Privacy Policy
Mandatory information on the rights of persons on personal data protection
Information about the company, which processes your data:
Designation: www.gratiaclothing.com
Information about the competent supervisory authority for the protection of personal data
Designation: Commission for the Protection of Personal Data
Headquarters and address of management: city. Sofia 1592, is it. "Prof. Tsvetan Lazarov" no 2
Mailing address: city. Sofia 1592, is it. "Prof. Tsvetan Lazarov" no 2
Telephone: 02 915 3 518
Web page: www.cpdp.bg
www.gratiaclothing.com (Hereinafter referred to as the “Administrator” or the “Company” for short) carries out its activities in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and the Council from 27 April 2016 year on the protection of natural persons in connection with the processing of personal data and on the free movement of such data. This information is intended to inform you about all aspects of the processing of your personal data by the Company and the rights, that you have in relation to this processing.
Grounds for collection, processing and storing your personal data
Art. 1.The administrator collects and processes your personal data in connection with the use of the electronic store ………………. and concluding contracts with the company on the basis of Art. 6, take. 1, Regulation (EU) 2016/679 (GDPR), and more particularly on the following ground:
- Express consent received from you as a customer;
- Fulfillment of the Administrator's obligations under a contract with you;
- Compliance with legal obligation, which applies to the Administrator;
- For the purposes of the legitimate interests of the Administrator or a third party;
Purposes and principles of collection, the processing and storage of your personal data
Art. 2. (1)We collect and process personal data, which you provide us in connection with the use of the electronic store and the conclusion of a contract with the company, including for the following purposes:
- creating a profile and providing full functionality when using the online store;
- conclusion and performance of a contract at a distance;
- individualization of a party to the contract;
- accounting purposes;
- statistical purposes;
- protection of information security;
- ensuring the performance of the contract for the provision of the relevant service.
- sending a newsletter if you wish;
(2) We observe the following principles when processing your personal data:
- legality, integrity and transparency;
- limitation of processing purposes;
- relevance to the purposes of the processing and minimization of the data collected;
- accuracy and timeliness of data;
- storage limitation in order to meet the objectives;
- integrity and confidentiality of processing and ensuring an appropriate level of personal data security.
(3) In the processing and storage of personal data, The administrator may process and store personal data in order to protect the following legitimate interests:
- fulfillment of obligations to the National Revenue Agency, Ministry of the Interior and other state and municipal bodies.
What types of personal data it collects, processed and stored by our company
Art. 3. (1) The company performs the following operations with the personal data provided by you for the following purposes:
- Registration of a user in the e-store and execution of a remote purchase-sale contract - the purpose of this operation is to create a profile for using the e-store to purchase goods and provide contact details for delivery of purchased goods. Registering and creating an account to use the online store is not a mandatory step of providing the service and it is available to a large extent without creating an account..
Conclusion of the impact assessment: Based on the impact assessment carried out, the operation "Registration of a user in the e-shop and execution of a contract of purchase and sale at a distance" is permissible to perform and provides sufficient guarantees to protect the rights and legitimate interests of the data subjects in accordance with the requirements of the GDPR. - Conclusion and execution of a commercial transaction with a client or partner - the purpose of this operation is the conclusion and execution of a contract with a trading partner or client and its administration. Given the limited scope of personal data collected and the circumstances, that some of them are collected from publicly available sources, carrying out an impact assessment is not necessary to carry out an impact assessment of the operation.
- Sending a newsletter (newsletter) - the purpose of this operation is to administer the process of sending newsletters to customers, who have declared, that they wish to receive. Given the limited scope of personal data collected, carrying out an impact assessment is not necessary to carry out an impact assessment of the operation.
- Exercising the right of refusal or making a complaint - the purpose of this operation is to administer the process of exercising the right of refusal or complaint by the customer. Given the limited scope of personal data collected, carrying out an impact assessment is not necessary to carry out an impact assessment of the operation.
