PERSONAL DATA PROTECTION NOTIFICATION
Definition of the Data Processor
- The company Bolf Kalimbas, s.r.o., registered office at Horná Lehota 135, 97681 Horná Lehota, Slovak Republic, Company Identification Number: 52 734 242, registered by District Court Banská Bystrica, Insert no. 37572 / S, Section: Sro (hereinafter referred to as the “Data Processor”), is a business company that operates online Internet store for the sale of hand-made musical instruments – kalimba and for the sale of accessories.
- The Data Controller alone or together with others, defines in this Notification the purpose and means of the processing of personal data and processes personal data in his own name. (hereinafter referred to as the “Notification”)
- The Data Controller publishes this Notification for the purpose of informing the Data Subjects. (definition of this term is given below)
- In addition to this Notification, the Data Controller also has special documentation and infrastructure in the field of Personal Data protection.
Definition of Personal Data
- In terms of the legislation in power, especially in accordance with the wording of the act no. 18/2018 Coll. on the Protection of Personal Data on Amendments to Certain Acts (hereinafter referred to as the “Act”) are personal data – the data relating to an identified natural person or an identifiable natural person that can be identified directly or indirectly, in particular by a generally applicable identifier, an identifier other than i.e. first name, last name, identification number, location data, or any online identifier, or based on one or more characteristics or features that make up its physical identity, physiological identity, genetic identity, mental identity, mental identity, economic identity, cultural identity, or social identity. (hereinafter referred to as “Personal Data”)
Definition of the purpose of the Notification
- By making this Notification public, the Data Processor complies with its obligations arising from the Act as well as the relevant European legislation, regulated in particular by Art. 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- The Data Controller shall carry out processing operations on personal data that includes, in particular, their collection, storage, use and modification.
Definition of the entity responsible for the processing of Personal Data of the Data Subjects
- A natural person whose Personal Data are processed shall be considered a Data Subject. (hereinafter referred to as the “Data Subject”).
- The Data Controller is responsible for the processing of Personal Data:
Company name: Bolf Kalimbas, s.r.o.
Registered seat at: Horná Lehota 135, 97681 Horná Lehota, Slovak Republic
Company ID: 52 734 242
Company registration: Company is registered by the Business Register of the Slovak Republic, administrated by District Court Banská Bystrica, Insert Nr: 37572/S, Section: Sro
Acting on behalf of the Company Mgr. Katarína Boľfová
Basic principles of Personal Data processing
- The Data Controller’s activities of the Personal Data processing shall be based on the following principles:
- Personal data are processed in accordance with the act no. 18/2018 on personal data protection and amending and supplementing certain Acts in a fair and transparent way;
- Collected Personal Data are processed only for justified purposes and are to be used in a form that is in accordance with the defined and specified purposes;
- The Data Controller processes only the Personal Data relevant for the purposes stated in this notification (the principle of exclusivity applies when in case of defining the purposes for processing of Personal Data);
- The Data Controller processes accurate and updated Personal Data;
- Personal data will be processed only within a period relevant for the purpose for achieving the purpose of the processing. The Data Subjects are dully informed about this fact;
- Personal Data are stored in secure conditions.
- The Data Controller has no legislative obligation to appoint a data officer for the protection of personal data. For the purpose of any questions and requests of the Data Subject related to the Personal Data protection, it is possible to contact the Data Processor in writing at its registered office, or via e-mail at: firstname.lastname@example.org.
- For the purposes of informing the Data Subject, the Data Controller provides contact information of the competent authority responsible for supervising the protection of Personal Data on the territory of the Slovak Republic:
Úrad pre ochranu osobných údajov (Office for Personal Data Protection)
820 07 Bratislava 27
+421 /2/ 3231 3214
- Definition of the purposes and scope of Personal Data processing
- As part of its business activities, the Data Controller focuses on the services of an Internet store, through which it sells musical instruments – hand made kalimbas with accessories, musical eqipment as well as the provides service related thereto.
- Purpose of Order Processing – Purchase Contracts
The key document in ensuring the sale of Products by the Data Processor as Seller is the Purchase Contracts. (Order converted into a Purchase Contract) The Data Processor processes Personal Data for the purpose of proper performance of the Seller’s obligations resulting from such Purchase Contract.
The Data Processor is not obliged to require special consent for the processing of Personal Data provided in connection with the performance from the Purchase Contract. In the event that the required Personal Data is not provided by the Data Subject, it is not possible to ensure proper performance of the Seller as the Data Subject arising from the Purchase Contract and thus proper processing of the Order for the Data Subject – the Buyer.
