Legal Requirements for Cookie and Privacy Policies
I.: General principles
Art. 1. (1) Mis Sheepskin EOOD (hereinafter referred to as "the Company") is the solely limited liability company, registered in the Commercial Register at the Registry Agency with UIC 204628289, with headquarters and address of management: Republic of Bulgaria. 4, Lipa Str., Sofia, with the main subject of activity: internet shoe marketing,accessories and more items.
(2). The employees who carry out personal data processing for the purposes of product marketing, the conclusion of contracts for the procurement of goods, fulfillment of obligations under such contracts, as part of their employment obligations, shall adhere to the following principles when processing personal data:
The person for protection of personal data is: Sonya Milkova Stefanova, e-mail email@example.com
Art. 3. For the purposes of this Policy:
- ‘‘Personal data‘‘ means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions, and g or destroying it.
- ‘‘Processing ‘‘ means any operation or combination of operations carried out on a personal basis. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing or destroying it.
- ‘‘Limitation of processing" means the marking of stored personal data for the purpose limiting their processing in the future.
- ‘'Pseudonymisation ‘' means a processing activity that makes data no longer attributable to a specific data subject without the use of additional information, when that additional information is kept separately from the pseudonymised data.7 Basically this means that when pseudonymising data, unique attributes are replaced by attributes from which the data subject can no longer be identified.''
- "Personal data record" means any structured set of personal data accessed according to specific criteria, whether centralized, decentralized or distributed according to a functional or geographic basis.
- 'Controller' means the natural legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- 'personal data processor' means a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.
- 'recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
'supervisory authority' means an independent public authority which is established by a Member State pursuant to Article 51
Art. 4. The principles relating to the processing of personal data are:
A principle of legality, integrity, and transparency of the processing of personal data - the collection of personal data must be within the necessary limits. Information is collected in a legal and objective manner.
A principle of retention of personal data: it should be kept and used in a lawful manner not incompatible with the purpose for which they were collected and it should not be kept longer than necessary for that purpose and in accordance with relevant law.
3 A principle of accuracy- personal data is collected and retained for continuing use (as distinct from one-time uses or periods of short duration), the data controller has an obligation to take steps to ensure that the data is current and accurate as necessary for the purposes for which it was collected and is being used.
Principle of protection and security - data controllers have a clear duty to take necessary practical and technical steps to protect personal data in their possession or custody (or for which they are responsible) and to ensure that such personal data is not accessed, lost, destroyed, used, modified or disclosed except in accordance with the individual's knowledge or consent or other lawful authority.
Art. 5. Personal data of the customers-individuals of the online shop.milvena-leather.com are processed in the "Contractors" register and in particular in the "Users under the PPA" sub-register.
II. ISUBREGIST "CONSUMERS under APP"
Art. 6. (1) The following categories of personal data shall be processed in the "CPA Users" sub-register:
- Name and surname;
Articles 1,2,3,4 shall be processed for the purpose and on the grounds of a performance of the distance contract concluded between the Company and the consumer and on the grounds of the Accountancy Act, the Consumer Protection Act, as well as for the purpose of concluding the contract.
The data articles: 1, 2 are processed for marketing purposes on the basis of a legitimate interest of the Company and only after explicit consent has been given for processing for marketing purposes. The consent of the transition sentence is provided in electronic form by marking on the homepage of the Company's website or from the user's profile in the "Settings" menu. The consent given under this provision may be withdrawn by a user at any time by marking it on the homepage of the Company's website or its profile in the Settings menu.
By Proving consent the user agreement for the processing his or her personal data for marketing purposes and services by email and/or through a newsletter sent by e-mail, a survey to research on the goods offered, as well as for doing business analyzes, tracking consumer behavior, the preferences of the user and advertisement.
The organization does not have access to card data, as well as to the authentication data for payment by credit or debit card or via an ePay.bg account, and in no way registers or stores them.
Art. 7. (1) The personal data in the sub-register "Users under the PPA" shall be processed in electronic form.
(2) The personal data under Art. 6, para. 2 of the Policy are recruited by the users themselves in customized ordering software and stored electronically on a server hired by the Company located in the Netherlands for a period of 10 years from January 1 of the year following the year of occurrence the respective legal relationship, based on Art. 12, para. 1, item 2 of the Accountancy Act. After the expiry of the storage period and provided there are no documents to be transmitted to the State Archive all data carriers from the register shall be destroyed by an appropriate method, and deleting backup electronic copies.
(3) The personal data under Art. 6, para. 3 (except the IP address) of the Policy are recruited by the users themselves in the specially developed ordering software and stored for the periods specified below in Art. 9, Art. 10 and Art. 11 of this Policy.