(2) The administrator processes the following categories of personal data and information for the following purposes and on the following grounds:
- Your personalizing data (Email, name etc.)
- Purpose, for which the data is collected: 1) Establishing a connection with the user and sending information to him, 2) for the purposes of user registration in the online store, as well as 3) to send a newsletter.
- Basis for processing your personal data – With the acceptance of the general terms and conditions and registration in the electronic store or placing an order without registration, or upon entering into a written contract, a contractual relationship is created between the Administrator and you, on which basis we process your personal data - art. 6, take. 1, b. (b) GDPR. Your data for sending a newsletter is processed with your express consent – Art. 6, take. 1, b. (a) GDPR.
- Delivery data(Names, telephone, address, etc.)
- Purpose, for which the data is collected: Fulfillment of obligations of the administrator under the contract of purchase and sale and delivery of the purchased goods.
- Basis for processing your personal data – With the acceptance of the general terms and conditions and registration in the electronic store or placing an order without registration, or upon entering into a written contract, a contractual relationship is created between the Administrator and you, on which basis we process your personal data - art. 6, take. 1, b. (b) GDPR.
- Additional data, provided by you – If you wish to supplement your profile, you can fill in name details in it, surname, phone number.
- Purpose, for which the data is collected: Adding information about the user to their user account.
- Grounds for data processing: You have provided express consent to the processing of his personal data for one or more specific purposes – 6, take. 1, b. (a) of the GDPR at the time of registration in the online store. The provision of this data, not required for registration in the online store.
(3)The administrator does not collect or process personal data, which refer to the following:
- reveal racial or ethnic origin;
- reveal political, religious or philosophical beliefs, or membership of trade unions;
- genetic and biometric data, data on health status or data on sex life or sexual orientation.
(4) The personal data is collected by the Administrator from the individuals, to which they refer.
(5) The Company does not perform automated data decision making.
Art. 4. (1) The company performs the following operations with the data provided by you, as legal representatives or proxies of legal entities-trading partners, personal data for the following purposes:
- Conclusion and execution of a commercial transaction: For the conclusion and execution of a commercial transaction with a commercial company, we only process the three names of the legal representative or the person authorized by the company. Conclusion of the impact assessment: Given the small volume of individuals, whose data is processed and given the limited volume of personal data, which are collected, conducting an impact assessment is not necessary for the current operation.
(2) The personal data is collected by the Administrator from the individuals, which are also referred to by the Commercial Register at the Registration Agency.
(3) The Company does not perform automated data decision making.
Art. 5. The administrator can use the so-called. "cookies" for the purpose of providing full functionality of the website, improving the user experience, statistical purposes, easy access etc., which you agree to by using our website. You can control and/or delete cookies at any time through the settings of your browser. "Cookies" do not constitute personal data and are not used to identify visitors and users of the e-store.
Duration of storage of your personal data
Art. 6. (1) The administrator stores your personal data for a period not longer than the existence of your account in an online store. After deleting your account, The administrator takes the necessary care to delete and destroy all your data, without undue delay or to anonymize them (i.e. to bring them into view, which does not reveal your identity).
(2) The administrator processes your personal data, which you provided when placing an order without registering in the electronic store, until the order is completed, unless you have given your express consent when placing the order for your data to be processed for the purposes of improving the service, providing recommended content to you, individual conditions, promotions, as well as for statistical purposes.
(3) The administrator stores your personal data, provided in connection with online orders placed for a period of 5 years for the purpose of protecting the Administrator's legal interests in legal or administrative disputes with users of the online store.
(4) The administrator will notify you, in case, that the data storage period needs to be extended in order to fulfill a legal obligation or in order to have legitimate interests of the Administrator or other.
(5) The administrator stores the personal data, which it is required to keep under the applicable legislation for the relevant stipulated period, which may exceed the period of existence of your profile in the e-store or until the order is completed.
Art. 7. The administrator stores the personal data of the legal representatives of its commercial partners for the duration of the contract, to comply with the legitimate interests and legal obligations of the Administrator, and this term may exceed the term of the concluded contract.