The Data Processor processes the Personal Data of the Data Subject to the extent to which these are provided and recorded in the Order by the Buyer (converted into the Purchase Contract), namely: name, surname, title, date of birth, address of residence or delivery address of the Pro, e-mail address, telephone number.
Within this, the Personal Data of the Data Subjects are provided exclusively to the Data Controller’s transport partners, external accounting company, a hosting company with its registered office and data center in the European Union, or the state authorities in case they ask for such access. The external partners of the Data Controller as act Data Processors.
The Data Controller’s transport partners are the following entities:
- GLS General Logistics Systems Slovakia s.r.o., Lieskovská cesta 13 962 21 Lieskovec, Slovak Republic;
- DHL Express (Slovakia), spol. s r.o, Letisko M. R. Štefánika,820 01 Bratislava, Slovak Republic;
- Slovenská pošta, a. s., Partizánska cesta 9, 975 99 Banská Bystrica 1, Slovak Republic.
The Data Controller is obliged to pay attention to compliance with personal data protection legislation also in regard to the breach of the obligations Data Processors related to the business activities of the Data Controller in the matters they relate to the business activities of the Data Controller.
The Data Controller informs the Data Subjects that their Personal Data will not be transferred to third countries, with the exception of Orders to be delivered and provided outside the territory of the Slovak Republic if the providing of the Personal Data of the Data Subjects is needed for the proper delivery of the Products that are subject to the Purchase Contract.
- Purpose – warranty procedure
The legal basis for this is a legal obligation from the provision of the section 6 subsection c of the GDPR regulation in connection with the Act no. 40/1964 Coll. Civil Code as amended.
- Purpose – exercising the right of the Data Subjects
The Data Controller shall keep records of the complaints of the Data Subject and also the manner of resolving the complaints of the Data Subjects.
- Purpose – bookkeeping
The legal basis for this obligation is enacted in the Section 6 Subsection 1, letter c of the GDPR a special act, namely the act on accounting, which directly imposes on the Data Controller the obligation to process the personal data of the Data Subjects on the accounting documents.
- Marketing purposes
Marketing purposes represent the processing of Personal Data and are based on the personal features of the Data Subjects. These related to the personal features of the Data Subjects (physical identity, voice) who participate in workshops organized by the Data Controller. Thus the legal basis of the Data Subjects is the special consent of the Data Subjects, which are another legal basis for the processing of Personal Data.
The Data Subject has the right to object to the processing of Personal Data concerning him for the purpose of direct marketing, including profiling to the extent (if used by the Data Controller, which is not effective now – as of the date of October 1, 2020) which relates to the direct marketing. If the Data Subject objects to the processing of Personal Data for the purpose of direct marketing, the Data Controller may not further process the Personal Data for the purpose of direct marketing.
- The cookies help, for example: to the correct functionality of the Data Controller’s Internet Store, to remember the searched information, to find out which subpages and functions visitors use most often.
- The Data Controller uses the following types of cookies on his Internet Store:
|SessionID||bolfkalimbas.com||Data Controller||During user’s session||Functional cookies|
|csrftoken||bolfkalimbas.com||Data Controller||2 years||Functional cookies|
|_ga||bolfkalimbas.com||2 years||Analytical cookies|
|_gid||bolfkalimbas.com||24 hours||Analytical cookies|
|_gat||bolfkalimbas.com||1 minute||Analytical cookies|
|AMP_TOKEN||bolfkalimbas.com||30 seconds- 1 year||Analytical cookiesAnalytical cookies|
|gac_UA-12345678||bolfkalimbas.com||90 days||Analytical cookies|
|tk_lr||bolfkalimbas.com||JetPack (WordPress.com)||2 years||Analytical cookies|
|tk_or||bolfkalimbas.com||JetPack (WordPress.com)||5 years||Analytical cookies|
|tk_r3d||bolfkalimbas.com||JetPack (WordPress.com)||3 days||Analytical cookies|
“SessionID” cookies were used to ensure the correct functionality of the Data Controller’s Internet Store and are for its correct launch and display of its content. They are used to identify the logged-in user or anonymous user (meaning int this sense Data Subject) whose Personal Data may be processed (eg contract, form, etc.). This type of cookies is maintained during the specific launch of the Data Controller’s Internet Store.
“CookieConsent” cookies help prevent cross-site request forgery (CSRF) attacks.
Cookies “_ga” register a single ID, which is used to generate statistics on how Data Subject use the Data Controller’s Internet Store.
Cookies “_gat” are used by Google Analytics to limit the number of requests.