Art. 8. (1) The administrator shall assign the processing of the personal data under Art. 6, para. 1, items 1 to 4 of this Policy in a sub-register "Users under the PPA" of persons appointed under an employment relationship. The rights and obligations of the individual processors are indicated in the relevant job description.
(2) The administrator shall assign the processing of the personal data under Art. 6, para. 1, item 1, 3 and 5 on the grounds of fulfillment of a contract of the following companies providing courier services for delivery of orders ordered by consumers under the contracts concluded between them and the Company: - For consignments on the territory of the Republic of Bulgaria - Econt, Speedy, Bulgarian Posts.
For shipments within and outside the EU - Bulgarian Posts, Speedy-DPD
(3) The request for information related to the implementation of a specific distance contract, access to the sub-register Users under the PPA shall be provided to the manager of the company.
(4) Access to personal data of a person from a sub-register Users under the PPA shall be granted to a lawyer in connection with the protection of the rights of the Company in a dispute between the parties and / or need of consultation.
(5) Access to personal data of a person from a sub-register Users under the PPA shall be granted to third parties by order of a court and / or on the basis of a specific normative act.
Art. 9. (1) The administrator shall assign the processing of the personal data under Art. 6, para. 1, items 1, 2, 4 and 5 of this SiteGround Spain S.L. by virtue of a contractual relationship between the latter and the Company with the object of: providing services on a virtual server.
(2) The data under para. 1 are stored in electronic format on servers located in the Netherlands and complying with the requirements of the EU data protection legislation applicable to the protection of personal data. The term for storing the data by the processor under par. 1 is 1 (one) year.
Art. 10. (1) Upon consent given by a consumer under Art. 6, para. 4 of this Policy the administrator shall assign the processing of the personal data under Art. 6, para. 1, item 1, 2, item 4 and item 5 of SiteGround Spain SL, CIF: B-87194171, VAT: ESB87194171, Calle Prim 19, 28004 Madrid, Spain by virtue of a contractual relationship between the latter and the Company : providing marketing services related to performing business analyzes and examining user behavior on the Company's website. The data is stored in electronic format on servers located in the United States and in compliance with the requirements of the EU data protection legislation and the EU-US Privacy Shield agreement. The storage period for user behavior data is 13 (thirteen months). These data are pseudonymised and their recipients are Google LLC, Facebook and Instargram to provide advertising, business analytics, and remarketing services.
Art. 11. (1) Upon consent given by a consumer under Art. 6, para. 4 of this Policy, users receive notifications of promotions, campaigns or sales of certain goods via a newsletter received by email or receive such information by phone, examine their behavior on the site and their preferences
(2) The persons processing the data in order to perform the actions under para. 1, except those specified in Art. 9 and Art. 10, are also persons appointed under an employment relationship with the Company. The rights and obligations to process the data under the preceding sentence are governed by the job descriptions of the persons.
Art. 12. (1) The marketing activities related to analysis of consumer behavior and advertising with granted consent under Art. 6, para. 6 of this Policy are also processed by data that does not allow the identification of an individual (eg name, surname, telephone number, address, etc.), but through the activity of the user through the respective browser through the so- cookies or banner ads, which contains the following data:
- events related to the activity of the Company's website (number of viewed pages on the site, viewed products on the site, searches on the Company's website);
- information related to the user's device (device type, operating system and version);
- An approximate location derived from the IP address.
(2) The activities under para. 1 are made by the so-called "cookies" used by the Company or third party partners of the Company. Cookies are small packages of information sent from web pages to the user's browser and stored on their device.
(3) The company uses two types of cookies: necessary and functional.
Art. 13. Required cookies provide the functionality of the site by providing the ability to access the account of the relevant user on the site and to process orders made as follows:
Save the session
By the end of the session
Art. 14. (1) Functional cookies allow users to preserve user preferences and display user behavior on the site. These cookies save time and effort while shopping on the Company's site and are stored temporarily on the user's device. Functional cookies are used by the Company to analyze user behavior on the site and how users use it. This allows the Company to customize the content offered and quickly identify and fix various issues.
(2) The functional cookies that the Company uses - its and third-party partners, are as follows:
The name of the cookie
Place of storage
Art. 15. The Company uses the following websites and cookies, such as the type and name of the cookies, and the location and storage term of the third parties listed below:
- Google AdWords - Remarketing and Behavioral Targeting Service, submitted by Google LLC, 1600 Amphitheater Parkway Mountain View, CA 94043, USA. With this service, ad activity on www.remixshop.com connects to the AdWords ad network using cookies. Information on the use of this site acquired through cookies is transmitted and stored by Google LLC., 1600 Amphitheater Parkway Mountain View, CA 94043, USA (data processing) on servers located in the United States. Google LLC processes the data in compliance with the requirements of the EU privacy and data privacy law and the EU-US Privacy Shield agreement.