Transmission of your personal data for processing
Art. 8. (1) The administrator may, at its own discretion, transfer part or all of your personal data to processors of personal data for the fulfillment of the purposes of processing, which you have agreed to, in compliance with the requirements of the Regulation (EU) 2016/679 (GDPR).
(2) The administrator notifies you in case of intention to transfer part or all of your personal data to third countries or international organizations.
Your collection rights, the processing and storage of your personal data
Withdrawal of consent to the processing of your personal data
Art. 9. (1) If you do not wish the personal data provided by you to be processed for marketing purposes and receiving a newsletter, You can withdraw your consent to processing at any time, by completing the consent withdrawal form in Appendix no 1 or by free text request, and email it to us.
(2) After we receive your request, we will send to your email, which you have indicated to receive newsletters and advertising messages, a letter with detailed instructions for your verification as a recipient of newsletters and a subject of personal data, for which withdrawal of consent has been requested.
(3) The withdrawal of consent does not affect the lawfulness of the processing of personal data, which the Administrator has been doing up to this point.
Right of access
Art. 10. (1) You have the right to request and receive confirmation from the Administrator as to whether personal data is being processed, related to you, by sending a free text request via email.
(2) You have the right to access the data, related to you, as well as to the information, relating to collection, the processing and storage of your personal data.
(3) After we receive your request, we will send to your email, which you used to register or place orders in the e-shop, a letter with detailed instructions for your verification as a data subject, to which access is requested.
(4) After the verification is done, according to para. 3, Your administrator provides upon request, a copy of the processed personal data, related to you, in electronic or other suitable form.
(5) Providing access to the data is free, but the Administrator reserves the right to impose an administrative fee, in case of repetitive or excessive requests.
Right to rectification or completion
Art. 11. (1) You can correct or complete inaccurate or incomplete personal data at any time, related to you, through the "Profile Edit" option.
(2) You can correct or complete inaccurate or incomplete personal data, related to you directly through your profile on the website or by making a request to the Administrator by email, using the format in Appendix no 4 or by free text request.
Right to erasure ("to be forgotten")
Art. 12. (1) You have the right to ask the Administrator to delete part or all of your personal data, and the Administrator has the obligation to delete them without undue delay, when any of the grounds listed below are present:
- the personal data are no longer necessary for the purposes, for which they have been collected or otherwise processed;
- You withdraw your consent, on which the processing of the data is based and there is no other legal basis for the processing;
- You object to the processing of your personal data, including for the purposes of direct marketing and there are no legal grounds for the processing, to have an advantage;
- the personal data were processed unlawfully;
- the personal data must be deleted in order to comply with a legal obligation under EU law or the law of a Member State, which applies to the Administrator;
- personal data were collected in connection with the provision of information society services.
(2) The administrator is not obliged to delete the personal data, if it stores and processes them:
- to exercise the right to freedom of expression and the right to information;
- to comply with a legal obligation, which requires processing, provided for in EU or Member State law, which applies to the Administrator or to the performance of a task of public interest or in the exercise of official powers, which are provided to him;
- for reasons of public interest in the field of public health;
- for archiving purposes in the public interest, for scientific or historical research or statistical purposes;
- for the establishment, the exercise or defense of legal claims.
(3) To exercise your right to be forgotten, it is necessary to send an email request to delete your personal data, which the Administrator processes, by filling the form in Appendix no 2 or by free text request, after which the Administrator will send to the email, which you used to register or place orders in the e-shop, a letter with detailed instructions for your verification as a store user and personal data subject, for which a deletion request has been made.
(4) After we verify the identity of the person, made the request and the person, to which the data relates in accordance with the instructions sent to you, we will delete all data, which we process for you, in accordance with para. 3.
(5) If there is an order placed by you, which is being processed, the earliest moment, in which you can request to be "forgotten", is upon successful order completion.