Cookies “AMP_TOKEN” enable detection of deactivation, application progress, possible login errors (Google Analytics).
“_gac_UA” cookies allow them to measure the interactions of the Data Subject with the Data Controller.
Cookies “tk_lr” collect data on the behavior of the Data Subjects as visitors to the Data Controller’s Internet Store.
Cookies “tk_or” collect data on the behavior of the Data Subjects as visitors to the Data Controller’s Internet Store.
Cookies “tk_r3d” collect data on the device used by the Data Subjects as visitors to the Data Controller’s Internet Store.
These data have the nature of so-called metadata, that is that there is no use of specific and person – related Personal Data which means that the individual Data Subject cannot be specifically identified. These cookies are used by the Data Controller for analytical and marketing purposes.
Other cookies are not captured by the Data Controller. In order to find out more on analytical cookies, the Data Controller recommends the Data Subject to visit the following website:
Through third-party applications, the Data Controller collects information about the device through which the Data Person browses the Data Controller’s Internet Store. They cannot identify the Data Subject as a specific person and are used only for the production of statistics and their subsequent analysis.
The Data Controller thus uses 2 types of cookies:
- Functional cookies – are used to recognize a visit to the Data Controller’s Internet Store and allow him to offer you improved and personalized functions, such as remembering user preferences. These cookies therefore remember the choices of the Data Subject, on the basis of which the Data Controller improves the user comfort when using the Data Controller’s Internet Store. These cookies collect anonymized information.
- Analytical and performance cookies – enable the Internet Store administrator (Data Controller) to recognize and calculate the number of visitors and obtain information on how the Internet Store is used. They will help the Internet Store administrator (Data Controller) to improve the functioning of the Internet Store. These cookies do not collect Personal Data on the Data Subjects. All information is aggregated and fully anonymous. These cookies are thus used to improve the user functioning of the Data Controller’s Internet Store.
The Data Controller uses third-party cookies, which store anonymous information about visiting the Internet Store. These can then be used for analytical or marketing purposes. All information related to cookies that are stored is anonymous. Cookies cannot be tracked automatically – The Data Controller uses the opt-in variant which means that monitors cookies only with the consent of the Data Subject.
The Data Controller has also adopted and uses technical and organizational measures to prevent unauthorized or accidental access to Personal Data, alteration, destruction or loss, unauthorized transfer, their other unauthorized processing, as well as other misuse of Personal Data.
To this end, they are also taking the following security measures:
- Anonymization of Personal Data,
- Ability to restore the availability of and access to Personal Data in a timely manner in the event of physical or technical incidents,
- The process of regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures in place to ensure processing security,
- Multilevel firewall,
- Antivirus protection and control of unauthorized access,
- Access to personal data only for authorized persons of the Data Controller.
Periods of Personal Data processing
- Personal Data of the Data subjects shall be processed in automated and non-automated way in that way ensuring their security, integrity and availability. The period for which the Personal Data are processed and stored depends on the purpose of processing and is determined by the Data Subject, or by relevant legislation.
- Within the particular purposes of Personal Data processing, the Data Controller has determined the following periods of retention of Personal Data:
- purpose of accounting – 10 years;
- purpose of the warranty procedure handling – 10 years;
- purpose for marketing purposes – until the withdrawal of consent to the processing of Personal Data from the Data Subjects for this purpose;
- purpose of achieving the exercise of the right of the Persons concerned – 10 years;
- purpose of monitoring the Data Processor’s Internet Store via cookies – see point VII. of this Notification.
Personal data protection by the Data Controller
- The Data Subject as the Buyer and a party to the Purchase Contract shall provide the Data Controller as the Seller in the interest of smooth processing of the Order by the Data Processor with his name and surname, address of residence including postal code, telephone number and e-mail address.
- The Data Subject may at any time check and change the provided Personal Data, as well as cancel his registration in the Customer account after logging in to the website of the Data Controller’s Internet Store.
- The Data Controller hereby notifies the Data Subject that in accordance with section 14 subsection 2 of Act no. 18/2018 Coll. on Personal Data Protection and on Amendments to Certain Acts, as amended that as the Data Controller and administrator of the particular information system it will process the Personal Data of the Data Subject in the process of concluding the Purchase Contract, as the processing of Personal Data of the Data Subject is necessary also in the phase of pre-contractual relation in the interest of proper concluding of the Purchase Contract. The processing of the Personal Data is also necessary subsequently in performance of the Purchase Contract, in which the Data Subjects acts as one of the parties, as an entity taking over the Product from the Data Controller, eventually his transport partner. The processing of Personal Data of the Data Subject is also necessary due to relevant accounting and tax legislation.
