers if this is necessary for ensuring the functioning or data hosting of the online shop.
Security and access to data
Personal data are stored on ESTONIA servers that are located in the territory of a Member State of the European Union, or of the European Economic Area countries. Data may be transferred to countries with an adequate level of data protection according to the European Commission, and to U.S. companies that have joined the Privacy Shield programme. Access to personal data is granted to the online shop employees who can access personal data to address technical issues related to the use of the online shop, and to provide customer support service. The online shop implements appropriate physical, organisational, and information technology related security measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorised access or disclosure. Personal data are transferred to the processors of the online shop (e.g., the delivery service provider and data hosting) based on contracts concluded between the online shop and the processors. The processors are obliged to ensure that personal data processing is subject to appropriate safeguards.
Access to and rectification of personal data
Personal data can be accessed and rectified on the user profile of the online shop. If an order is placed without a user account, personal data can be accessed via customer support.
Withdrawal of consent
If personal data are processed based on the customer’s consent, the customer has the right to withdraw his or her consent, informing the customer support about it by email.
If a customer account of the online shop is closed, the personal data are erased, unless such data must be retained for accounting purposes, or for handling consumer disputes. If an order is placed with the online shop without a customer account, order history will be retained for three years. In case of payment related disputes and consumer disputes, personal data will be retained until the claim is settled, or until its expiry. Personal data necessary for accounting will be retained for seven years.
In order to erase personal data, the customer support must be contacted via email. An erasure request will be responded to within one month, specifying the time of erasure of the data.
A request for the transmission of personal data submitted by email will be responded to within one month. The customer support will verify the identity and inform about the personal data to be transmitted.
Direct marketing communications
The email address and phone number are used for direct marketing communications if the customer has approved this. If a customer does not want to receive direct marketing communications, he or she must click on the relevant link at the email footage, or contact the customer support. If personal data are processed for direct marketing purposes (profiling), the customer has the right to object to both the initial and further processing of his or her personal data, including profiling to the extent that it is related to such direct marketing, at any time, informing the customer support about this by email (such information must be presented clearly and separate from any other information).
Resolution of disputes
Disputes concerning personal data processing are settled via customer support: email email@example.com phone no. +372 5242074 The supervisory authority is the Estonian Data Protection Inspectorate: email firstname.lastname@example.org.