- Facebook and Instagram - This application uses Social Plugins on the social network facebook.com and instragam.com, which is maintained by Facebook Inc., Menlo Park, California, USA. ("Facebook"). Plugins are recognized on the Facebook logos (white "f" on a blue background or "thumbs up") or are awarded the "Facebook Social Plugin".
When a user enters a web page, his browser will immediately make a direct connection to the Facebook servers. The content of this Plugin will be transmitted directly from Facebook to the user's browser that will link it to the website.
By linking to these Plugins, Facebook receives information that the relevant Company or Platform page has been visited. If a user logs in to Facebook, Facebook may assign that visit to his / her profile. If a user interacts with these Plugins (e.g., click the "Like" button or write a comment), the relevant information will be immediately transferred from his browser to Facebook and stored there. If the user is not registered on Facebook, Facebook is still able to understand its IP address and save it. These Facebook plugins can be attached by site operators to their own websites or platforms. With one click on these Plugins, users registered with Facebook can automatically leave a message on their Facebook profile that they like the information from the site operator's links. The Facebook Plugin "communicates" with Facebook and visits the website and sends Facebook data - even if the user has not clicked Plugins. Through the so-called iFrame connection, the browser also loads an additional page-to-page page that contains the corresponding Plugin. In the case of a Plugin belonging to Facebook, this iFrame-link or source text comes entirely from Facebook and can not be controlled or processed by the Company.
If the user is not logged on to Facebook or is not registered at all, it is still a cookie that can not be recognized and is valid for two years.
If the browser later reconnects with the social network server, the cookie is transferred and can help create an account. For users who register later, it is also possible to link to the information contained in the cookie.
If the user is logged in the current Facebook session, both page and cookie information is transmitted - this session identification information may be assigned to that account.
With Add-ons, the user can block Facebook-Social-Plugins for your browser by using, for example, "Facebook Blocker". Facebook Inc. processes the data in compliance with the requirements of the EU data protection legislation and the EU-US Privacy Shield Agreement
- Doubleclick by Google - Remarketing and Behavioral Targeting Service, submitted by Google LLC., 1600 Amphitheater Parkway Mountain View, CA 94043, USA.
https://www.google.de/intl/en/policies/technologies/ads/ With this service, ad activity on www.remixshop.com connects to the Doubleclick by Google ad network using cookies.
Google LLC processes the data in compliance with the requirements of the EU privacy and data privacy law and the EU-US Privacy Shield agreement.
III. Rights of the data subjects
The data subjects have the following rights in respect of their personal data:
- The right of access;
- Right to rectification;
- Right to data portability;
- Right to erasure (‘right to be forgotten');
- Right to the restriction of processing;
- Right to object to the processing of personal data:
- The right of the data subject not to be subject to a decision based solely on automated processing, regardless of whether the processing includes profiling.
Art. Article 17. (1) Every individual subject to personal data shall have the right to receive information about the data controller as well as the processing of his personal data.This information include:
- data identifying the controller as well as his contact details, including the contact details of a data subject;
- the purposes and legal basis of the processing;
- recipients or categories of recipients of personal data, if any;
- the controller's intention to transmit the personal data to a third party (where applicable);
- the term of storage of the personal data;
- the existence of automated decision making, including profiling (if any);
- information about all the rights the entity has;
- the right of appeal to the supervisory authority.
(2) The information under para. 1 is not provided if the data subject already has it.
(3) When making a request for information from a data subject under the order of para. (1), the Company together with the designated data protection officer shall carry out the necessary verification and provide a response with the required information within 14 (fourteen) days but no later than 30 (thirty) days from the date of receipt of the request. If necessary, this period may be extended by a further two months, taking into account the complexity and number of requests from a particular person. The company shall inform the person of any such extension within one month of receipt of the request, indicating the reasons for the delay. The application contains the identification of the person (three names and PIN for Bulgarian citizens and for all other persons - citizens of other EU Member States - names and date of birth), description of the request, preferred form for granting access to personal data, signature , date, email, address for correspondence and power of attorney when the application is filed by an authorized person. The company is not obliged to respond to a request if it is unable to identify the data subject. The request shall be filed in a separate incoming register of the Company and may be filed in one of the following ways: a) by electronic means the following e-mail: firstname.lastname@example.org b) at a place in an office of the Company, located in Sofia, Lozenets district, 4, Lipa Str., floor 2 or c) by post to the address of management of the Company: Sofia, Lozenets District, 4 Lipa Str., 2nd floor.