Right to limitation
Art. 13. You have the right to request the Administrator to limit the processing of the data related to you, by sending us a free text request by email, when:
- dispute the accuracy of personal data, for a period, which allows the Administrator to verify the accuracy of personal data;
- the processing is unlawful, but you do not want the personal data to be deleted, but only that their use be limited;
- The administrator no longer needs the personal data for processing purposes, but you require them for the establishment, the exercise or defense of its legal claims;
- You have objected to the processing pending verification of whether the legal grounds of the Administrator take precedence over your interests.
(2) After we receive your request, we will send to your email, which you used to register or place orders in the e-shop, a letter with detailed instructions for your verification as a store user and personal data subject, for which a request for restriction of processing has been made.
(3) After carrying out the verification according to para. 2, The company will stop processing your data, but it won't remove the posts, that you have made in the online store, if available.
Right of portability
Art. 14. (1) If you have consented to the processing of your personal data or the processing is necessary for the performance of the contract with the Administrator, or if your data is processed in an automated manner, you can:
- to ask the Administrator to provide you with your personal data in a readable format and to transfer them to another Administrator;
- to ask the Administrator to directly transfer your personal data to an administrator specified by you, when technically feasible.
(2) You can exercise the right of portability by emailing us the completed form as per Attachment no 3 or free text request, after which the Administrator will send to the email, which you used to register or place orders in the e-shop, a letter with detailed instructions for your verification as a store user and personal data subject, for which portability is requested.
(3) After carrying out the verification according to para. 2, The company sent the data to the e-mail you specified, which processes for you, in XML format.
Right to receive information
Art. 15. You can ask the Administrator to inform you about all recipients, on which the personal data, for which correction is requested, erasure or restriction of processing, have been revealed. The administrator may refuse to provide this information, if this would be impossible or require a disproportionate effort.
Right to object
Art. 16. You can object at any time to the processing of personal data by the Administrator, which relate to him, including if processed for profiling or direct marketing purposes.
Your rights in the event of a breach of the security of your personal data
Art. 17. (1) If the Administrator detects a breach of the security of your personal data, which may pose a high risk to your rights and freedoms, it notifies you of the breach without undue delay, as well as for measures, which have been undertaken or are to be undertaken.
(2) The administrator is not obliged to notify you, if:
- has taken appropriate technical and organizational data protection measures, affected by the security breach;
- has subsequently taken measures, which guarantee, that the breach will not result in a high risk to your rights;
- notification would require a disproportionate effort.
Faces, to which your personal data is provided
Art. 18. (1) For the purposes of processing your personal data and providing the service in its full functionality and in view of your interests, The administrator can provide the data to the following persons, who are data processors:
Personal data processor Purpose of personal data processing
……………………………………….. ……………………………………………………………
……………………………………….. ……………………………………………………………
……………………………………….. ……………………………………………………………
(2) Personal data processors comply with all legality and security requirements when processing and storing your personal data.
Art. 19. The administrator does not transfer your data to third countries.
Art. 20. In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to file a complaint with the Commission for Personal Data Protection, as follows:
Designation: Commission for the Protection of Personal Data.
Headquarters and address of management: city. Sofia 1592, is it. "Prof. Tsvetan Lazarov" no 2
Mailing address: city. Sofia 1592, is it. "Prof. Tsvetan Lazarov" no 2
Telephone: 02 915 3 518
Web page: www.cpdp.bg
Art. 21. You can exercise all your rights regarding the protection of your personal data through the forms, attached to this information. Of course, these forms are optional and you can make your requests in any form, which contains a statement to that effect and identifies you as the data owner.
Art. 22. If the consent relates to a transfer, The administrator describes the possible risks for the transfer of data to third countries in the absence of an adequate protection solution and suitable means of protection.
Application no 1
Form for withdrawal of consent for processing purposes
Your Name*: …………………….
your e-mail, that you used in the e-shop*: …………………….
Feedback data (e-mail)*: …………………….
To
Designation: …………………….
EIK/BULSTAT: …………………….