- The Data Controller obliges himself to treat and dispose of the Personal Data of the Data Subject in accordance with the legal regulations of the Slovak Republic and the European Union that are in force. The Personal Data these will not be subject to transfer to third countries, unless it is a case of the delivery of Products to third countries and such a transfer in necessary for the proper handling of the Product Order. In such a situation the Personal Data of the Data Subject may be provided also to the Data Controller’s transport partner.
- The Data Controller declares that the Personal Data will be collected only for the purpose stated in this Notification and that the principles of processing Personal Data defined in Sections 6 – 13 of the act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain laws as amended will be fully observed.
- Before sending the Order, the Data Subject will be asked to confirm by checking the box “I have read the Terms and Conditions” before sending the Order that the Data Controller has notified him in a clear, comprehensible, easily accessible and irreplaceable about its Personal Data Protection rules and policies, especially:
- his identification data, which are listed in Article 1 of this Notification;
- the fact that the Data Controller as the Seller, as the administrator of the information system, will process the Personal Data of the Data Subject as the Buyer to the extent of name and surname, address of residence, including postal code, telephone number and e-mail address and delivery address;
- identification data of a third party, which is the transport partner that will deliver the ordered Products of the Data Subjects by providing them with the Personal Data specified in the Order Confirmation in the interest of proper delivery of the ordered Products;
- the purpose of processing Personal Data of the Data Subject which is the conclusion of a Purchase Contract between the Data Controller and the Data Subject;
- contact details of the person responsible for personal data protection at the Data Controller.
- The Data Controller declares that it will process Personal Data on the basis of the legislation in force in accordance with good morals and will act in a manner that does not contravene the relevant legislation, in particular the act no. 18/2018 Coll. on the protection of personal data and amending certain laws, as amended, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95 / 46 / EC (General Data Protection Regulation) or other legislation in force and in any way circumvents the law. The Data Controller declares that he will not enforce or condition the consent of the Data Subject in regard to rejection of the contractual relationship for the supply of Product or rendering the services.
- The Seller as the Data Controller of own Internet Store and at the same time as the administrator of Information Systems containing Personal Data informs about the method and scope of processing Personal Data, including the list of rights of the Buyer as a Data Subjects and also visitors of its Internet Store as provided in the article IX. and X. of this Notification.
- The Data Controller while processing the Personal Data shall proceed in accordance with the main legal regulations in the field of Personal Data Protection:
- act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain laws as amended;
- regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46 / EC (General Data Protection Regulation).
- The Data Controller processes Personal Data for the following purposes (always only necessary data):
3.1 Performance from the Purchase Contract concluded with the Data Subject, or other obligation or provision of the services vis-a-vis the Data Subject:
- Personal Data will be processed for the duration of the pre-contractual relationship between the Data Controller and the Data Subject (the potential Buyer is considered for this purpose also the Data Subject), for the purpose of concluding the Purchase Contract and for the duration of the contractual relationship arising from the Purchase Contract.
3.2. observation of the legal duties of the Data Collector regarding the Purchase Contract, as provided by particular law, i.e. the duties arising from the accounting, tax or archive legislation, providing of the cooperation to the administrative state bodies, police, tax etc.
3.3 marketing and business offer purpose of the Data Collector on the basis of particular consent of the Data Subject:
– mass sending of business offers of Products and services, sending general advertising notification without any targeting on particular needs and preferences of the Data Subject.
– individual offer of the Data Subject (also as a potential Buyer): sending advertising notifications after sending the request by the Data Subject (also as a potential Buyer); The Data Controller does not perform profiling according to section 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of data and repealing Directive 95/46 / EC (General Data Protection Regulation), since the Data Controller manually creates individual offers that are sent to the Data Subject;
- sending of business information by third parties; meaning sending of business notifications by other Data Controllers to whom the Personal Data of the Data Subject (also as a potential Buyer) as Affected Persons were transferred on the basis of their express consent and under a special Personal Data Processing Agreement between the original Data Controller by a third party acting as secondary Data Controller.
- marketing purposes in case of organization of the workshops represent the processing of Personal Data and are based on the personal features of the Data Subjects. These related to the personal features of the Data Subjects (physical identity, voice) who participate in workshops organized by the Data Controller.
3.4 legitimate interests of the Data Controller.