(4) The information under para. 1 is provided in one copy to the data subject free of charge. For additional copies requested by the data subject or excessive demands of the entity, especially due to its repeatability, the Company may impose a reasonable fee in the amount of the administrative costs incurred.
(5) When providing a copy of personal data, the Company may not disclose the following categories of data:
- personal data of third parties, unless they have expressly consented to this;
- data that constitute trade secret, intellectual property or confidential information;
- other information that is protected under the applicable law.
(6) The merits of an application shall be judged separately for each case by the Company.
(7) In case of refusal to grant access to personal data, the Company shall justify its refusal and inform the data subject about his / her right to file a complaint with the supervisory body.
Art. 18. (1) Data subjects may request that their personal data processed by the Company be corrected in the event that the data are inaccurate or incomplete.
(2) A satisfied reguest for correcting personal data, the Company shall notify the recipients of data to which such data have been disclosed.
(3) The right under para. (1) shall be exercised by making a request under Art. 17, para. 3 of the Policy.
Art. Article 19. (1) Any individual, subject of personal data, has the right to request the deletion of his/her data, "Right to be forgotten" if one of the following conditions is met:
- The person's personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- The data subject withdraws his consent on which the processing of the data is based and no other legal basis for the processing;
- The data subject objects to the processing, and there are no legitimate grounds for the processing to take precedence;
- Personal data has been processed unlawfully;
- Personal data must be deleted in order to comply with a legal obligation under EU Law or the law of a Member State that applies to the controller;
- Personal data has been gathered in connection with the provision of information society services to children and consent is given by the parent's parental responsibility.
(2) The right under para 1 shall be exercised by making a request under the procedure of Art. 17, para. 3.
Art. 20. (1) Any individual owner of personal data shall have the right to restrict the processing of his personal data by the controller, but for this purpose specific conditions are required, among which:
- The accuracy of personal data is disputed by the data subject;
- The processing is unlawful, but the data subject does not want the personal data to be deleted, but instead requires a limitation of their use;
- The controller no longer requires personal data for the purpose of processing, but the data subject requests them for the establishment, exercise or protection of legal claims;
- The data subject has objected to the revocation pending verification that the controller's legal grounds have an advantage over the interests of the data subject.
(2) In the cases under the para. 1, item 1, the limitation of the processing are for a period which allows the controller to verify the accuracy of the personal data.
(3) The right under para 1 shall be exercised by making a request under the procedure of Art. 17, para. 3.
Art. 21. (1) Any natural person who is a person of personal data shall have the right to receive the personal data which concern him and which he has provided to an administrator in a structured, widely used and machine readable format and shall have the right to transfer such data to another administrator without obstruction by the controller to whom the personal data are provided when the processing is based on consent or a contractual obligation and the processing is done in an automated manner.
(2) When exercising its right to data portability, the data subject shall also be entitled to receive a direct transfer of personal data from one controller to another where this is technically feasible.
(3) The right under para 1 shall be exercised by making a request under the procedure of Art. 17, para. 3.
Art. 22. (1) The data subject shall have the right to object to the processing of his personal data by the Company if the data are processed on one of the following grounds:
- Processing is necessary for the performance of a task of public interest or in the exercise of official authority which is conferred on the controller;
- Processing is necessary for purposes related to the legitimate interests of the Company or a third party;
- Data processing involves profiling.
(2) The administrator shall discontinue the processing of the personal data unless he can prove that there are convincing legal grounds for his continuation which takes precedence over the interests, rights and freedoms of the data subject or for the establishment, exercise or protection of legal claims.
Art. 23. (1) Every natural person who is a person of personal data has the right to be informed, and the Company is obliged to notify the subject in case of a violation of the security of his or her personal data and when this violation is likely to pose a high risk to the rights and the freedoms of the data subject.
(2) The notification under par. 1 shall be carried out without undue delay after its detection and shall contain a description of the nature of the breach of personal data security, indicating the nature of the breach, the name and contact details of the data protection officer, the consequences of the breach and the action taken measures by the Company to address the violation and to reduce the possible adverse effects.
Art. 24. In case of violation of your rights or the applicable data protection legislation, you have the right to file a complaint with the Personal Data Protection Commission, address: 1592 Sofia, "Prof. Tsvetan Lazarov Str., Tel .: 02 / 91-53-518, e-mail: email@example.com, website: www.cpdp.bg