Headquarters and address of management: …………………….
Mailing address: …………………….
Telephone: …………………….
E-mail: …………………….
Website: …………………….
I hereby withdraw my consent to the processing of the personal data provided by me for the purpose of receiving a newsletter, advertising messages or other marketing materials, being familiar with the conditions for withdrawing consent in accordance with the Mandatory Information on the Rights of Individuals on the Protection of Personal Data of the e-shop.
In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to file a complaint with the Commission for Personal Data Protection, as follows:
Designation: Commission for the Protection of Personal Data.
Headquarters and address of management: city. Sofia 1592, is it. "Prof. Tsvetan Lazarov" no 2
Mailing address: city. Sofia 1592, is it. "Prof. Tsvetan Lazarov" no 2
Telephone: 02 915 3 518
Web page: www.cpdp.bg
Application no 2
Request "to be forgotten" – to delete personal data, related to me
Your Name*: …………………….
your e-mail, with which you registered or used for orders in the e-store*: …………………….
Feedback data (e-mail)*: …………………….
To
Designation: …………………….
EIK/BULSTAT: …………………….
Headquarters and address of management: …………………….
Mailing address: …………………….
Telephone: …………………….
E-mail: …………………….
Website: …………………….
All personal details please, that you collect, process and store, provided by me or by third parties, that are related to me, according to the specified identification, to be deleted from your databases.
I declare, that I know, that some or all of my personal data may continue to be processed and stored by the controller for the purposes of fulfilling its legal obligations.
In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to file a complaint with the Commission for Personal Data Protection, as follows:
Designation: Commission for the Protection of Personal Data.
Headquarters and address of management: city. Sofia 1592, is it. "Prof. Tsvetan Lazarov" no 2
Mailing address: city. Sofia 1592, is it. "Prof. Tsvetan Lazarov" no 2
Telephone: 02 915 3 518
Web page: www.cpdp.bg
Application no 3
Request for portability of personal data
Your Name*: …………………….
your e-mail, with which you registered or used for orders in the e-store*: …………………….
Feedback data (e-mail)*: …………………….
To
Designation: …………………….
EIK/BULSTAT: …………………….
Headquarters and address of management: …………………….
Mailing address: …………………….
Telephone: …………………….
E-mail: …………………….
Website: …………………….
All personal data related to me please, which are collected, processed and stored in your databases, to be sent in XML format to:
e-mail: …………………….
Administrator - receiving the data: …………………….
Designation: …………………….
ID (EIC, BULSTAT, reg. number in CPLD): …………………….
E-mail: …………………….
In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to file a complaint with the Commission for Personal Data Protection, as follows:
Designation: Commission for the Protection of Personal Data.
Headquarters and address of management: city. Sofia 1592, is it. "Prof. Tsvetan Lazarov" no 2
Mailing address: city. Sofia 1592, is it. "Prof. Tsvetan Lazarov" no 2
Telephone: 02 915 3 518
Web page: www.cpdp.bg
Application no 4
Request to correct data
Your Name*: …………………….
your e-mail, with which you registered or used for orders in the e-store*: …………………….
Feedback data (e-mail)*: …………………….
To
Designation: …………………….
EIK/BULSTAT: …………………….
Headquarters and address of management: …………………….
Mailing address: …………………….
Telephone: …………………….
E-mail: …………………….
Website: …………………….
Please provide the following personal information, that you collect, process and store, provided by me or by third parties, that are related to me, be corrected as follows:
Data, which are subject to correction:
…………………………………………..
Please be corrected as follows:
…………………………………………..
In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to file a complaint with the Commission for Personal Data Protection, as follows:
Designation: Commission for the Protection of Personal Data.
Headquarters and address of management: city. Sofia 1592, is it. "Prof. Tsvetan Lazarov" no 2
Mailing address: city. Sofia 1592, is it. "Prof. Tsvetan Lazarov" no 2
Telephone: 02 915 3 518
Web page: www.cpdp.bg