- If the Data Subject in the position of the Buyer does not provide his personal data, it is not possible to enter into a contract with the Data Controller and / or to properly provide him with proper delivery of the Product. In this context, Personal Data are necessary for the proper performance resulting from the Purchase Contract concluded at a distance, as well as in conjunction with relevant legislation in the field of accounting and taxes etc..
- The Data Subject is obliged to provide the Seller as the Data Controller only with real and accurate Personal Data. The Data Subject directly responsible for their correctness, accuracy and veracity. The Data Controller is not responsible for the accuracy of the provided data.
- The Data Controller shall make every effort to prevent unauthorized processing by any unauthorized third parties and declares that disposes over elaborated documentation for the protection of Personal Data as well as the security infrastructure.
- The Data Controller is entitled to transfer the personal data of the Data Subjects to third parties on the basis of their consent, for the following purposes: completion of the order process, delivery of Products, sending business notifications, customer satisfaction assessment, providing of consumer credit, customer support services, provision, handling of complaints, processing of the Data Controller ‘s accounting documents and in other cases where the law explicitly allows for the disclosure of Personal Data to state authorities on the basis of a special provision of the law.
- Personal data are and will be processed in electronic form in an automated as well as in a non-automated way.
- The Data Controller keeps records of the personal data of the Buyer (as well as the potential Buyer) as the Data Subjects for a period not longer than necessary for the purpose for which the Data Controller obtained them.
- If a person is interested in providing information on the specific retention period of Personal Data, as well as the scope of processed Personal Data of the Data Subject (including the potential Buyer as the Data Subject), this person can contact the Data Controller’s Personal Data Officer by e-mail at: email@example.com.
- The Data Subject (also as a potential Buyer) has a set of rights that result from the law – the act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain laws as amended, namely:
- the right to information and access to Personal Data, which means that the Data Subject must always be provided with a certain amount of information on personal data protection when obtaining Personal Data and must be given access to personal data under specified conditions;
- the right to obtain from the Seller as the Data Controller a confirmation as to whether its Personal Data and related information of the Data Subject are processed;
- the right to rectification and erasure of Personal Data, which means that the Data Subject has the right to request the rectification of incorrectly stated Personal Data and the completion of incomplete Personal Data;
- the right to erasure (“forgetfulness”), on the basis of which the Data Subject may request at the Data Controller the erasure of the Personal Data, if the conditions and purpose for the data processing expired;
- the right to request, under specified conditions, restrictions on the processing of the Personal Data;
- the right, in conjunction with the rectification, erasure and restriction of the processing of Personal Data to communicate this fact communicated to any recipient to whom the Personal Data have been provided;
- the right to the transfer the Personal Data, meanig, if possible by the Data Controller, the Personal Data of the Data Subject must be provided to this Data Subject in a way that allows their transfer to another Data Controller (in a structured, commonly used and machine-readable format), or the Data Subject, if technically possible has the right to such a transfer carried out by the Data Controller himself;
- the right to object to the processing of Personal Data at any time under the conditions stipulated by the law;
- the right to object to automated individual decision-making, including profiling (provided that such decision-making is done by the Data Controller), providing automatically processed decision of the Data Subject on the basis of personal data provided to the Data Controller without human intervention;
- the right to object to the processing of Personal Data for the purposes of direct marketing;
- the right to be notified by the Data Controller without undue delay on such a breach of Personal Data protection leading to a high risk to its rights, in a clear and simple manner.
- The Data Subject (also in the position of a potential Buyer) has the right to submit a complaint against the Data Controller, namely to: the Office for Personal Data Protection of the Slovak Republic (www.dataprotection.gov.sk).
The contact form of the Office for Personal Data Protection for submitting a complaint is available on the following website: https://dataprotection.gov.sk/uoou/sk/content/navrh-na-zacatie-konania-o-ochrane-osobnych-udajov
- If the legal basis for the processing of Personal Data of the Data Subject (also as a potential Buyer) is consent to the processing, the Data Person may revoke it at any time, and is entitled to use the same method as the consent was granted for the Data Controller. However, the Data Subject (including the potential Buyer) acknowledges that in special cases stipulated by law, the Data Controller cannot fully comply with the withdrawal of consent.
- The Data Controller shall regularly review and update the rules of Personal Data protection and Personal Data protection documentation as well as its personal protection infrastructure in order to ensure the consistent fulfillment of its obligations as the Data Controller of the relevant information systems.
- This Notification shall enter into force October 1, 2020.
- Terms in capital letters are defined in the Terms and Conditions, if they are not defined in this Notification or Complaints Procedure of the Data Controller..
Done, in Horná Lehota, October 1, 2020